This topic describes how to configure single sign-on (SSO) so that users can log on to Elastic Desktop Service (EDS) clients by using Azure Active Directory (Azure AD). After SSO is configured, a regular user who logs on to an EDS client is redirected to Azure AD for identity verification. This helps you manage the logons of regular users to clients in a secure and centralized manner.

Background information

SSO, also known as identity federation, is a secure authentication approach that lets you log on once and then access multiple mutually trusted systems without logging on again. The following terms are used in this topic:
  • identity provider (IdP): provides identity management services, collects and stores user identity information such as usernames and passwords, and authenticates users when they log on. AD FS and Shibboleth are two well-known IdPs.
  • service provider (SP): establishes a mutual trust relationship with an IdP and relies on the identity management services of the IdP to provide services to users.
  • Security Assertion Markup Language (SAML): a standard protocol for enterprise-level user authentication that is used to exchange authentication and authorization data between IdPs and SPs.
EDS supports SAML-based SSO. If you use Azure AD to manage user accounts, you can configure convenience users in EDS so that Azure AD users can log on to their cloud desktops by using SSO. In this case, EDS acts as the SP and Azure AD acts as the IdP. The two providers exchange metadata files to establish the trust relationship that SAML-based SSO requires. After you configure SSO, you can use your Azure AD logon credentials to log on to the EDS client in a secure manner.
Note Only software clients (Windows clients and macOS clients) and hardware clients (Alibaba Cloud cloud devices) support the SSO feature. Mobile clients (iOS clients and Android clients) and browser clients do not support the SSO feature.

Preparations

Create a workspace of the convenience account type in the EDS console and enable SSO for the workspace.
  • To create the workspace, log on to the EDS console. For more information, see Create a workspace of the convenience account type.
  • If you have created the workspace of the convenience account type, you can click the workspace ID on the Overview page to go to the workspace details page and enable the SSO feature.

Step 1: Create a convenience user whose name is the same as that of an Azure AD user in the EDS console

If an Azure AD user wants to use cloud desktops, you need to create a convenience user whose name is the same as that of the Azure AD user. When you create convenience users in the EDS console, you can use manual entry or batch entry to import user information. To import user information in batches, perform the following steps.
Note If you want to import information about a small number of users, you can specify user information in the EDS console. When you specify user information, make sure that the username of the convenience user is the same as that of the Azure AD user. The username is case-insensitive. For more information, see Create a convenience user.
  1. Download a CSV file that contains user information in Azure AD.
    1. Log on to the Azure AD console.
    2. In the left-side navigation pane, click Users.
    3. On the All users (Preview) page, check whether the credentials of the users are valid.

      Make sure that the username of each convenience user that you want to create is the same as that of the corresponding Azure AD user. The username is case-insensitive. The Azure AD username must also conform to the EDS username format. If it does not, you must modify the username in Azure AD first. Otherwise, you cannot create a convenience user whose username is the same as that of the Azure AD user.

      The EDS username of the convenience user must be specified based on the following format:
      • The username must be 3 to 24 characters in length.
      • The username can contain lowercase letters, digits, and special characters, such as hyphens (-), underscores (_), and periods (.).
      • The first character of the username must be a lowercase letter.
    4. In the top navigation bar, click Bulk operations and select Download users.
    5. Follow the on-screen instructions to download information about the users.
  2. Use Microsoft Excel to open the CSV file, modify the user information based on the requirements on the username format for an EDS convenience user, and then save it as a CSV file.
    Before you modify the user information, take note of the following items:
    • In the CSV file, specify usernames in the first column and email addresses in the second column. Mobile numbers go in the third column, which is optional.
    • In the CSV file that you downloaded from the Azure AD console, the userPrincipalName column uses the username@domain format, and the prefix before the at sign (@) can be used as the username of a convenience user in EDS. If the value in the userPrincipalName column is the actual email address of the user, you can use the userPrincipalName column as the email column. If the actual email address is different from the value in the userPrincipalName column, specify the actual email address.
  3. Create a convenience user in the EDS console.
    1. Log on to the EDS console.
    2. In the left-side navigation pane, click User management.
    3. On the User management page, click Create User.
    4. In the Create User panel, click the Batch entry tab.
    5. Click Select File and select the CSV file that you prepared in Step 2.
      When you upload the CSV file, the fields for user information in the file are automatically populated. After the CSV file is uploaded, you can check whether the information about all users is imported. If the import fails, check whether the information about users in the CSV file meets the format requirements.
    6. Click Close.
      After the convenience users are created, you can view the user information on the User management page.
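The conversion described in Step 1 (download the Azure AD export, keep the prefix of userPrincipalName as the EDS username, check it against the EDS username rules, and write a three-column CSV) is easy to get wrong by hand for more than a handful of users. The following Python script is an added example written for this topic, not a tool shipped by EDS or Azure AD. It assumes the export carries a `userPrincipalName` column plus optional `mail` and `mobilePhone` columns, may start with preface lines before the header row, and that the EDS batch-entry file has no header row; the sample export is constructed, not real tenant data.

```python
import csv
import io
import re

# EDS convenience-user name rules as given in this guide: 3 to 24 characters,
# lowercase letters, digits, hyphens, underscores and periods, first character a lowercase letter.
EDS_USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{2,23}")


def eds_username_valid(name):
    """True if name satisfies the EDS convenience-user username format."""
    return EDS_USERNAME_RE.fullmatch(name) is not None


def convert_azure_export(export_text):
    """Convert an Azure AD user export (CSV text) into rows for EDS batch entry.

    Returns (rows, rejected): rows is a list of (username, email, mobile) tuples in the
    column order EDS expects; rejected lists (userPrincipalName, reason) for users whose
    name prefix does not fit the EDS format and must be fixed in Azure AD first.
    """
    lines = export_text.splitlines()
    # Bulk exports may carry preface lines (assumed, e.g. a version line) before the
    # real header row, so start at the first line that names the userPrincipalName column.
    header_idx = next((i for i, line in enumerate(lines) if "userPrincipalName" in line), None)
    if header_idx is None:
        raise ValueError("no userPrincipalName column found in the export")
    reader = csv.DictReader(io.StringIO("\n".join(lines[header_idx:])))

    rows, rejected = [], []
    for record in reader:
        upn = (record.get("userPrincipalName") or "").strip()
        if not upn:
            continue
        # The prefix of username@domain becomes the EDS username. EDS usernames are
        # case-insensitive and written in lowercase, so normalise before validating.
        prefix = upn.split("@", 1)[0].lower()
        if not eds_username_valid(prefix):
            rejected.append((upn, "prefix does not match the EDS username format"))
            continue
        # Use the mail column when present; otherwise the UPN is taken to be the user's
        # real address, as the guide allows. Column names 'mail'/'mobilePhone' are assumptions.
        email = (record.get("mail") or "").strip() or upn
        mobile = (record.get("mobilePhone") or "").strip()  # optional third column
        rows.append((prefix, email, mobile))
    return rows, rejected


def to_eds_csv(rows):
    """Serialise rows as the three-column CSV that EDS batch entry reads (no header row assumed)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample export for demonstration only; not real tenant data.
SAMPLE_EXPORT = """version:v1.0
userPrincipalName,displayName,mail,mobilePhone
alice.lee@contoso.onmicrosoft.com,Alice Lee,alice.lee@contoso.com,
Bob_Tan@contoso.onmicrosoft.com,Bob Tan,,+65 0000 0000
42ops@contoso.onmicrosoft.com,Ops Account,ops@contoso.com,
jo@contoso.onmicrosoft.com,Jo,jo@contoso.com,
"""

if __name__ == "__main__":
    ok, bad = convert_azure_export(SAMPLE_EXPORT)
    print(to_eds_csv(ok))
    for upn, reason in bad:
        print(f"fix in Azure AD before import: {upn}: {reason}")
```

Users in the rejected list (a name that starts with a digit, or one shorter than three characters) are exactly the ones the guide tells you to rename in Azure AD before creating the convenience user; importing them under a different name would break the one-to-one mapping that SSO relies on.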

Step 2: Create an application and assign the application to an Azure AD user

In the Azure AD console, you need to create an application that corresponds to EDS, and assign the application to Azure AD users who want to use cloud desktops. Perform the following steps:

  1. In the left-side navigation pane of the Azure AD console, click Enterprise applications.
  2. On the All applications page, click New application.
  3. In the top navigation bar, click Create your own application.
  4. In the dialog box that appears, enter the application name, select Integrate any other application you don't find in the gallery (Non-gallery), and then click Create.
  5. Refresh the page and click the name of the application that you created.
  6. In the left-side navigation pane, click Users and Groups, and click Add user/group.
  7. In the Add Assignment page, select a user and click Assign.

Step 3: Configure EDS as a trusted SAML-based SP in the Azure AD console

To configure EDS as a trusted SAML-based SP in Azure AD, upload the metadata file of EDS to Azure AD. Perform the following steps:

  1. Obtain the SP metadata file in the EDS console.
    1. On the Overview page, find the workspace of the convenience account type and click the workspace ID.
    2. On the workspace details page, click Download File in the Metadata File section.
      The downloaded metadata file is saved in the download folder of your computer.
  2. Configure SSO for the application that corresponds to EDS in Azure AD.
    1. In the Azure AD console, open the application that you created in Step 2.
    2. In the left-side navigation pane, click Single sign-on and select SAML.
    3. Click Upload metadata file.
    4. Select the SP metadata file that you downloaded in the EDS console and click Add.
    5. In the Basic SAML Configuration panel, check whether the values of the Identifier and Reply URL parameters are valid, and click Save.
      Note After you upload the SP metadata file, the values of the Identifier and Reply URL parameters are automatically populated. If automatic population fails, specify the values of the identifier and the reply URL in the Identifier and Reply URL fields.
      Open the SP metadata file that is stored on your computer and check whether the identifier and the reply URL are correct:
      • Identifier (Entity ID): the entityID value in the md:EntityDescriptor tag of the SP metadata file.
      • Reply URL (Assertion Consumer Service URL): the Location value in the md:AssertionConsumerService tag of the SP metadata file.

Step 4: Configure Azure AD as a trusted SAML-based IdP in the EDS console

To configure Azure AD as a trusted SAML-based IdP in the EDS console, upload the metadata file that is provided by Azure AD to EDS. Perform the following steps:

  1. Obtain the IdP metadata file in the Azure AD console.
    1. In the Azure AD console, open the application that you created in Step 2.
    2. In the left-side navigation pane, click Single sign-on.
    3. In the SAML Signing Certificate section, click Download next to Federation Metadata XML.
      The downloaded metadata file is saved in the download folder of your computer.
  2. In the EDS console, upload the IdP metadata file that is downloaded from Azure AD.
    1. On the Overview page, find the workspace of the convenience account type and click the workspace ID.
    2. On the workspace details page, click Upload File in the Metadata File section.
    3. Double-click the IdP metadata file and click OK.
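Step 3 asks you to open the SP metadata file and compare its entityID and AssertionConsumerService Location with the Identifier and Reply URL that Azure populated, and Step 4 has you hand the Azure Federation Metadata XML (which carries the IdP's signing certificate and SingleSignOnService endpoints) to EDS. The following Python script is an added example for both steps, written for this topic rather than taken from EDS or Azure AD: it parses the two files and reports mismatches before you click Save or Upload File. The two embedded metadata documents are constructed with placeholder URLs, a placeholder workspace ID, a placeholder tenant ID and a placeholder certificate; real files come from the two consoles.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-Signature namespaces (not page-specific values).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def read_sp_metadata(xml_text):
    """Return the Identifier (entityID) and Reply URLs (AssertionConsumerService
    Binding/Location pairs) from an SP metadata file such as the one EDS provides."""
    root = ET.fromstring(xml_text)  # a file you downloaded yourself, not untrusted input
    acs = [
        (e.get("Binding"), e.get("Location"))
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return {"entity_id": root.get("entityID"), "acs": acs}


def read_idp_metadata(xml_text):
    """Return the IdP entityID, SingleSignOnService endpoints (by binding) and the
    signing certificates from a Federation Metadata XML file such as Azure AD provides."""
    root = ET.fromstring(xml_text)
    sso = {
        e.get("Binding"): e.get("Location")
        for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both uses
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_azure_saml_fields(sp, identifier, reply_url):
    """Compare the Identifier and Reply URL shown in Azure's Basic SAML Configuration
    panel with the SP metadata file. Returns a list of problems; empty means consistent."""
    problems = []
    if identifier != sp["entity_id"]:
        problems.append(f"Identifier {identifier!r} != entityID {sp['entity_id']!r}")
    locations = [loc for _, loc in sp["acs"]]
    if reply_url not in locations:
        problems.append(f"Reply URL {reply_url!r} not among ACS locations {locations}")
    for loc in locations:
        if not loc.startswith("https://"):  # assertions must only ever be posted over TLS
            problems.append(f"ACS location {loc!r} is not HTTPS")
    return problems


def check_idp_metadata(idp):
    """Sanity checks on the IdP file before uploading it to EDS."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("no signing certificate: EDS could not verify assertion signatures")
    if not idp["sso"]:
        problems.append("no SingleSignOnService endpoint: the client has nowhere to redirect")
    return problems


# Constructed SP metadata with placeholder values (the real file comes from the EDS console).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eds.example.invalid/sp/WORKSPACE-ID-PLACEHOLDER">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eds.example.invalid/sp/WORKSPACE-ID-PLACEHOLDER/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata with placeholder values (the real file comes from Azure AD).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    sp = read_sp_metadata(SP_METADATA)
    # Paste the two values shown in the Azure panel here when running against real files.
    print(check_azure_saml_fields(sp, sp["entity_id"], sp["acs"][0][1]) or "SP fields match")
    idp = read_idp_metadata(IDP_METADATA)
    print(check_idp_metadata(idp) or f"IdP {idp['entity_id']} has {len(idp['signing_certs'])} signing cert(s)")
```

Run it against the real files by replacing the two embedded strings with their contents; a mismatch reported for the Identifier or Reply URL is the case the Note under Step 3 tells you to fix by entering the values manually.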

Step 5: Check whether the SSO feature can be used to log on to the EDS client

Launch the EDS client. If the SSO feature is enabled for the workspace that you specified on the Configuration page, you are redirected to the enterprise IdP page for logon verification. Only software clients (Windows clients and macOS clients) and hardware clients (Alibaba Cloud cloud devices) support the SSO feature. To check whether you can log on to the EDS client by using SSO, perform the following steps. A Windows client is used in this example.

  1. Launch the EDS client that runs Windows OS.
  2. In the Configuration step, enter a workspace ID, select a network access mode, and then click Next.
    Enter the ID of the workspace of the convenience account type for which you enabled SSO. Set Network Access Mode to Access via Ali Cloud Network.
  3. On the Azure sign-in page to which you are redirected, follow the on-screen instructions to enter information about the Azure AD user for identity verification.
    • If you can log on to the client, the configuration takes effect.
      Note After SSO is configured, you can use the Azure AD account to log on to the EDS client. By default, no cloud desktop resources are available for the account. If you want to connect to a cloud desktop, log on to the EDS console to create a cloud desktop and assign the cloud desktop to a convenience user whose name is the same as that of the Azure AD account. For more information, see Create a cloud desktop and Assign cloud desktops to regular users and view the regular users to whom the cloud desktops are assigned.
    • If an error occurs on the Azure sign-in page, troubleshoot the error based on the error message.
      For example, if the error message indicates that the application that corresponds to EDS is not assigned to the user, refer to Step 2 to assign the application to the user.
    • If an error message prompts you that your identity failed to be verified from the EDS client, check whether the SSO configuration is valid.
    • If an error message prompts you that an internal error occurs in the EDS client, check whether the convenience user whose username is the same as that of the Azure AD account exists in the EDS console.

What to do next

If a new user wants to use cloud desktops, perform the following operations:
  1. Create a user in the Azure AD console and assign the application that corresponds to EDS to the user.
  2. Create a convenience user in the EDS console whose name is the same as that of the Azure AD user that you created.
  3. Create cloud desktops and assign the cloud desktops to the new convenience user.