Microsoft

SSO to Office365 with NetScaler Unified Gateway

How-to configure SSO to Microsoft Office365 with Citrix NetScaler Unified Gateway

In this Blogpost I want to show you how-to configure Office365 as a SaaS Application in a Citrix NetScaler Unified Gateway. We will also make use of a SAML Based Authentication to realize a Single Sign-On experience. To get this working it is necessary that your Office365 Account is configured as a SAML Service Provider. I blogged about how to do this here, so I will move directly to the interesting part. :)

We start by creating the needed SAML SSO Profile. Go to NetScaler Gateway -> Policies -> Traffic and switch to the last Tab which is called SAML SSO Profiles. You will see that this SAML SSO Profile looks like your SAML IdP Profile except one small difference. The Relay State Expression. As Ingmar Verheij already explained in his Blog about SSO to Sharefile with Unified Gateway it doesn´t matter which  expression you are working with as long as it has a correct syntax. The rest of those Values should match your SAML IdP Policy or at least work with your Office365 configuration. My SAML SSO Profile does contain this values:

  • Assertion Consumer Service Url: https://login.microsoftonline.com/login.srf
  • Relay State Expression: HTTP.REQ.COOKIE
  • Signing Certificate Name: Select your Certificate which you are using to sign the SAML Responses/Requests.
  • Issuer Name: Your external URL of your Unified Gateway https://gateway.domain.com/saml/login
  • Audience: urn:federation:MicrosoftOnline
  • And make sure you set the Attribute1 Value to mail.

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

In the second Step we will create the Microsoft Office365 SaaS Application. Go to NetScaler Gateway ->Resources -> Bookmarks. After you hit Add you have to enter a Name and Display Name. Under Bookmark you have to enter the Microsoft Office365 Login Page. I do work here with https://portal.office.com. Select SaaS as the Application Type and select SAML Based Authentication as the SSO Type. Under SAML SSO Profile you have to select your SAML SSO Profile which you created a few moments ago.

SSO Office365 NetScaler Unified Gateway

To finish the configuration you only have to bind the newly created Bookmark to your Citrix NetScaler Unified Gateway. You will do this in your Unified Gateway vServer under Published Applications->URL

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

If you open your Unified Gateway and login you should the Office365 SaaS Application. As soon as you start the Application, you will see your Office356 Landingpage without entering any Credentials.

SSO Office365 NetScaler Unified Gateway

 

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

NetScaler as a SAML IdP for Office 365

How-to configure Citrix NetScaler as a SAML Identity Provider for Microsoft Office 365

Since I got some spare time I thought it would be cool to upgrade my Lab Environment and add the SAML Identity Provider Role to my Citrix NetScaler so that my Microsoft Office365 Account would be able to authenticate against the Citrix NetScaler IdP.

Before we start this little how-to, I assume that you already got a Citrix NetScaler up and running. The same goes for your Microsoft Office365 Account and the sync of your Users between your On-Premise Active Directory and the Azure Active Directory. DirSync and Azure AD Connect are both fine. You will need a Citrix NetScaler AAA vServer or a Citrix NetScaler Gateway vServer which is public available through SSL and a SSL Certificate which is trusted by a public CA. Additional you need another SSL Certificate which will be used to sign the SAML Tokens. This Certificate can be self signed or you can use the same public Certificate which is used for the AAA / Gateway vServer. It´s up to you.

Let´s start with the Citrix NetScaler Part. First we create a AAA or Gateway vServer. Make it public available and bind the public SSL Certificate to the vServer. Because I’m quite limited on public IPs and it´s not possible to bind more than one VPN Server to a Content Switch, I am “forced” to use my NetScaler Unified Gateway.

We have to create an LDAP Server and an LDAP Policy. The important part here is that you have to set a Value for Attribute 1. With this setting the Mail Address will be extracted from LDAP Request, which is needed by Microsoft Office 365. My LDAP Server looks like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365

You also have to create a LDAP Policy and bind the created LDAP Server to it. Nothing fancy here :)

NetScaler as an SAML IdP for Office 365

In the next step we will create the SAML IdP Profile. Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Polices -> SAML IdP and switch to the Profiles Tab. You need to create a Profile like this:

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

The complete URL within Assertion Consumer Service URL is https://login.microsoftonline.com/login.srf. In the IDP Certificate Name you will have to choose your SSL Certificate with which you will sign your SAML Tokens. Make sure the Private Key for this Certificate is present on the NetScaler! The Issuer Name should represent the Public URL of your AAA / Gateway Server. https://aaa.fqdn.com/saml/ replace aaa.fqdn.com with your public AAA / Gateway vServer. The other Values should match the Screenshots.

Of course we have to create the corresponding Policy.

NetScaler as an SAML IdP for Office 365

Because it´s possible to bind multiple SAML IdP Policies to one AAA / Gateway Server which most certainly have different settings, I do check the Referer if it matches the Microsoft Login Page. This way you are able to create different SAML Identity Provider for different Service Providers with only one AAA / Gateway. To end the NetScaler Configuration Part it is necessary to bind the LDAP Policy and the SAML IdP Policy to our vServer. Make sure the SAML IdP Policy has the lower Priority. Your AAA / Gateway vServer should look something like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

We will now switch to the Microsoft Office365 Part. You need to open the Windows Azure Active Directory Modul for Windows Powershell. Connect to your Azure AD using the command Connect-MsolService. In Case your Domain is already Federated to have to undo this. You do this by set the Authentication back to Managed Set-MsolDomainAuthentication -DomainName domain.com -Authentication Managed. After that it is possible to Convert the Domain back to Standard with the following command Convert-MSOLDomainToStandard –DomainName domain.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt. For more Information please read this Microsoft Documentation

We will set a few variables in the Powershell Session:

  • $url = “https://aaa.fqdn.com/saml/login”
  • $uri = “https://aaa.fqdn.com /saml/login”
  • $ecpUrl = “https:// aaa.fqdn.com /saml/login”
  • $dom = “fqdn.com”
  • $fedBrandName = “Company Name”
  • $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\pathtocertificate\certificate.cer”) $certData = [system.convert]::tobase64string($cert.rawdata)

You will have to replace aaa.fqdn.com with the URL of you AAA / Gateway vServer. Now you have to run the following command to switch your Domain to use your SAML IdP                                   Set-MsolDomainAuthentication -DomainName $dom -federationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $url –PreferredAuthenticationProtocol SAMLP

After a few Moments the changes should have been applied and Microsoft Online will redirect you to your AAA / Gateway vServer for Authentication :)

 

Some Tips and Resources:

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

Securing the Exchange Control Panel

Securing the Exchange Control Panel using Netscaler Application Firewall

For this Blogpost I assume that you are already Load Balancing your Exchange Servers by using the NetScaler. If not you can find here a great Deployment Guide by Citrix. In my Lab Environment I also use Content Switching. So eventually you have to adjust the Virtual Server where you will bind your Application Firewall Policy to. Let´s start!

Navigate to Security -> Application Firewall -> Profiles

Exchange Control Panel

Here we will create a new Application Firewall Profile. Enter a Profile Name as you like and click “Create”.

Exchange Control Panel

Double Click that new created Profile and switch to the Security Checks Tab. Again Double Click Deny URL. Add a new Deny URL and enter the following Syntax: “^[^?]*/ecp” without quotes and mark the “Enabled” Check Box. In the General Tab enable at least the Block Check Box. Press OK.

Exchange Control PanelExchange Control PanelExchange Control Panel

 

Within the “Configure Web Application Firewall Profile” Window switch to the Settings Tab. You can specify here what will happen if /ecp will be accessed. In my setup i decided to redirect the Person to my Blog. Obviously you can create a HTML Website and upload it to the NetScaler.

Exchange Control Panel

After we successfully created a Profile we have to create a Policy and bind the Profile to Policy. To do this we switch to the Menu Security -> Application Firewall -> Policies -> Firewall. Here we click “Add”. Choose an appropriate name for the Policy. After that select the created Profile from the Dropdown Menu and as an expression simply enter “true”. Press OK.

Exchange Control Panel

Exchange Control Panel

To finish the setup we have to bind the Profile to an vServer, Content Switch vServer or Globally. In my Lab I decided to apply this Policy to the Content Switch vServer. We do this by starting the Application Firewall Policy Manager. You will find this Tool under Security -> Application Firewall -> Application Firewall Policy Manager. Switch to the Tab “CS Virtual Server”. Double Click your Content Switch vServer and insert your Policy. Click Apply Change and you are done. You can now start to test your newly created Application Firewall and try to access the Exchange Control Panel.

Exchange Control Panel

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

By continuing to use the site, you agree to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close