SSO Office 365 StyleBook
Microsoft™ Office 365 is a suite of cloud-based productivity and collaboration applications provided by Microsoft on a subscription basis. It includes Microsoft’s popular server-based applications such as Exchange, SharePoint, Office, and Skype for Business. Single Sign-On (SSO) enables users to access all their enterprise cloud applications:
- Administrators can sign in to the admin console
- Users sign on once for all Microsoft Office 365 services using their enterprise credentials.
The SSO Office 365 StyleBook allows you to enable SSO for Microsoft Office 365 through Citrix ADC instances. You can now configure SAML authentication with Citrix ADC as the SAML Identity Provider (IdP) and Microsoft Office 365 as the SAML service provider.
Enabling SSO for Microsoft Office 365 in a Citrix ADC instance using this StyleBook involves the following steps:
- Configuring the authentication virtual server
- Configuring a SAML IdP policy and profile
- Binding the policy and profile to the authentication virtual server
- Configuring an LDAP authentication server and policy on the instance
- Binding the LDAP authentication server and policy to your authentication virtual server configured on the instance.
The following table lists the minimum software versions required for this integration to work. Higher versions of the same products are also supported.

| Product | Minimum Required Version |
|---|---|
| Citrix ADC | 11.0, Advanced/Premium License |
The following instructions assume that you have already created the appropriate external and internal DNS entries. These entries are essential to route authentication requests to a Citrix ADC-monitored IP address.
The following instructions assist you in implementing the SSO Office 365 StyleBook in your business network.
To deploy SSO Microsoft Office 365 StyleBook
- In Citrix ADM, navigate to Applications > Configuration > StyleBooks. The StyleBooks page displays all the StyleBooks available for your use in Citrix ADM. Scroll down and find SSO Office 365 StyleBook. Click Create Configuration.
- The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.
- Enter values for the following parameters:
Application Name. Name of the SSO Microsoft Office 365 configuration to deploy in your network.
Authentication Virtual IP address. Virtual IP address to be used by the Citrix ADC AAA virtual server to which the Microsoft Office 365 SAML IdP policy is bound.
In the SSL Certificates Settings section, enter the names of the SSL certificate and the certificate key.
Note
This is not the Office 365 service provider certificate. This SSL certificate is bound to the virtual authentication server on the Citrix ADC instance.
Select the respective files from your local storage folder. You can also type in the private key password to load encrypted private keys in PEM format.
You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.
Optionally, you can select the SSL CA Certificate for the authentication virtual IP check box if the SSL certificate requires a CA public certificate to be installed on Citrix ADC. Make sure you choose “Is a CA Certificate” in the Advanced Certificate Settings section above.
In the LDAP Settings for SSO Office 365 section, enter the following details to authenticate Office 365 users. To allow domain users to log on to the Citrix ADC instance by using their corporate email addresses, configure the following:
LDAP (Active Directory) Base. Enter the base domain name for the domain in which the user accounts reside within the Active Directory (AD) to allow authentication. For example,
dc=netscaler,dc=com
LDAP (Active Directory) Bind DN. Add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. For example,
cn=Manager,dc=netscaler,dc=com
LDAP (Active Directory) Bind DN Password. Enter the password of the domain account for authentication.
A few other fields that you need to enter in this section are as follows:
LDAP server IP Address that Citrix ADC connects to for authenticating users.
LDAP server’s FQDN.
Note
You must specify at least one of these two: the LDAP server IP address or the FQDN.
LDAP server port that Citrix ADC connects to for authenticating users (default is 389). LDAPS uses 636.
LDAP host name. The host name is used to validate the LDAP Certificate if validation is turned on (by default, it is turned off).
LDAP login name attribute. The default attribute used to extract login names is “sAMAccountName.”
Other optional miscellaneous LDAP settings.
In the SAML IdP Certificate section, you can specify the details of the SSL certificates used for SAML assertion.
Certificate Name. Enter the name of the SSL certificate.
Certificate File. Choose the SSL certificate file from the directory on your local system.
CertKey Format. Select the format of the certificate and the private-key files from the drop-down list box. The formats supported are .pem and .der extensions.
Certificate Key Name. Enter the name of the certificate private key.
Certificate Key File. Select the file containing the private key of the certificate from your local system.
Private Key Password. Type in the passphrase that protects your private key file.
You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.
Optionally, you can select SAML IdP CA Certificate if the SAML IdP certificate entered above requires a CA public certificate to be installed on Citrix ADC. Make sure you select “Is a CA Certificate” in the Advanced Certificate Settings section above.
In the SAML SP Certificate section, enter the following details for the Office 365 SSL public certificate. This certificate is used by the Citrix ADC instance to verify incoming SAML authentication requests.
Certificate Name. Type the name of the SSL certificate.
Certificate File. Choose the SSL certificate file from the directory on your local system.
CertKey Format. Select the format of the certificate and the private-key files from the drop-down list box. The formats supported are .pem and .der extensions.
You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.
The SAML IdP Settings section allows you to configure your Citrix ADC instance as a SAML identity provider by creating the SAML IdP profile and policy that is used by the Citrix ADC AAA virtual server created in step 3.
SAML Issuer Name. In this field, type the public FQDN of your authentication virtual server. Example:
https://<Citrix ADC_VIP_Address>/saml/login
Name Identifier Expression. Type in the Citrix ADC expression that is evaluated to extract the SAML NameIdentifier sent in the SAML assertion. Example:
"HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE"
Signature algorithm. Select the algorithm used to sign and verify SAML requests and responses (default is “RSA-SHA256”).
Digest Method. Select the digest (hash) method for SAML requests and responses (default is “SHA256”).
Audience name. Type in the entity name or URL that represents the service provider (Microsoft Office 365).
SAML Service Provider (SP) ID (optional). The Citrix ADC identity provider accepts SAML authentication requests from an issuer name that matches this ID.
Assertion Consumer Service URL. Enter the service provider’s URL to which the Citrix ADC identity provider sends the SAML assertions after successful user authentication. The SAML flow can be initiated at the identity provider (IdP-initiated) or at the service provider (SP-initiated).
There are other optional fields that you can enter in this section. For example, you can set the following options:
SAML attribute name. Name of user attribute sent in SAML Assertion.
SAML attribute friendly name. Friendly Name of the user attribute sent in SAML Assertion.
PI expression for SAML attribute. By default, the following Citrix ADC Policy (PI) expression is used: HTTP.REQ.USER.ATTRIBUTE(1). This field specifies the first user attribute sent from the LDAP server (mail) as the SAML authentication attribute.
Select the format of the user attribute.
These values are included in the issued SAML Assertion.
Tip
Citrix recommends that you retain the default settings, as these settings have been tested to support Microsoft Office 365 apps.
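As an added illustration (not code from the StyleBook or from Citrix), the following Python shows the checks an IdP applies to an inbound SAML AuthnRequest against the SP ID, Assertion Consumer Service URL and signature algorithm configured in this section, and the NameID extraction that the HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE expression describes. The SP entity ID, ACS URL, algorithm URIs and the sample requests are assumed example values.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces for SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Stand-ins for the StyleBook's SAML IdP Settings (assumed example values, not from the page).
IDP_SETTINGS = {
    "service_provider_id": "urn:federation:MicrosoftOnline",              # SAML Service Provider (SP) ID
    "acs_url": "https://login.microsoftonline.com/login.srf",             # Assertion Consumer Service URL
    "signature_alg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",  # Signature algorithm RSA-SHA256
}

def check_authn_request(xml_text: str, settings: dict) -> list:
    """Return the reasons to reject an inbound AuthnRequest; an empty list means accept."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ["not a samlp:AuthnRequest"]
    problems = []
    # The IdP only serves requests whose Issuer matches the configured SP ID.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != settings["service_provider_id"]:
        problems.append(f"issuer {issuer!r} does not match configured SP ID")
    # A requested ACS URL must equal the configured one, so assertions never go elsewhere.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != settings["acs_url"]:
        problems.append(f"ACS URL {acs!r} differs from configured value")
    # Signed requests must use the configured signature algorithm (no downgrade to SHA-1).
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is not None and method.get("Algorithm") != settings["signature_alg"]:
        problems.append(f"signature algorithm {method.get('Algorithm')!r} not allowed")
    return problems

def name_id_from_attributes(user_attributes: list, index: int = 2) -> str:
    """Mirror of HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE: base64 of the n-th (1-based) LDAP attribute."""
    return base64.b64encode(user_attributes[index - 1].encode()).decode()

def _request(issuer: str, acs: str, sig_alg: str) -> str:
    # Constructed sample AuthnRequest; only the SignatureMethod element of the signature is shown.
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_req1" Version="2.0" AssertionConsumerServiceURL="{acs}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""

GOOD_REQUEST = _request(IDP_SETTINGS["service_provider_id"], IDP_SETTINGS["acs_url"], IDP_SETTINGS["signature_alg"])
ROGUE_REQUEST = _request("urn:example:other-sp", "https://other.example/acs", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
```

Running `check_authn_request(ROGUE_REQUEST, IDP_SETTINGS)` yields three rejection reasons, while the request matching the configured settings is accepted with an empty list.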
Click Target Instances and select the Citrix ADC instance(s) on which to deploy this Microsoft Office 365 SSO configuration. Click Create to create the configuration and deploy the configuration on the selected Citrix ADC instance(s).
Tip
Citrix recommends that before running the actual configuration, you select Dry Run to view the configuration objects that are created on the target Citrix ADC instances by the StyleBook.