This topic describes how to configure single sign-on (SSO) for Elastic Desktop Service (EDS) by using Lightweight Directory Access Protocol (LDAP). If you want to quickly log on to Alibaba Cloud Workspace terminals and connect to cloud computers by using LDAP accounts, refer to operations described in this topic.
Limits
LDAP-based SSO for EDS supports logons to Alibaba Cloud Workspace terminals only by using organization IDs.
Prerequisites
An LDAP server is deployed and configured.
Step 1: Create an LDAP-based enterprise identity source
Log on to the EDS console.
In the left-side navigation pane, choose .
On the Enterprise Identity Source page, click LDAP.
If this is not your first time to configure SSO, you must click Add Enterprise Identity Source and then select LDAP.
In the Add Enterprise Identity Source panel, configure parameters and click Confirm. The following table describes the parameters.
Parameter: Name
Description: Enter a name for the enterprise identity source that you want to add.
Example: LDAP

Parameter: Type
Description: Select the type of enterprise identity source.
Example: LDAP

Parameter: Server Type
Description: Select a protocol and enter the address of the LDAP server. The ldaps:// and ldap:// protocols are supported. If you select ldap://, we recommend that you enable StartTLS to enhance data transfer security. StartTLS can be used together with the LDAP certificate. For more information, see the description of the Verify Certificate parameter in this topic.
Note: For the ldaps:// protocol, port 636 is used. For ldap://, with or without StartTLS, port 389 is used.
Example: ldaps://127.0.0.1:636

Parameter: BASE DN
Description: Enter a base distinguished name (DN), which is the path identifier of a directory information tree. By default, the root directory is used. A base DN is a sequence of relative distinguished names that are separated by commas.
DN format: ou=Sample organization, dc=example, dc=com
In most cases, the DN of the root directory is dc=example, dc=com. That is, the DN is your domain.
Example: dc=example, dc=com

Parameter: Administrator DN
Description: Enter an administrator DN. EDS uses this LDAP administrator account to read information from the LDAP server in order to synchronize data and complete delegated authentication. Make sure that the account has at least read permissions and that the account is specified in DN format.
Example: cn=admin, cn=User, dc=example, dc=com

Parameter: Administrator Password
Description: Enter the password of the administrator DN.
Example: Ytest001

Parameter: Certificate Verification
Description: If you set Server Type to ldaps://, or to ldap:// with StartTLS enabled, we recommend that you verify your LDAP certificate. You can record the fingerprint of the certificate to establish a trust relationship between EDS and LDAP, which prevents the LDAP certificate from being hijacked or forged. If you do not verify the LDAP certificate, your data may be exposed to security risks. To verify your LDAP certificate, perform the following steps:
Set Verify Certificate to Certificate Fingerprint.
Click Obtain. The certificate fingerprint is then automatically populated based on the preceding configurations.
Note: If an error occurs, check whether the configurations of the LDAP server are valid.
Example: 34fd9df0de731df621e48763fa1b5cd7a3f50e5a2050df1dee059c849e4b****

Parameter: (Optional) User Logon Identifier
Description: Specify the attributes that serve as logon identifiers. When users of the LDAP server log on to Alibaba Cloud Workspace terminals, EDS looks up the LDAP user by these attributes and validates the password. If the password of the LDAP user matches, SSO for EDS succeeds.
Note: Separate multiple attributes with commas (,). The attributes are in a logical OR relationship, which means that any one of the attributes can be used as a logon identifier.
Make sure that the values of the attributes that you configure are unique and correspond to the same LDAP user. Otherwise, the user fails to log on to Alibaba Cloud Workspace terminals. Default value: cn.
Example: cn,mail

Parameter: (Optional) ObjectClass
Description: Specify an object class. An object class is the collection of attributes that corresponds to a type of object in LDAP. You can use ObjectClass to identify which class marks an object as a user. For example, ObjectClass=user specifies that objects of the user class are users. Default value: posixAccount,inetOrgPerson,top.
Note: If you specify multiple object classes separated by commas (,), they are in a logical AND relationship.
Example: posixAccount,inetOrgPerson,top
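The Certificate Verification parameter pins the LDAP server certificate by its fingerprint: the value captured once by Obtain is compared against the certificate presented on every later connection, so a swapped or forged certificate is rejected even if it chains to a trusted CA. The following Python script is an added example of that pin-and-compare logic; it is not EDS code. SAMPLE_DER is a constructed byte string standing in for a DER-encoded certificate, and fetch_ldaps_cert_der is the one-time capture step for an ldaps:// server (it deliberately skips CA verification because the pin does not exist yet).

```python
"""Pin the LDAP server certificate by SHA-256 fingerprint (added example)."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate. A real one comes from
# the server (see fetch_ldaps_cert_der) or from `openssl s_client`.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-not-a-real-cert"


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 over the raw DER bytes; this is the pinned value."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'sha256:abcd..' and return bare lowercase hex."""
    text = text.strip().lower()
    if text.startswith("sha256:"):
        text = text[len("sha256:"):]
    return "".join(ch for ch in text if ch in "0123456789abcdef")


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin.

    An incomplete pin (for example the masked '****' value the console shows)
    is rejected outright rather than partially matched.
    """
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64:
        return False
    return hmac.compare_digest(sha256_fingerprint(der), expected)


def fetch_ldaps_cert_der(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Retrieve the certificate an ldaps:// server presents, without trusting it.

    Verification is disabled on purpose: this is the capture step that
    establishes the pin, and every later connection goes through
    fingerprint_matches() instead. For ldap:// with StartTLS the client must
    first send the StartTLS extended operation (RFC 4511) before wrapping the
    socket; that exchange is not implemented here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pin = sha256_fingerprint(SAMPLE_DER)            # value recorded at setup time
    print("pin:", pin)
    print("same cert:", fingerprint_matches(SAMPLE_DER, pin.upper()))
    print("swapped cert:", fingerprint_matches(SAMPLE_DER + b"x", pin))
```

Record the pin out of band and compare it with the value the console obtains; if the two differ, the connection the console made did not reach the certificate you expected, and the LDAP server configuration should be checked before SSO is enabled.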
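The User Logon Identifier and ObjectClass parameters together describe an LDAP search: the object classes are ANDed, the identifier attributes are ORed, and exactly one entry must come back or the logon fails. The following Python script is an added example that makes those semantics concrete; it is not EDS code and does not show how EDS queries the server. It builds the equivalent RFC 4515 filter with the logon name escaped, and applies the same rules to DIRECTORY, a constructed in-memory stand-in for LDAP search results that includes a duplicate mail value and a group entry, so the uniqueness caveat from the parameter note can be seen.

```python
"""User lookup implied by User Logon Identifier (OR) and ObjectClass (AND).
Added example; not EDS code."""
from typing import Dict, List, Optional

# RFC 4515 escaping for assertion values, so a logon name typed by a user
# cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _split(csv_text: str) -> List[str]:
    """Split a comma-separated parameter value, dropping blanks."""
    return [item.strip() for item in csv_text.split(",") if item.strip()]


def build_user_filter(login: str, identifiers: str = "cn",
                      object_classes: str = "posixAccount,inetOrgPerson,top") -> str:
    """Object classes are ANDed; logon identifier attributes are ORed."""
    classes = "".join(f"(objectClass={escape_filter_value(c)})"
                      for c in _split(object_classes))
    safe_login = escape_filter_value(login)
    attrs = _split(identifiers)
    id_terms = "".join(f"({attr}={safe_login})" for attr in attrs)
    id_clause = id_terms if len(attrs) == 1 else f"(|{id_terms})"
    return f"(&{classes}{id_clause})"


# Constructed in-memory directory standing in for LDAP search results.
DIRECTORY: List[Dict] = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "objectClass": ["top", "inetOrgPerson", "posixAccount"],
     "cn": "alice", "mail": "alice@example.com"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "objectClass": ["top", "inetOrgPerson", "posixAccount"],
     "cn": "bob", "mail": "bob@example.com"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com",   # misconfigured: reuses bob's mail
     "objectClass": ["top", "inetOrgPerson", "posixAccount"],
     "cn": "dave", "mail": "bob@example.com"},
    {"dn": "cn=admins,ou=Groups,dc=example,dc=com",  # a group, not a user
     "objectClass": ["top", "groupOfNames"], "cn": "admins"},
]


def resolve_user(directory: List[Dict], login: str, identifiers: str = "cn",
                 object_classes: str = "posixAccount,inetOrgPerson,top") -> Optional[str]:
    """Return the DN of the single entry the filter would select, or None.

    None covers both 'no such user' and 'ambiguous'; the latter is the case
    the parameter note warns about when identifier values are not unique.
    Attribute values are compared case-insensitively (assumed caseIgnoreMatch).
    """
    required = set(_split(object_classes))
    hits = []
    for entry in directory:
        if not required.issubset(entry.get("objectClass", [])):
            continue
        if any(str(entry.get(attr, "")).lower() == login.lower()
               for attr in _split(identifiers)):
            hits.append(entry["dn"])
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_user_filter("alice", "cn,mail"))
    print(build_user_filter("*)(cn=*", "cn"))            # metacharacters are escaped
    print(resolve_user(DIRECTORY, "alice@example.com", "cn,mail"))
    print(resolve_user(DIRECTORY, "bob@example.com", "cn,mail"))  # ambiguous, None
```

The duplicate mail value on the dave entry is exactly the situation the note describes: with cn,mail as identifiers, a logon with bob@example.com matches two entries, so it resolves to nothing; tightening the identifiers to cn, or fixing the directory data, restores a unique match.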
Step 2: Create a user whose username is the same as that of an LDAP user
After you create an LDAP-based enterprise identity source, you need to establish a trust relationship between LDAP users and EDS. To do so, create a user in the EDS console for SSO whose username is the same as that of the LDAP user.
In the left-side navigation pane, choose .
On the Users & Organizations page, click the User tab and click Create User.
In the Create User panel, choose one of the following methods to create a user whose username is the same as that of an LDAP user.
NoteMake sure that you use the same username. The password of the user that you are creating can be different from that of the LDAP user. Specify a password based on the on-screen instructions.
Manually create users
Click the Manual Entry tab.
Select a user type based on your business requirements.
Valid values: User-activated and Administrator-activated.
Enter a username and click Create User.
Repeat the preceding steps to create multiple users.
Batch create users
Click the Batch Entry tab.
Select a user type based on your business requirements.
Valid values: User-activated and Administrator-activated.
Select one of the following methods to create a user information file:
Click Download to download a template for importing users. Open the template, enter user information in the format that is provided by the template, and then save the template.
Note: If you want to create user-activated users, specify values in the first column (Username) and the second column (Email) of the template. If you want to create administrator-activated users, specify values in the first column (Username) and the fourth column (Password) of the template.
Use Excel to open the template, enter user information, and then save the template as a .csv file.
Click Select File to select the .csv file and follow the on-screen instructions to import users.
After the file is imported to the EDS console, a message indicating that users are created appears in the Create User panel. Then, you can click View Account to check whether all users that you entered are imported. If you fail to import the file, check whether the user information in the file is in a valid format.
Click Close.
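Import failures are easier to diagnose before the upload than from the console message. The following Python script is an added example of a pre-upload check for the batch file; it is not the downloaded template or EDS code. It uses only what the page states about the layout (column 1 Username, column 2 Email, column 4 Password) and assumes a header row; column 3 is not named on the page and is kept only to preserve positions. SAMPLE_CSV is a constructed file, and the optional ldap_usernames set lets you confirm that every username matches an existing LDAP user, since that is what the trust relationship in this step depends on.

```python
"""Check a batch-import CSV before uploading it (added example, not the
EDS template). Column positions come from the page; the header row, the
sample rows and the name of column 3 are assumptions."""
import csv
import io
from typing import List, Optional, Set, Tuple

# Positions the page names: column 1 Username, column 2 Email, column 4 Password.
# Column 3 is not named on the page and is only kept to preserve positions.
USERNAME, EMAIL, PASSWORD = 0, 1, 3

# Constructed sample rows. Line numbers below count the header as line 1.
SAMPLE_CSV = """Username,Email,Column3,Password
alice,alice@example.com,,
bob,,,placeholder-password
carol,,,
alice,alice@example.com,,
"""


def validate_import(text: str, activation: str,
                    ldap_usernames: Optional[Set[str]] = None) -> Tuple[List[str], List[str]]:
    """Return (usernames that would import cleanly, list of problems).

    activation is "user" (needs Username and Email) or "admin" (needs Username
    and Password). If ldap_usernames is given, every username must exist in
    it, because the EDS user must carry the same username as the LDAP user.
    """
    if activation not in ("user", "admin"):
        raise ValueError("activation must be 'user' or 'admin'")
    accepted: List[str] = []
    problems: List[str] = []
    seen: Set[str] = set()
    reader = csv.reader(io.StringIO(text))
    next(reader, None)                        # skip the header row
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue                          # blank line
        row = row + [""] * (4 - len(row))     # tolerate short rows
        name = row[USERNAME].strip()
        if not name:
            problems.append(f"line {lineno}: Username (column 1) is empty")
        elif activation == "user" and not row[EMAIL].strip():
            problems.append(f"line {lineno}: {name}: Email (column 2) is required for user-activated users")
        elif activation == "admin" and not row[PASSWORD].strip():
            problems.append(f"line {lineno}: {name}: Password (column 4) is required for administrator-activated users")
        elif name in seen:
            problems.append(f"line {lineno}: {name}: duplicate username")
        elif ldap_usernames is not None and name not in ldap_usernames:
            problems.append(f"line {lineno}: {name}: no LDAP user with this username")
        else:
            seen.add(name)
            accepted.append(name)
    return accepted, problems


if __name__ == "__main__":
    for mode in ("user", "admin"):
        ok, bad = validate_import(SAMPLE_CSV, mode)
        print(mode, "accepted:", ok)
        for line in bad:
            print("  ", line)
```

Run it against the saved .csv with the activation type you selected on the Batch Entry tab; a file with an empty problems list should import without the format error the console reports, and the accepted list is what you should see under View Account afterwards.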
After you create the convenience user, you can view the user information on the User tab. The user is in the Normal state.
NoteThe system does not send notifications when convenience users are created. It sends notifications to specified email addresses when you assign cloud computers or cloud computer pools to the users.
What to do next
If LDAP-based SSO is configured for your organization ID, end users can log on to Alibaba Cloud Workspace terminals only after they enter the valid organization ID and pass the LDAP identity verification.
For more information about how to log on to Alibaba Cloud Workspace terminals, see Quick start.