Elastic Desktop Service (EDS) supports Security Assertion Markup Language (SAML) 2.0-based single sign-on (SSO), letting end users access EDS terminals through your existing identity provider (IdP) without entering separate EDS credentials. To enable this, you establish mutual trust between EDS (acting as the service provider, or SP) and your IdP by exchanging metadata on both sides.
EDS supports SAML-based SSO in two deployment contexts:
Office network: SSO is scoped to a specific office network. After you enable SSO, the EDS terminal logon page for that network is replaced by the IdP logon page.
Organization: SSO applies across the entire organization through an enterprise identity source.
Prerequisites
Before you begin, make sure you have:
An IdP that supports SAML 2.0 (such as Azure AD, AD FS, or IDaaS)
Administrator access to both the EDS console and your IdP
For office network SSO: an EDS office network with SSO ready to enable
For organization SSO: access to Users & Logons > Enterprise Identity Sources in the EDS console
Configure SSO for an office network
Configuring office network SSO involves three steps: registering EDS as a trusted SP in your IdP, uploading the IdP metadata to EDS, and creating a matching user account.
Step 1: Register EDS as a trusted SP in your IdP
Log on to the EDS console.
In the left-side navigation pane, choose Networks & Storage > Office Networks.
In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network for which you want to enable SSO, and click the office network ID.
On the office network details page, find the Other Information section, click Show to expand it, and then click Download Metadata File to the right of Application Metadata.
In your IdP, create a SAML SP application and import the downloaded metadata file to register EDS as a trusted SP.
Step 2: Upload IdP metadata to EDS
In the Other Information section of the office network details page, turn on SSO.
After you enable SSO, the EDS terminal logon page for this office network is replaced by the IdP logon page. End users will log on through the IdP instead of entering EDS credentials. Communicate this change to users before enabling SSO.
Click Upload File to the right of IdP Metadata, and upload the IdP metadata file.
The metadata file is an XML document containing the IdP logon address and an X.509 certificate. EDS uses this certificate to verify the validity of SAML assertions issued by the IdP.
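Because EDS trusts whatever certificate and logon address the uploaded file carries, it is worth sanity-checking the file before uploading it. The following is an added example, not EDS or IdP code: it parses a constructed IdP metadata document with Python's standard library and reports a missing signing certificate, a non-HTTPS logon endpoint, or a file that is not IdP metadata at all; the entity ID, endpoint URL and certificate bytes are made up.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def check_idp_metadata(xml_text: str) -> list:
    """Return the problems found; an empty list means the file looks uploadable."""
    problems = []
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor (SP metadata uploaded by mistake?)"]
    # Logon address: must advertise a supported binding and be served over HTTPS.
    locations = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") in BINDINGS]
    if not locations:
        problems.append("no SingleSignOnService with HTTP-Redirect/POST binding")
    problems += [f"logon endpoint is not HTTPS: {u}" for u in locations
                 if urlparse(u).scheme != "https"]
    # Signing certificate: no 'use' means both uses; use="encryption" cannot verify assertions.
    signing = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
                if der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                    raise ValueError
                signing += 1
            except (ValueError, IndexError):
                problems.append("X509Certificate is not base64-encoded DER")
    if signing == 0:
        problems.append("no usable signing certificate")
    return problems

# Constructed sample, not real IdP metadata: a 5-byte DER SEQUENCE stands in for
# the IdP signing certificate that a real file carries.
FAKE_CERT = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor entityID="https://idp.example.test/saml"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run `check_idp_metadata(open("idp-metadata.xml").read())` on the real export; the checks only cover structure, so the certificate's expiry and the IdP's entity ID still need to be confirmed against the IdP itself.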
Step 3: Create a matching user account
Create a user in the EDS console whose username matches the corresponding IdP user. For details, see Create a convenience account or the Create enterprise AD accounts section of the "Create and manage enterprise AD accounts" topic.
The EDS user password can differ from the IdP user password, even when both accounts share the same username.
Configure SSO for an organization
Configuring organization SSO also involves three steps, but the order is reversed: you first add the IdP as a trusted identity source in EDS, then register EDS as a trusted SP in the IdP, and finally create a matching user account.
Step 1: Add the IdP as a trusted identity source in EDS
In the left-side navigation pane, choose Users & Logons > Enterprise Identity Sources.
On the Enterprise Identity Sources page, add the IdP:
If no enterprise identity source exists, click SAML.
If an enterprise identity source already exists, click Add Enterprise Identity Source in the upper-left corner, and then click SAML in the Add Enterprise Identity Source panel.
In the Add Enterprise Identity Source panel, configure the following parameters and click Confirm.
| Parameter | Description |
|---|---|
| Enterprise Identity Source Name | A name to identify this IdP in EDS. |
| Enterprise Identity Source Type | Select SAML. |
| IdP Metadata | Click Upload File to upload the IdP metadata file. |
| User Account Type | Select Convenience Account or Enterprise AD Account. If you select Enterprise AD Account, also select the AD domain name. |
Step 2: Register EDS as a trusted SP in your IdP
In the left-side navigation pane, choose Users & Logons > Enterprise Identity Sources.
On the Enterprise Identity Sources page, find the identity source you just added and click Edit in the Actions column.
In the Edit Enterprise Identity Source panel, click Download File below Application Metadata.
In your IdP, create a SAML SP application and import the downloaded metadata file to register EDS as a trusted SP.
Step 3: Create a matching user account
Create a user in the EDS console whose username matches the corresponding IdP user. For details, see Create a convenience account or the Create enterprise AD accounts section of the "Create and manage enterprise AD accounts" topic.
The EDS user password can differ from the IdP user password, even when both accounts share the same username.
What's next
For end-to-end configuration examples with specific IdPs, see:
For an overview of logon methods, see Configure logon methods.