
WUYING Workspace:Configure SAML-based SSO

Last Updated:May 06, 2024

To establish mutual trust between WUYING Workspace and an identity provider (IdP), you must configure Security Assertion Markup Language (SAML) settings on both the IdP and the service provider (SP). In this topic, WUYING Workspace acts as the SP. After the configuration, your end users can use single sign-on (SSO) to log on to WUYING terminals. This topic describes how to integrate SAML 2.0-based SSO with WUYING Workspace.

Background

Single sign-on (SSO) is a secure communication technology that allows a user to access multiple trusted application systems after a single logon. SSO implements logon based on identity federation.

For more information, see SSO.

Configuration process

To establish mutual trust between WUYING Workspace and an IdP, you must configure the two parties to exchange SAML metadata files. The following information describes how to configure SSO.

  1. To configure the trust on WUYING Workspace for an IdP, you must configure WUYING Workspace as a trusted SAML SP in the IdP.

  2. To configure the trust on the IdP for WUYING Workspace, you must configure the IdP as a trusted SAML IdP in WUYING Workspace.

  3. After the trust relationship is established between the IdP and WUYING Workspace, you must create users that match the IdP users in the WUYING Workspace console.

    In actual business scenarios, you can first configure mutual trusts between SPs and IdPs and then create users that match the IdP users in the WUYING Workspace console, or vice versa.

Procedure

The following section describes how to specify WUYING Workspace as a trusted SAML SP in an IdP and how to specify an IdP as a trusted SAML IdP in WUYING Workspace. In the following section, SAML 2.0 is used.

Step 1: Specify WUYING Workspace as a trusted SAML SP in an IdP

  1. Obtain the SAML SP metadata file in the WUYING Workspace console.

    1. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable SSO and click the ID of the office network.

    2. In the left-side navigation pane of the office network details page, click the Other tab.

    3. In the Other section, click Download Metadata File to the right of Application Metadata.

  2. Create a SAML SP in the IdP and use the metadata file obtained in the previous substep to specify WUYING Workspace as a trusted SAML SP.

Step 2: Specify a trusted SAML IdP in WUYING Workspace

  1. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable SSO and click the ID of the office network.

  2. In the left-side navigation pane of the office network details page, click the Other tab.

  3. In the Other section, configure SSO settings.

    • SSO: Enable or disable the SSO feature based on your business requirements.

      • By default, the SSO feature is disabled. When end users connect to cloud computers in the office network, SSO settings do not take effect.

      • If you enable the feature for the office network, end users are redirected to the IdP logon page for identity authentication without the need to enter usernames and passwords. If you disable the feature for the office network, end users can use only usernames and passwords to connect to cloud computers in the office network.

    • IdP Metadata: Click Upload File to upload the metadata file that is provided by the IdP.

      Note

      IdPs provide the metadata file with the .xml extension. The .xml file contains the logon service address of the IdP and the X.509 public key certificate that is used to check the validity of the SAML assertion that is issued by the IdP.

      If the status of the IdP Metadata parameter is Completed, the IdP is specified as a trusted SAML IdP.

Step 3: Create a user that matches an IdP user

Create a user that matches an IdP user in the WUYING Workspace console. For more information, see Create a convenience user or Create an AD user.

Note

When you create a user, you can specify a password for the user. The password of the user can be different from that of the IdP user with the same name.

What to do next

After SSO is configured, an end user logs on to a WUYING terminal with the IdP username and password; the terminal logon completes after the IdP authenticates the user. The following section describes how to log on to the Alibaba Cloud Workspace client by using the information about an IdP user. In this section, the Windows client of Alibaba Cloud Workspace is used as an example.

  1. Launch the Windows client.

  2. On the Enterprise Edition page, enter the ID of the office network for which SSO is enabled.

  3. On the IdP logon page, enter information about the IdP user, including the username and password, and click Log On.

    After you log on to the client, cloud computers in the office network are displayed as cards. Find the cloud computer that you want to manage and click Connect Cloud Computer.

References

For more information about how to implement SSO between WUYING Workspace and an IdP, see the sample SSO configurations in the following topics: