WUYING Workspace: SSO overview

Last Updated: Jan 22, 2024

WUYING Workspace supports single sign-on (SSO) with Azure Active Directory (AD) and Active Directory Federation Services (AD FS) as identity providers (IdPs), which accelerates user access to cloud computers in WUYING Workspace.

Introduction

Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single logon. SSO implements logon based on identity federation.

The following terms are frequently used in SSO scenarios:

  • Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities when users log on.

    Common IdPs:

    • On-premises IdPs: IdPs that run on on-premises architecture, such as Microsoft Active Directory Federation Services (AD FS) and Shibboleth.

    • Cloud IdPs: IdPs such as Azure AD, Google Workspace, Okta, and OneLogin.

  • Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on a trust relationship with the IdP. In identity systems that do not use the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), the SP is referred to as the relying party of an IdP.

  • SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.

To implement SSO between WUYING Workspace and IdPs, you must establish a trust relationship between WUYING Workspace and the IdPs by exchanging metadata files between them. For the steps to configure SAML-based SSO, see Configure SAML-based SSO.

Limits on WUYING terminals

The following WUYING terminals support SSO:

  • Windows clients

  • macOS clients

  • Web clients

Scenarios

If you want users to initiate logon on the logon page of the WUYING Workspace client instead of on the logon page of an IdP, you can configure SSO based on your business requirements. The following table describes the scenarios and the configurations that are required to implement SSO between WUYING Workspace and common IdPs.

| Scenario | Description | Reference |
| --- | --- | --- |
| Users can quickly log on to WUYING terminals to access cloud computers after their logon credentials are authenticated in Azure AD. | If you use Azure AD to manage users, you can create convenience users whose usernames are the same as those of AD users in Azure AD to implement SSO for WUYING Workspace. In this case, WUYING Workspace acts as an SP, and Azure AD acts as an IdP. The providers exchange metadata files to enable SAML-based SSO. After you configure SSO, users can access cloud computers by using the same credentials in Azure AD. | Integrate Azure AD based on the SAML protocol |
| If you want to connect to enterprise AD systems, you can create convenience users based on the information about AD users in AD FS to implement SSO for WUYING Workspace. After you create the convenience users, the users can quickly log on to WUYING terminals to access cloud computers after their logon credentials are authenticated in AD FS. | If your enterprise uses Active Directory Domain Services (AD DS) to manage users, you can configure SSO for WUYING Workspace by using AD FS. In this scenario, WUYING Workspace acts as an SP and AD FS acts as an IdP. The providers exchange metadata files to implement SAML-based SSO. After you configure SSO, users can access cloud computers by using the same credentials as in AD FS. | Integrate AD FS based on the SAML protocol |