Elastic Desktop Service (EDS) allows you to configure a custom organization ID. End users use the organization ID to connect to cloud desktops across workspaces, and administrators use it to view the logon verification modes of the workspaces in which those cloud desktops reside. A custom organization ID serves as a unique identifier for an enterprise. End users can also use the custom organization ID to log on to Alibaba Cloud Workspace clients and connect to cloud desktops. This topic describes how to configure a custom organization ID.

Prerequisites

Note The custom organization ID feature is in invitational preview. If you want to use this feature, submit a ticket.

Background information

The following terms are used throughout this topic.

SAML 2.0
  Security Assertion Markup Language 2.0 (SAML 2.0) is a protocol designed for enterprise-grade user identity authentication. It defines the communication between service providers (SPs) and identity providers (IdPs), and it is the standard that enterprises use to perform single sign-on (SSO).

SP
  An application that relies on the identity management feature of an IdP to provide users with specific services. SPs use the user information that IdPs provide. In identity systems that do not use the SAML protocol, such as OpenID Connect (OIDC), the SP is known as the relying party of the IdP.

IdP
  An entity that provides identity management services. IdPs are classified into the following types:
  • IdPs that use an on-premises architecture, such as Microsoft Active Directory Federation Services (AD FS) and Shibboleth
  • IdPs that use a cloud-based architecture, such as Azure AD, Google Workspace, Okta, and OneLogin

Feature description

End users can use a custom organization ID to connect to cloud desktops in different workspaces with a few clicks. Administrators can use the custom organization ID to view, in one place, the workspaces for which logon verification is configured, and can also use the organization ID to verify client logons.


Compare logon management between organization IDs and workspace IDs

The following table describes the differences between the logon methods and security settings that you can configure when you use organization IDs and workspace IDs.

Logon for end users across workspaces
  Organization ID: Supported. End users that log on to clients and connect to cloud desktops can switch between cloud desktops across workspaces.
  Workspace ID: Not supported. End users can log on to clients and connect to cloud desktops only in the same region.

Desktop management for administrators across workspaces
  Organization ID: Supported. Administrators can manage cloud desktops across workspaces by using organization IDs.
  Workspace ID: Not supported. Cloud desktops are managed by workspace.

Multi-factor authentication (MFA), client logon verification, and SSO
  Organization ID: Supported.
  Workspace ID: Supported.

Account authentication
  Organization ID: Supported.
  Workspace ID: Not supported.

Easy to remember
  Organization ID: Yes. Custom organization IDs are configured by you and are easy to remember.
  Workspace ID: No. Workspace IDs are generated by the system and are difficult to remember.

Limits

Before you use the custom organization ID feature, you must take note of the following limits:
  • Custom organization IDs can be configured only for convenience users.
  • Custom organization IDs are supported only by the following clients: Windows client, macOS client, iOS client, Android client, and Web client. Make sure that the Windows client and macOS client are version 5.0 or later.
  • You cannot delete custom organization IDs.

Configure an organization ID

The following section describes how to configure an organization ID.

  1. Log on to the EDS console.
  2. In the left-side navigation pane, choose Desktops and Groups > Workspace.
  3. In the upper-right corner of the Workspace page, click Configure Organization ID.
    The first time you log on to the EDS console, the Configure Organization ID dialog box appears. You can select Configure or Do Not Remind Me Again based on your business requirements.
  4. In the Configure Organization ID panel, follow the on-screen instructions to enter an organization ID.
  5. Select whether to enable Skip Organization ID based on your business requirements.
    If the feature is enabled, end users do not need to enter the organization ID when they connect to cloud desktops from hardware clients whose serial numbers (SNs) are registered in the EDS console. Because this skips a logon input on those devices, keep the list of registered SNs limited to devices that you control.
  6. Click OK.
    After the organization ID is configured, the message The organization ID is configured appears, and the system automatically notifies end users by email. A message then asks whether to migrate the current workspace. You can decide whether to migrate the workspace for which logon verification is enabled based on your business requirements. For more information, see Migrate a workspace to an organization ID.

Configure logon verification

The logon verification of organizations is isolated from that of workspaces. End users can choose to log on to clients by using organization IDs or workspace IDs based on their business requirements. They must comply with the rules of the verification methods that you configure for either logon method. After a verification method is configured for a workspace, the verification method of the workspace still takes effect even after the workspace is migrated to an organization.

After you configure a custom organization ID, you cannot delete the custom organization ID. You can determine whether to use the organization ID to verify client logons. To configure logon verification, perform the following operations:
  1. In the upper-right corner of the Workspace page in the EDS console, click Manage Organization ID.
  2. On the Organization ID Management page, configure parameters based on your business requirements. The following table describes the parameters.
    Organization ID
      Follow the on-screen instructions to change the organization ID.
      Note After you change the organization ID, the system notifies end users by email. End users connect to cloud desktops based on the notification.
    Skip Organization ID
      Disabled by default. If you enable this feature, end users do not need to enter the organization ID when they connect to cloud desktops from hardware clients whose serial numbers (SNs) are registered in the EDS console.
    Client Logon Verification
      Disabled by default. If you enable this feature, end users must enter a verification code that is sent to their email addresses when they change logon devices. Only end users that enter the correct verification code can connect to cloud desktops from a new logon device.
      Note
      • This feature is supported only by workspaces whose Connection Method parameter is set to Internet.
      • To prevent verification conflicts, enable only one of the Client Logon Verification, MFA, and SSO features for a workspace.
    MFA
      Disabled by default. If you enable this feature, end users must pass multi-factor authentication before they can connect to cloud desktops in the workspace: they first enter the correct username and password, and then enter the verification code that is generated by the associated virtual multi-factor authentication (MFA) device, such as the Alibaba Cloud app.
      Note To prevent verification conflicts, enable only one of the MFA, Client Logon Verification, and SSO features for a workspace. For example, if you want to enable the SSO feature for a workspace for which the MFA feature is enabled, you must first disable the MFA feature.
    Trusted Device Authentication
      Disabled by default. If you enable this feature, end users can connect to cloud desktops in the workspace only from the hardware clients that are associated with them. Before you enable this feature, associate hardware clients with end users. For more information, see Manage hardware clients.
    SSO
      Disabled by default. If you enable this feature, end users can use the trusted entity that is configured for SSO to connect to cloud desktops in the workspace from clients. After end users log on to any one of the trusted systems, they can access all of the trusted systems.
      Note To prevent verification conflicts, enable only one of the SSO, Client Logon Verification, and MFA features for a workspace.
    Account Authentication
      Disabled by default. If you enable the SSO feature, we recommend that you also enable the Account Authentication feature, so that end users can use convenience accounts to connect to cloud desktops.
    IdP
    • Add an IdP
      Note You can add up to 10 IdPs.
      1. Click New IdP.
      2. In the New IDP panel, enter an IdP name and select a protocol.
      3. Click OK.

        After you add an IdP, the SSO feature does not immediately take effect. You must configure SSO for the IdP before the SSO feature takes effect for that IdP.

    • Change an IdP name
      1. Find the IdP whose name you want to change and click View Details in the Actions column.
      2. In the Edit IdP panel, change the IdP name and click OK.
      3. Download or upload the SSO metadata file based on your business requirements.
      4. Click OK.
    • Delete an IdP
      1. Find the IdP that you want to delete and click Delete in the Actions column.
      2. In the Warning message, confirm the IdP that you want to delete and click Confirm.
    • Disable an IdP

      Find the IdP that you want to disable and click Disable in the Actions column.

    • Enable an IdP

      Find the IdP that you want to enable and click Enable in the Actions column.

Migrate a workspace to an organization ID

After an organization ID is configured, the system automatically collects information about the workspaces for which logon verification is enabled. If you migrate those workspaces to the organization ID, you can view the logon verification methods of all of them from the organization ID.

Prerequisites

Before you migrate a workspace, you must make sure that logon verification is enabled for the workspace that you want to migrate, and the logon verification method, such as MFA, client logon verification, or SSO, is specified.
Note
  • On the Overview page in the EDS console, select the Cloud Desktops or Desktop Groups tab, and then click the ID of the workspace that you want to migrate. In the Security section, check whether MFA, SSO, or client logon verification is enabled.
  • MFA, SSO, and client logon verification are exclusive with each other. If you enable one method, you cannot enable the other methods.

Procedure

  1. Log on to the EDS console.
  2. In the left-side navigation pane, choose Desktops and Groups > Workspace.
  3. In the upper-right corner of the Workspace page, click Manage Organization ID.
  4. On the Manage Organization ID page, click Migrate Workspace Configuration.
  5. In the Migrate Workspace Settings to Organization ID panel, select one or more workspace IDs from the Workspace Configured MFA/Client Logon Verification drop-down list and click Migrate to Organization ID.
  6. Select the ID of the workspace that you want to migrate from the Workspace Configured SSO drop-down list, and then click Migrate to Organization ID in the Actions column.
    After the migration is complete, the message indicating successful migration appears.
  7. Click Keep Settings.