Unified Gateway

SSO to Office365 with NetScaler Unified Gateway

How-to configure SSO to Microsoft Office365 with Citrix NetScaler Unified Gateway

In this Blogpost I want to show you how-to configure Office365 as a SaaS Application in a Citrix NetScaler Unified Gateway. We will also make use of a SAML Based Authentication to realize a Single Sign-On experience. To get this working it is necessary that your Office365 Account is configured as a SAML Service Provider. I blogged about how to do this here, so I will move directly to the interesting part. :)

We start by creating the needed SAML SSO Profile. Go to NetScaler Gateway -> Policies -> Traffic and switch to the last Tab which is called SAML SSO Profiles. You will see that this SAML SSO Profile looks like your SAML IdP Profile except one small difference. The Relay State Expression. As Ingmar Verheij already explained in his Blog about SSO to Sharefile with Unified Gateway it doesn´t matter which  expression you are working with as long as it has a correct syntax. The rest of those Values should match your SAML IdP Policy or at least work with your Office365 configuration. My SAML SSO Profile does contain this values:

  • Assertion Consumer Service Url: https://login.microsoftonline.com/login.srf
  • Relay State Expression: HTTP.REQ.COOKIE
  • Signing Certificate Name: Select your Certificate which you are using to sign the SAML Responses/Requests.
  • Issuer Name: Your external URL of your Unified Gateway https://gateway.domain.com/saml/login
  • Audience: urn:federation:MicrosoftOnline
  • And make sure you set the Attribute1 Value to mail.

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

In the second Step we will create the Microsoft Office365 SaaS Application. Go to NetScaler Gateway ->Resources -> Bookmarks. After you hit Add you have to enter a Name and Display Name. Under Bookmark you have to enter the Microsoft Office365 Login Page. I do work here with https://portal.office.com. Select SaaS as the Application Type and select SAML Based Authentication as the SSO Type. Under SAML SSO Profile you have to select your SAML SSO Profile which you created a few moments ago.

SSO Office365 NetScaler Unified Gateway

To finish the configuration you only have to bind the newly created Bookmark to your Citrix NetScaler Unified Gateway. You will do this in your Unified Gateway vServer under Published Applications->URL

SSO Office365 NetScaler Unified Gateway

SSO Office365 NetScaler Unified Gateway

If you open your Unified Gateway and login you should the Office365 SaaS Application. As soon as you start the Application, you will see your Office356 Landingpage without entering any Credentials.

SSO Office365 NetScaler Unified Gateway

 

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

NetScaler as a SAML IdP for Office 365

How-to configure Citrix NetScaler as a SAML Identity Provider for Microsoft Office 365

Since I got some spare time I thought it would be cool to upgrade my Lab Environment and add the SAML Identity Provider Role to my Citrix NetScaler so that my Microsoft Office365 Account would be able to authenticate against the Citrix NetScaler IdP.

Before we start this little how-to, I assume that you already got a Citrix NetScaler up and running. The same goes for your Microsoft Office365 Account and the sync of your Users between your On-Premise Active Directory and the Azure Active Directory. DirSync and Azure AD Connect are both fine. You will need a Citrix NetScaler AAA vServer or a Citrix NetScaler Gateway vServer which is public available through SSL and a SSL Certificate which is trusted by a public CA. Additional you need another SSL Certificate which will be used to sign the SAML Tokens. This Certificate can be self signed or you can use the same public Certificate which is used for the AAA / Gateway vServer. It´s up to you.

Let´s start with the Citrix NetScaler Part. First we create a AAA or Gateway vServer. Make it public available and bind the public SSL Certificate to the vServer. Because I’m quite limited on public IPs and it´s not possible to bind more than one VPN Server to a Content Switch, I am “forced” to use my NetScaler Unified Gateway.

We have to create an LDAP Server and an LDAP Policy. The important part here is that you have to set a Value for Attribute 1. With this setting the Mail Address will be extracted from LDAP Request, which is needed by Microsoft Office 365. My LDAP Server looks like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365

You also have to create a LDAP Policy and bind the created LDAP Server to it. Nothing fancy here :)

NetScaler as an SAML IdP for Office 365

In the next step we will create the SAML IdP Profile. Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Polices -> SAML IdP and switch to the Profiles Tab. You need to create a Profile like this:

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

The complete URL within Assertion Consumer Service URL is https://login.microsoftonline.com/login.srf. In the IDP Certificate Name you will have to choose your SSL Certificate with which you will sign your SAML Tokens. Make sure the Private Key for this Certificate is present on the NetScaler! The Issuer Name should represent the Public URL of your AAA / Gateway Server. https://aaa.fqdn.com/saml/ replace aaa.fqdn.com with your public AAA / Gateway vServer. The other Values should match the Screenshots.

Of course we have to create the corresponding Policy.

NetScaler as an SAML IdP for Office 365

Because it´s possible to bind multiple SAML IdP Policies to one AAA / Gateway Server which most certainly have different settings, I do check the Referer if it matches the Microsoft Login Page. This way you are able to create different SAML Identity Provider for different Service Providers with only one AAA / Gateway. To end the NetScaler Configuration Part it is necessary to bind the LDAP Policy and the SAML IdP Policy to our vServer. Make sure the SAML IdP Policy has the lower Priority. Your AAA / Gateway vServer should look something like this:

NetScaler as an SAML IdP for Office 365

NetScaler as an SAML IdP for Office 365NetScaler as an SAML IdP for Office 365

We will now switch to the Microsoft Office365 Part. You need to open the Windows Azure Active Directory Modul for Windows Powershell. Connect to your Azure AD using the command Connect-MsolService. In Case your Domain is already Federated to have to undo this. You do this by set the Authentication back to Managed Set-MsolDomainAuthentication -DomainName domain.com -Authentication Managed. After that it is possible to Convert the Domain back to Standard with the following command Convert-MSOLDomainToStandard –DomainName domain.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt. For more Information please read this Microsoft Documentation

We will set a few variables in the Powershell Session:

  • $url = “https://aaa.fqdn.com/saml/login”
  • $uri = “https://aaa.fqdn.com /saml/login”
  • $ecpUrl = “https:// aaa.fqdn.com /saml/login”
  • $dom = “fqdn.com”
  • $fedBrandName = “Company Name”
  • $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\pathtocertificate\certificate.cer”) $certData = [system.convert]::tobase64string($cert.rawdata)

You will have to replace aaa.fqdn.com with the URL of you AAA / Gateway vServer. Now you have to run the following command to switch your Domain to use your SAML IdP                                   Set-MsolDomainAuthentication -DomainName $dom -federationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $url –PreferredAuthenticationProtocol SAMLP

After a few Moments the changes should have been applied and Microsoft Online will redirect you to your AAA / Gateway vServer for Authentication :)

 

Some Tips and Resources:

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode

Step By Step Guide to Single Sign-On to Storefront in Clientless Access Mode

While playing in my Lab with the Citrix NetScaler Unified Gateway I encountered the following problem. Within Clientless Access mode I could not access the Storefront Server. To be honest it wasn’t working at all.
Google Chrome showed me the following screen

NetScaler Gateway Frame Error

While the Internet Explorer gave me at least an error.

NetScaler Gateway Frame Error

Since the ICA Proxy Mode worked very well I started digging :)  Thanks to Maik Steppeler from Citrix who helped with the last missing piece of this jigsaw! I assume you have the NetScaler Gateway & the Storefront up and running. I assume also that you have everything configured till a point where “it should be working” 😉 If not please ping me.

At first we start on the Storefront Server(s). We navigate to the web.config file within your Webstore Folder. Something like this C:\inetpub\wwwroot\Citrix\YourStoreWeb.

You will find the followings entry three times:

<add name=”X-Frame-Options” value=”deny” />
<add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” />

If you are only using the Internet Explorer you have to change the Value within “<add name=”X-Frame-Options” value=”deny” />” from deny to allow. If you and your user are also using Chrome or FireFox you will also have to change <add name=”Content-Security-Policy” value=”frame-ancestors ‘none'” /> from none to self.

After editing it should look like this:

Storefront web.config Fix Frame Error

Now restart you IIS. Also make sure you enabled Remote Access in your Storefront Store.

Storefront Remote Access

We are now switching to the NetScaler. Within the NetScaler change to your Session Profile and enable “Single Sign-on to Web Applications” if this is not already enabled.

NetScaler Signle Sign-on to Web Applications

Go back to the Global Settings of the NetScaler Gateway and go to “Configure Domains for Clientless Access”

NetScaler Gateway Global Options

And under “Allow Domains” add your local Domain.

NetScaler Gateway Allow Domains Clientless Access

That’s it! If you now login and change to your Application section you will see your Applications published through Storefont without providing additional credentials!

Single Sign-On to Storefront in Clientless Access Mode

 

About Jens

My name is Jens Trendelkamp. I currently work as an IT Consultant at sepago GmbH. My fields of specialty are Application Delivery, SBC\VDI Solutions and Enterprise Mobility based on Products from Microsoft and Citrix.

By continuing to use the site, you agree to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close