How-to configure SSO to Microsoft Office365 with Citrix NetScaler Unified Gateway
In this blog post I want to show you how to configure Office365 as a SaaS application in a Citrix NetScaler Unified Gateway. We will also use SAML based authentication to provide a Single Sign-On experience. For this to work, your Office365 account must be configured as a SAML Service Provider. I blogged about how to do this here, so I will move directly to the interesting part. 🙂
We start by creating the needed SAML SSO profile. Go to NetScaler Gateway -> Policies -> Traffic and switch to the last tab, which is called SAML SSO Profiles. You will see that this SAML SSO profile looks like your SAML IdP profile except for one small difference: the Relay State Expression. As Ingmar Verheij already explained in his blog about SSO to ShareFile with Unified Gateway, it doesn't matter which expression you use as long as it has correct syntax. The rest of the values should match your SAML IdP policy, or at least work with your Office365 configuration. My SAML SSO profile contains these values:
- Assertion Consumer Service Url: https://login.microsoftonline.com/login.srf
- Relay State Expression: HTTP.REQ.COOKIE
- Signing Certificate Name: Select your Certificate which you are using to sign the SAML Responses/Requests.
- Issuer Name: Your external URL of your Unified Gateway https://gateway.domain.com/saml/login
- Audience: urn:federation:MicrosoftOnline
- And make sure you set the Attribute1 Value to mail.
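To see where each of the profile values above ends up in the SAML Response the gateway posts to Office365, here is an added example (not from the original post and not NetScaler code): a small Python checker that parses a hand-constructed SAML Response and verifies that Destination, Issuer, Audience, the validity window and the mail attribute match the profile. The gateway hostname `gateway.domain.com` and the user `user@domain.com` are placeholders; a real Service Provider would additionally verify the XML signature, which this check deliberately leaves out.

```python
"""Check that a SAML Response carries the values an Office365 SAML SSO
profile is expected to produce.  Added example, not part of the original
post; the sample response below is constructed by hand."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the SAML SSO profile described in the post.
# The issuer uses the placeholder gateway hostname from the post.
EXPECTED = {
    "destination": "https://login.microsoftonline.com/login.srf",  # ACS URL
    "issuer": "https://gateway.domain.com/saml/login",            # Issuer Name
    "audience": "urn:federation:MicrosoftOnline",                 # Audience
    "attribute": "mail",                                          # Attribute1
}

# Constructed sample of what the gateway would POST to the ACS URL,
# trimmed to the elements we check (no Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-01-01T12:00:00Z"
    Destination="https://login.microsoftonline.com/login.srf">
  <saml:Issuer>https://gateway.domain.com/saml/login</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T12:00:00Z">
    <saml:Issuer>https://gateway.domain.com/saml/login</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-01-01T11:55:00Z" NotOnOrAfter="2016-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user@domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2016-01-01T12:00:00Z (None if absent)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected, now):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the Assertion Consumer Service URL of the profile.
    if root.get("Destination") != expected["destination"]:
        problems.append("destination mismatch")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]

    # Issuer inside the assertion must equal the profile's Issuer Name.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append("issuer mismatch")

    # Audience restriction must name Office365.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("audience mismatch")

    # Validity window: reject assertions that are not yet valid or already expired.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            problems.append("assertion not yet valid")
        if not_on_or_after is not None and now >= not_on_or_after:
            problems.append("assertion expired")

    # Attribute1 of the profile must be present with a non-empty value.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not any(attrs.get(expected["attribute"], [])):
        problems.append("missing attribute " + expected["attribute"])

    return problems


if __name__ == "__main__":
    now = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, EXPECTED, now) or "all checks passed")
```

Run it as-is and the constructed response passes; change `EXPECTED["audience"]` or move `now` past `NotOnOrAfter` to see the corresponding problem reported, which is the kind of mismatch you get when a profile value does not line up with what Office365 expects.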
In the second step we create the Microsoft Office365 SaaS application. Go to NetScaler Gateway -> Resources -> Bookmarks. After you hit Add you have to enter a Name and a Display Name. Under Bookmark you enter the Microsoft Office365 login page; I use https://portal.office.com here. Select SaaS as the Application Type and SAML Based Authentication as the SSO Type. Under SAML SSO Profile select the SAML SSO profile you created a few moments ago.
To finish the configuration you only have to bind the newly created bookmark to your Citrix NetScaler Unified Gateway. You do this on your Unified Gateway vServer under Published Applications -> URL.
If you open your Unified Gateway and log in, you should see the Office365 SaaS application. As soon as you start the application, you will see your Office365 landing page without entering any credentials.