SSO to Office365 with NetScaler Unified Gateway

How to configure SSO to Microsoft Office365 with Citrix NetScaler Unified Gateway

In this blog post I want to show you how to configure Office365 as a SaaS application in a Citrix NetScaler Unified Gateway. We will also use SAML-based authentication to provide a Single Sign-On experience. For this to work, your Office365 account must be configured as a SAML Service Provider. I blogged about how to do this here, so I will move directly to the interesting part. 🙂

We start by creating the required SAML SSO Profile. Go to NetScaler Gateway -> Policies -> Traffic and switch to the last tab, which is called SAML SSO Profiles. You will see that this SAML SSO Profile looks like your SAML IdP Profile except for one small difference: the Relay State Expression. As Ingmar Verheij already explained in his blog about SSO to Sharefile with Unified Gateway, it doesn't matter which expression you use as long as its syntax is correct. The rest of the values should match your SAML IdP Policy, or at least work with your Office365 configuration. My SAML SSO Profile contains these values:

  • Assertion Consumer Service Url: https://login.microsoftonline.com/login.srf
  • Relay State Expression: HTTP.REQ.COOKIE
  • Signing Certificate Name: Select the certificate you use to sign the SAML Responses/Requests.
  • Issuer Name: The external URL of your Unified Gateway: https://gateway.domain.com/saml/login
  • Audience: urn:federation:MicrosoftOnline
  • And make sure you set the Attribute1 Value to mail.


In the second step we create the Microsoft Office365 SaaS application. Go to NetScaler Gateway -> Resources -> Bookmarks. After you click Add, enter a Name and a Display Name. Under Bookmark, enter the Microsoft Office365 login page; I use https://portal.office.com here. Select SaaS as the Application Type and SAML Based Authentication as the SSO Type. Under SAML SSO Profile, select the SAML SSO Profile you created a few moments ago.


To finish the configuration, you only have to bind the newly created Bookmark to your Citrix NetScaler Unified Gateway. You do this in your Unified Gateway vServer under Published Applications -> URL.


If you open your Unified Gateway and log in, you should see the Office365 SaaS application. As soon as you start the application, you will see your Office365 landing page without entering any credentials.
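To confirm that the gateway issues what the SAML SSO Profile above specifies, the following added example (not part of the original post and not Citrix tooling) checks a base64-encoded SAMLResponse from your own test login against those values. It assumes the response carries a Destination attribute and an attribute named mail; the sample response is constructed, and the Signature check is presence-only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Expected values, taken from the SAML SSO Profile listed in the post.
ACS = "https://login.microsoftonline.com/login.srf"
ISSUER = "https://gateway.domain.com/saml/login"
AUDIENCE = "urn:federation:MicrosoftOnline"

# Constructed sample response (not captured traffic); signature body omitted.
SAMPLE_XML = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <a:Assertion><a:Issuer>{issuer}</a:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <a:Subject><a:NameID>user@domain.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="mail">
   <a:AttributeValue>user@domain.com</a:AttributeValue>
  </a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""

def make_sample(acs=ACS, issuer=ISSUER, audience=AUDIENCE):
    """Base64-encode the constructed response, as it travels in the POST form."""
    xml = SAMPLE_XML.format(acs=acs, issuer=issuer, audience=audience)
    return base64.b64encode(xml.encode()).decode()

def check_response(b64_response):
    """Return the profile fields that a SAMLResponse does not match."""
    root = ET.fromstring(base64.b64decode(b64_response))
    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""
    problems = []
    if root.get("Destination") != ACS:
        problems.append("Assertion Consumer Service Url")
    if text("a:Assertion/a:Issuer") != ISSUER:
        problems.append("Issuer Name")
    if text("a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience") != AUDIENCE:
        problems.append("Audience")
    if not text("a:Assertion/a:AttributeStatement/a:Attribute[@Name='mail']/a:AttributeValue"):
        problems.append("Attribute1 (mail)")
    # Presence only: this does not validate the signature cryptographically.
    if root.find(".//ds:Signature", NS) is None:
        problems.append("Signing Certificate (no Signature element)")
    return problems
```

An empty list from `check_response` means the response matches the profile; any returned name is the profile field to recheck.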


4 Responses to “SSO to Office365 with NetScaler Unified Gateway”

  1. […] SSO to Office365 with NetScaler Unified Gateway […]

  2. Marcel says:

    Hello,

    Nice article!

    If the NetScaler is federated with ADFS when logging on to the NetScaler, what setup will be used for the SSO_profile? In my case the Office365 tenant is also federated, both by the same federation server (ADFS).

    Regards,

    Marcel

  3. Your blog is nearly correct, it won’t work 😉 I have the solution for the single sign-on with Office365.. You're missing the crucial attribute, but I think you might know what this is, right? The NameID cannot be the user.name ….

    Regards,

    Marcel

  4. Alexandra says:

    This shows real expertise. Thanks for the answer.
