WUYING Workspace: Implement SSO for WUYING Workspace (Pro Edition) by using AD FS

Last Updated: Jan 22, 2024

This topic describes how to configure single sign-on (SSO) for WUYING Workspace (Pro Edition) by using Active Directory Federation Service (AD FS). After SSO is configured, end users log on with the credentials of their AD FS users, AD FS authenticates those credentials, and the users are connected to their cloud computers without a separate WUYING logon. This improves both security and efficiency.

Background

Single sign-on (SSO), also known as identity federation, is a secure authentication mechanism that lets a user log on once and then access multiple trusted application systems without logging on to each of them separately.

Terms:

  • Identity provider (IdP): the system that provides identity management services. An IdP collects and stores user identity information, such as usernames and passwords, and verifies user identities when users log on. In WUYING Workspace, an external IdP is represented by its metadata file.

    Common IdPs:

    • On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.

    • Cloud IdPs: use cloud architecture, such as Azure AD, Google Workspace, Okta, and OneLogin.

  • Service provider (SP): an application that relies on the identity management feature of an IdP to provide users with specific services, based on a trust relationship with the IdP. In identity systems that do not use the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), the SP is called the relying party of the IdP.

  • SAML: a protocol that is designed for enterprise-grade user identity authentication. SAML is used to exchange authentication information between an SP and an IdP, and it is the de facto standard that enterprises use to implement SSO.

  • OpenLDAP: an open source implementation of the Lightweight Directory Access Protocol (LDAP). OpenLDAP is widely used to manage users, computers, networks, and other resources within an enterprise. In this topic, OpenLDAP is referred to as LDAP.

  • Alibaba Cloud OAuth 2.0 Service: an application that can be used to authenticate users, authorize applications, and generate tokens that represent user identities for use by authorized applications.

Procedure

If your enterprise uses AD Domain Service (AD DS) to manage users, you can configure SSO between AD FS and WUYING Workspace (Pro Edition). In this case, WUYING Workspace (Pro Edition) serves as the service provider (SP) and AD FS serves as the identity provider (IdP). The two sides exchange metadata files and implement SSO based on the Security Assertion Markup Language (SAML) protocol. This topic describes how to implement SSO for WUYING Workspace (Pro Edition) by using AD FS.

Note

If your enterprise AD system is integrated to WUYING Workspace (Pro Edition) and an AD office network is created, you can implement SSO for AD users. For more information, see Implement SSO for WUYING Workspace for AD users by using AD FS.

Step 1: Create convenience users whose usernames are the same as those of AD users

In AD scenarios, you can create an AD office network in WUYING Workspace (Pro Edition) to integrate with your enterprise AD system, so that WUYING Workspace (Pro Edition) obtains user information directly from your AD system. Alternatively, as described in this topic, you can create convenience users in WUYING Workspace from the information about the AD users in the AD system. The logon credentials of these convenience users are authenticated by AD FS. If the authentication succeeds, the end users who use the convenience users can log on to WUYING terminals and connect to cloud computers. For SSO to work, the username of each convenience user must be the same as the username of the corresponding AD user in AD FS.

In the Create User panel of the WUYING Workspace (Pro Edition) console, you can select the Manual Entry or Batch Entry tab to create convenience users by manually entering or importing information about multiple users at the same time. If you want to create a small number of users, you can manually enter the information about the users on the Manual Entry tab. If you want to create a large number of users, you can import information about the users by using a specified file on the Batch Entry tab.

Important

When you enter information in the file, make sure that the usernames of convenience users are the same as those of AD users. The usernames are not case-sensitive.

Before you import user information, refer to the following sections to prepare a .csv file in a valid format for creating convenience users.

  1. Create a .csv file that contains the AD user information on the AD domain controller of your enterprise.

    1. Check whether the existing information of AD users meets the requirements for creating convenience users.

      The usernames of the AD users must meet the format requirements for convenience usernames in WUYING Workspace. Otherwise, you cannot create convenience users that correspond to those AD users.

      When you create a convenience user, the following format requirements must be met:

      • The username must be 3 to 24 characters in length.

      • The username can contain lowercase letters, digits, and special characters, including hyphens (-), underscores (_), and periods (.).

      • The username must start with a lowercase letter.

    2. Run the Get-ADUser command in PowerShell to export the .csv file that contains the AD user information.

      You can run the following commands based on your business requirements. For example, if you want to export a .csv file that contains all AD user information and save the file to a specific path, run the following command:

      Get-ADUser -Filter * | Export-Csv <File path> -Encoding utf8

      If the name of the file is test.csv and you want to save the file to C:\Users, run the following command:

      Get-ADUser -Filter * | Export-Csv C:\Users\test.csv -Encoding utf8

  2. Use Excel to open the test.csv file and enter or modify the user information. Make sure that the entered or modified information in the file meets the format requirements to create convenience users. Then, save the file.

    When you modify user information, take note of the following items:

    • Formats:

      • User-activated convenience users: The first column is Username, the second column is Email address, and the third column is Phone. The third column is optional.

      • Administrator-activated convenience users: The first column is Username, the second column is Email, the third column is Phone, and the fourth column is Password. The second and third columns are optional.

    • In the exported test.csv file, use the values of the SamAccountName column as the Username column and the values of the UserPrincipalName column as the Email column of the file that you use to create convenience users. If a user's actual email address differs from the UserPrincipalName value, specify the actual email address instead.
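The following script carries the export and editing steps above through in one pass; it is an added example, not part of the WUYING documentation. It exports enabled AD users, maps SamAccountName to Username and UserPrincipalName to Email as the procedure requires, checks every username against the format rules listed in Step 1 (3 to 24 characters, a lowercase letter first, then lowercase letters, digits, hyphens, underscores and periods), and writes only the users that pass. The output header names Username, Email and Phone, the choice to export only enabled accounts, and lowercasing SamAccountName (the procedure states that username matching is not case-sensitive) are assumptions to adjust to your template.

```powershell
# Added example: build the convenience-user .csv from AD and validate usernames.
# Assumptions: the ActiveDirectory module is installed; the header names below
# match the template that the WUYING console expects; lowercasing is acceptable
# because usernames are matched case-insensitively; disabled accounts are skipped.
Import-Module ActiveDirectory

$OutFile   = 'C:\Users\test.csv'          # same path as in the procedure above
$UserRegex = '^[a-z][a-z0-9._-]{2,23}$'  # convenience-user username format

$rows     = New-Object System.Collections.Generic.List[object]
$rejected = New-Object System.Collections.Generic.List[string]

# SamAccountName and UserPrincipalName are returned by default; OfficePhone is not,
# so request it explicitly for the optional Phone column.
Get-ADUser -Filter 'Enabled -eq $true' -Properties OfficePhone |
    ForEach-Object {
        $username = $_.SamAccountName.ToLowerInvariant()
        if ($username -notmatch $UserRegex) {
            # Record the user so an administrator can fix or rename the account.
            $rejected.Add("$($_.SamAccountName) ($($_.DistinguishedName))")
            return   # skip this user, continue with the next pipeline object
        }
        $rows.Add([pscustomobject]@{
            Username = $username
            Email    = $_.UserPrincipalName   # replace if the real mailbox differs
            Phone    = $_.OfficePhone
        })
    }

# -NoTypeInformation stops Windows PowerShell 5.1 from writing a '#TYPE' header
# line that would otherwise be read as a data row during import.
$rows | Export-Csv -Path $OutFile -Encoding utf8 -NoTypeInformation

Write-Host "Exported $($rows.Count) users to $OutFile"
if ($rejected.Count -gt 0) {
    Write-Warning "Skipped $($rejected.Count) users whose SamAccountName does not fit the convenience-user format:"
    $rejected | ForEach-Object { Write-Warning "  $_" }
}
```

Open the resulting file in Excel as described in step 2 to fill in any email addresses that differ from the UPN; users listed in the warning output have no convenience-user counterpart and therefore cannot use SSO until their AD username is changed.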

After you prepare the .csv file, click the Batch Entry tab in the WUYING Workspace (Pro Edition) console to batch create convenience users. For more information, see Create a convenience user.

Important

After you create a convenience user that corresponds to an AD user, assign a cloud computer to the convenience user at the earliest opportunity. For more information, see Assign cloud computers or cloud computer pools to convenience users.

Step 2: Configure AD FS as a trusted SAML IdP in WUYING Workspace (Pro Edition)

You can upload the AD FS metadata file to WUYING Workspace (Pro Edition) to configure AD FS as a trusted SAML IdP in WUYING Workspace (Pro Edition).

  1. On the AD FS side, go to the following URL to download the IdP metadata file to your local computer:

    URL: https://<ADFS server>/FederationMetadata/2007-06/FederationMetadata.xml, where <ADFS server> is the domain name or IP address of the AD FS server.
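Before uploading the metadata file, it is worth confirming what it contains, because the file embeds the AD FS token-signing certificate and must be uploaded again after AD FS rolls that certificate over. The following script is an added example, not part of the WUYING documentation: it downloads the metadata from the URL above, then prints the entityID, the HTTP-POST SSO endpoint and the validity of each signing certificate. The host name in $AdfsServer is a placeholder for the <ADFS server> value; the script assumes the AD FS TLS certificate is trusted by the machine that runs it.

```powershell
# Added example: fetch the AD FS IdP metadata and report the fields that matter
# for the WUYING SSO configuration. $AdfsServer is a placeholder (assumption).
$AdfsServer  = 'adfs.example.com'   # replace with your AD FS host name
$MetadataUrl = "https://$AdfsServer/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:USERPROFILE 'Downloads\FederationMetadata.xml'

Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

$xml = New-Object System.Xml.XmlDocument
$xml.Load($OutFile)

# SAML metadata and XML-DSig namespaces used by the XPath queries below.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entityId = $xml.SelectSingleNode('/md:EntityDescriptor/@entityID', $ns).Value
$ssoNode  = $xml.SelectSingleNode(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)

Write-Host "entityID        : $entityId"
Write-Host "SSO (HTTP-POST) : $($ssoNode.Location)"

# Every signing KeyDescriptor carries the token-signing certificate as base64 DER.
$certNodes = $xml.SelectNodes(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

foreach ($node in $certNodes) {
    $der  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Signing cert    : {0}  thumbprint {1}  expires {2:yyyy-MM-dd} ({3} days left)" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning "Token-signing certificate expires in $daysLeft days; re-upload the metadata after the AD FS certificate rollover."
    }
}
```

The entityID printed here is the issuer that will appear in the SAML assertions WUYING Workspace receives, and the thumbprint is what to compare against the Token-signing certificate shown in AD FS Management when an SSO logon starts failing with a signature error.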

  2. Upload the AD FS metadata file to the WUYING Workspace (Pro Edition) console.

    1. Log on to the WUYING Workspace console.

    2. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

    3. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable SSO and click the ID of the office network.

    4. In the left-side navigation pane of the office network details page, click the Other tab.

    5. In the Other section, enable SSO and upload the metadata file.

      • SSO: Enable or disable the SSO feature.

        By default, the SSO feature is disabled. When the feature is disabled, SSO configurations do not take effect.

      • IdP Metadata: Click Upload File to upload the metadata file.

        If the status of the IdP Metadata parameter is Completed, AD FS is configured as a trusted SAML IdP.

Step 3: Configure WUYING Workspace (Pro Edition) as a trusted SAML SP in AD FS

To configure WUYING Workspace (Pro Edition) as a trusted SAML SP, you must upload its metadata file to AD FS.

  1. Obtain the metadata file in the WUYING Workspace (Pro Edition) console.

    1. Log on to the WUYING Workspace console.

    2. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

    3. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable SSO and click the office network ID.

    4. In the left-side navigation pane of the office network details page, click the Other tab.

    5. On the Other tab, click Download Application Metadata File to the right of Application Metadata.

      The downloaded metadata file is automatically saved to the Download folder of your local computer.

  2. Upload the WUYING Workspace (Pro Edition) metadata file to AD FS and configure WUYING Workspace (Pro Edition) as a relying party trust.

    1. Log on to the server of AD FS and launch Server Manager.

    2. In the upper-right corner of the Server Manager page, choose Tools > AD FS Management.

    3. In the left-side navigation pane of the AD FS dialog box, choose Trust Relationships > Relying Party Trusts.

    4. In the Actions section on the right side of the page, click Add Relying Party Trust.

    5. Add the relying party trust by following the steps in the on-screen wizard.

      In the Select Data Source step, select Import data about the relying party from a file and import the SP metadata file that you downloaded from the WUYING Workspace (Pro Edition) console in the previous step. Use the default settings for the other parameters.

  3. Modify the claim issuance policy of the relying party trust and configure SAML assertion attributes for the SP.

    1. In the list of relying party trusts, right-click the relying party trust that you added in the previous step and select Edit Claim Issuance Policy.

    2. In the dialog box that appears, click Add Rule.

    3. Configure claim rules as prompted.

      Configuration description:

      • In the Choose Rule Type step, select Transform an Incoming Claim from the Claim rule template drop-down list.

      • In the Configure Claim Rule step, select UPN from the Incoming claim type drop-down list and Name ID from the Outgoing claim type drop-down list.
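The same relying party trust and claim rule can be created from PowerShell on the AD FS server, which is easier to review and repeat than the wizard. The following script is an added example, not part of the WUYING documentation: it imports the SP metadata file from step 1 of this section, adds the issuance authorization rule that the wizard creates by default (permit all authenticated users), and sets the UPN to Name ID transform rule described above, using the same claim rule language that the wizard generates. The trust display name and the metadata file path are assumptions.

```powershell
# Added example: PowerShell equivalent of Step 3 (relying party trust plus the
# UPN -> Name ID claim rule). $TrustName and $MetadataFile are assumptions.
Import-Module ADFS

$TrustName    = 'WUYING Workspace (Pro Edition)'   # display name shown in AD FS Management
$MetadataFile = Join-Path $env:USERPROFILE 'Downloads\ApplicationMetadata.xml'  # file downloaded in step 1

# Issuance transform rule: pass the incoming UPN through as the SAML NameID.
# This is the rule text the "Transform an Incoming Claim" template produces.
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Issuance authorization rule: without one, AD FS denies every logon to this
# trust. "Permit all" matches the wizard default; restrict it to an AD group
# if only some users should be able to reach cloud computers.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $false   # the SP metadata is a static file, not a monitored URL

# Verify the result: Identifier must equal the entityID in the SP metadata, and
# the transform rules must contain the nameidentifier claim type.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

On AD FS for Windows Server 2016 and later, the wizard assigns the "Permit everyone" access control policy instead of a raw authorization rule; passing -AccessControlPolicyName 'Permit everyone' to Add-AdfsRelyingPartyTrust in place of -IssuanceAuthorizationRules gives the same effect in that model. Because the NameID value is the UPN, the convenience usernames created in Step 1 must line up with the UPN prefix exactly as the procedure requires.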

What to do next

After the SSO settings are complete, end users use the logon credentials of AD users to access cloud computers. The following procedure describes how an end user connects to a cloud computer through SSO, with the Windows client of Alibaba Cloud Workspace as an example.

  1. Launch the Windows client of Alibaba Cloud Workspace as an end user.

  2. On the Pro Edition (formerly Enterprise Edition) logon page, enter the ID of the office network for which you enabled SSO.

  3. On the AD FS logon page, enter the credentials of the AD user that corresponds to a convenience user. AD FS authenticates the credentials.

    If the authentication succeeds, you can log on to the client. Cloud computers that are assigned to the user are displayed as cards. You can place your pointer on the card of the cloud computer to which you want to connect and click Connect Cloud Computer.