This topic describes how to configure single sign-on (SSO) so that you can log on to Elastic Desktop Service (EDS) clients by using Alibaba Cloud Identity as a Service (IDaaS). After SSO is configured, a regular user who logs on to an EDS client is authenticated by IDaaS before the logon succeeds. This helps you manage the logons of regular users to clients in a secure and centralized manner.

Background information

SSO (also known as identity federation) is a secure communications technology that helps you access multiple application systems in a quick manner. It allows you to use a single logon to log on to multiple mutually trusted systems. The following section describes the terms related to SSO:
  • identity provider (IdP): provides identity management services, collects and stores user identity information such as usernames and passwords, and authenticates user identities when users log on. AD FS and Shibboleth are two well-known IdPs.
  • service provider (SP): establishes mutual trust relationships with IdPs and uses the identity management services provided by IdPs to provide services to users.
  • Security Assertion Markup Language (SAML): a standard protocol that implements enterprise-level user identity authentication and that is used to exchange identity authentication and authorization data between IdPs and SPs.

IDaaS provides a set of services for enterprises to manage identities, permissions, and applications in a centralized manner. The services include Enterprise Identity and Access Management (EIAM) and Customer Identity and Access Management (CIAM). You can use EIAM to manage the identities of your employees and integrate all identities of internal office systems, business systems, and third-party Software as a Service (SaaS) systems that are deployed in your data center or on the cloud. This way, you can use one account to access services that are used by all applications. For more information, see What is IDaaS?

EDS supports Security Assertion Markup Language (SAML)-based SSO. If you use EIAM in IDaaS to manage user accounts, you can configure convenience users in EDS to implement SSO for the cloud desktops that are used by IDaaS users. In this case, EDS acts as the service provider (SP) and IDaaS acts as the identity provider (IdP). The two providers exchange metadata files with each other to implement SAML-based SSO. After you configure SSO, you can use your IDaaS logon credentials to log on to the EDS client in a secure manner.

Step 1: Create a convenience user whose username is the same as that of an IDaaS user in the EDS console

If an IDaaS user needs to use cloud desktops, you can create a convenience user whose username is the same as that of the IDaaS user. When you create convenience users, you can use manual entry or batch entry to import user information. To import user information in batches, perform the following steps.
Note If you want to import information about a small number of users, you can specify user information in the EDS console. When you specify the information about a convenience user, make sure that the username of the convenience user that you specify is the same as that of the IDaaS user. The username is case-insensitive. For more information, see Create a convenience user.
  1. Export user information in the IDaaS console.
    1. Log on to the IDaaS console.
    2. On the EIAM instances page, click the ID of the instance that you want to manage.
    3. In the left-side navigation pane, choose Users > Organizations and Groups.
    4. Select an organization and a group. On the right side, check whether the account name meets the requirements that are specified in the account list.

      Make sure that the username of the convenience user is the same as that of the IDaaS user. The username is case-insensitive. The username in IDaaS must use the format for EDS usernames. If the username format of IDaaS is invalid, you need to recreate an IDaaS user that meets the requirements of the EDS username format. Otherwise, you cannot create the convenience user whose name is the same as that of the IDaaS user.

    5. In the upper-right corner of the account list, click Export, and then click Account below EXCEL.
    6. In the message that appears, click OK.
      The exported Excel file that contains IDaaS user accounts is saved in the download folder of your computer.
  2. Open the Excel file, modify the user information based on the format requirements of the entry file for EDS convenience users, and then save the file in the CSV format.
    Before you modify the user information, take note of the following items:
    • You must specify usernames in the first column, email addresses in the second column, and mobile numbers in the third column. The third column is optional.
    • In the exported Excel file that contains information about IDaaS users, the username column and the email column are used as the username column and the email column of EDS convenience users. If the email column is empty, add the email addresses.
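The following script is an added example, not part of the original topic or of EDS or IDaaS, that shows the conversion described in this step done by hand: it reads a constructed IDaaS account export (the column names in the sample are assumptions; check them against your own export), lowercases each username because EDS matches usernames case-insensitively, checks the username against an assumed EDS username pattern, reports rows whose email column is empty, and writes the three-column entry file.

```python
import csv
import io
import re

# Constructed sample of an IDaaS account export after it is saved as CSV.
# The column names are assumptions; compare them with your own exported file.
IDAAS_EXPORT_CSV = """username,display_name,email,mobile
Alice.Wang,Alice Wang,alice.wang@example.com,13800000000
bob_li,Bob Li,,
Carol Zhang,Carol Zhang,carol@example.com,
"""

# Assumed EDS username rule: a letter followed by 2 to 19 lowercase letters, digits,
# dots or underscores. Replace this pattern with the rule from the EDS documentation.
EDS_USERNAME_RE = re.compile(r"^[a-z][a-z0-9._]{2,19}$")


def convert_export(export_csv: str):
    """Return (rows, problems).

    rows:     [username, email, mobile] lists ready for the EDS entry file.
    problems: human-readable issues that must be fixed before the import.
    """
    rows, problems = [], []
    for rec in csv.DictReader(io.StringIO(export_csv)):
        # EDS treats usernames as case-insensitive, so normalise to lowercase
        # to keep the convenience user and the IDaaS user comparable.
        username = rec["username"].strip().lower()
        email = (rec.get("email") or "").strip()
        mobile = (rec.get("mobile") or "").strip()
        if not EDS_USERNAME_RE.match(username):
            # The IDaaS user must be recreated with a valid name; skip the row.
            problems.append(f"{rec['username']!r}: does not match the EDS username format; recreate the IDaaS user")
            continue
        if not email:
            problems.append(f"{username}: email column is empty; add an address before import")
        rows.append([username, email, mobile])
    return rows, problems


def write_entry_file(rows) -> str:
    """Serialise the rows as the CSV entry file (username, email, mobile)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = convert_export(IDAAS_EXPORT_CSV)
    for p in problems:
        print("PROBLEM:", p)
    print(write_entry_file(rows), end="")
```

Rows that fail the username check are dropped from the output and reported, so the entry file never contains a convenience user that cannot be matched to an IDaaS user.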

Step 2: Add an application to IDaaS and configure EDS as a trusted SAML-based SP

In the IDaaS console, you must add an application that corresponds to EDS, configure EDS as a trusted SAML-based SP, and then grant the permissions on the application to IDaaS users that want to use cloud desktops.

  1. In the IDaaS console, add the application that corresponds to EDS, and configure EDS as a trusted SAML-based SP.
    1. In the left-side navigation pane, choose Applications > Add Application.
    2. Enter SAML in the search box, find the SAML application that you want to add, and then click Add Application in the Actions column.
    3. In the Add Application (SAML) panel, click Add SigningKey.
    4. In the Add SigningKey panel, specify the required information and click Submit.
      Select 2048 as the key size.
    5. In the Add Application (SAML) panel, find the SigningKey, and then click Select.
    6. Specify the application information and click Submit.
      Specify the following parameters based on your business requirements:
      • Application Name: The default value SAML is used. Specify a name that is easy to identify.
      • IDP IdentityId: Specify a custom value.
      • SP Entity ID: Enter the entityID value of the md:EntityDescriptor tag. The tag is specified in the SP metadata file that you obtained in Step 1.
      • SP ACS URL (SSO Location): Enter the Location value of the md:AssertionConsumerService tag. The tag is specified in the SP metadata file that you obtained in Step 1.
      • NameIdFormat: Select urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
      • Account Linking Type: Select Account mapping.
  2. Grant the permissions on the application to the IDaaS users that want to use cloud desktops.
    1. On the Application List page, find the SAML application that corresponds to EDS and click Authorize in the Actions column.
    2. Click Authorize Accounts by Application. In the account list, select the account that you want to authorize and click Save.
    3. In the message that appears, click OK.

Step 3: Configure IDaaS as a trusted SAML-based IdP in the EDS console

To configure IDaaS as a trusted SAML-based IdP in the EDS console, upload the metadata file that is provided by IDaaS to EDS. Perform the following steps:

  1. In the IDaaS console, obtain the IdP metadata file.
    1. On the Application List page, find the SAML application that corresponds to EDS and click Details in the Actions column.
    2. In the Application Information section, click View Details.
    3. On the application details page, click Export IDaaS SAML Meta Profile.
      The metadata file that you downloaded is saved in the download folder of your computer.
  2. In the EDS console, upload the IdP metadata file that is provided by IDaaS.
    1. On the Overview page, find the workspace of the convenience account type and click the workspace ID.
    2. On the workspace details page, click Upload File in the Metadata File section.
    3. Double-click the IdP metadata file that you want to upload and click OK.
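The following script is an added example, not code from the original topic or from EDS or IDaaS, that serves both the parameter lookup in Step 2 and the metadata upload in Step 3. It parses a constructed SP metadata file to pull out the entityID of md:EntityDescriptor and the Location of md:AssertionConsumerService, parses a constructed IdP metadata file to confirm that it carries a signing certificate, a SingleSignOnService endpoint and the transient NameIDFormat selected in Step 2, and runs a few cross-checks before you upload. The host names and the certificate in the samples are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed SP metadata using the element names of a real SP metadata file.
# The host name is a placeholder, not an EDS endpoint.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata. The certificate is a base64 placeholder, not an X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-idp-signing-certificate").decode()
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _root(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    return root


def sp_settings(xml_text):
    """Values to copy into the IDaaS SAML application form (Step 2)."""
    root = _root(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    # Prefer the ACS marked as default; fall back to the first one listed.
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:
        acs = sp.find("md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("no AssertionConsumerService in SP metadata")
    return {
        "sp_entity_id": root.get("entityID"),
        "sp_acs_url": acs.get("Location"),
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
    }


def idp_settings(xml_text):
    """What EDS learns from the IdP metadata file you upload (Step 3)."""
    root = _root(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        certs += kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # SHA-256 of the DER bytes, to compare with the SigningKey shown in the IDaaS console.
    fingerprints = [hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest() for c in certs]
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_cert_sha256": fingerprints,
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
    }


def preflight(sp, idp):
    """Cross-checks to run before uploading; returns a list of findings (empty means OK)."""
    findings = []
    if TRANSIENT not in sp["nameid_formats"]:
        findings.append("SP metadata does not list the transient NameIDFormat selected in IDaaS")
    if TRANSIENT not in idp["nameid_formats"]:
        findings.append("IdP metadata does not advertise the transient NameIDFormat")
    if not idp["signing_cert_sha256"]:
        findings.append("IdP metadata has no signing certificate; assertions cannot be verified")
    if not (sp["sp_acs_url"] or "").startswith("https://"):
        findings.append("SP ACS URL is not an https URL")
    if not (idp["sso_url"] or "").startswith("https://"):
        findings.append("IdP SSO URL is not an https URL")
    return findings


if __name__ == "__main__":
    sp, idp = sp_settings(SP_METADATA), idp_settings(IDP_METADATA)
    print("SP Entity ID:", sp["sp_entity_id"])
    print("SP ACS URL:  ", sp["sp_acs_url"])
    print("IdP SSO URL: ", idp["sso_url"])
    print("Findings:", preflight(sp, idp) or "none")
```

Run it against the real files you downloaded (replace the two constants with the file contents) and fix every finding before uploading; a missing signing certificate or a NameIDFormat mismatch is the usual cause of the "identity failed to be verified" error described in Step 4.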

Step 4: Check whether you can log on to the EDS client by using SSO

  1. Launch the Windows EDS client.
  2. In the Configuration step, specify a workspace ID, select a network access mode, and then click Next.
    The ID of the workspace of the convenience account type is the same as the ID of the workspace for which SSO is enabled. Select Access via Ali Cloud Network as the network access mode.
  3. On the IDaaS logon page, follow the on-screen instructions to enter the IDaaS account information for identity verification.
    • If you can log on to the client, the SSO settings have taken effect.
      Note After SSO is configured, you can use an IDaaS account to log on to the EDS client. By default, no cloud desktop resources are available for the account. If you want to connect to cloud desktops, log on to the EDS console to create cloud desktops and assign the cloud desktops to a convenience user whose username is the same as that of your IDaaS account. For more information, see Create a cloud desktop and Assign cloud desktops to regular users and view the regular users to whom the cloud desktops are assigned.
    • If an error occurs on the IDaaS logon page, troubleshoot the error based on the error message.
    • If an error message indicating that your identity failed to be verified by the EDS client appears, check whether the SSO configuration is valid.
    • If an error message indicating that an internal error occurred in the EDS client appears, check whether the convenience user whose username is the same as that of your IDaaS account exists in the EDS console.

What to do next

If a new user wants to use cloud desktops, perform the following operations:
  1. Create an account in the IDaaS console and assign the application that corresponds to EDS to the account.
  2. Create a convenience user in the EDS console. Make sure that the username is the same as that of the IDaaS user that you created.
  3. Create cloud desktops and assign the cloud desktops to the new convenience user.