Connect Google as an identity provider to Citrix Cloud

July 1, 2022 Contributed by:  J


Citrix Cloud supports using Google as an identity provider to authenticate subscribers signing in to their workspaces. By connecting your organization’s Google account to Citrix Cloud, you can provide a unified sign-in experience for accessing Citrix Workspace and Google resources.

Note:

Google authentication is available as a preview. Citrix recommends using preview features only in non-production environments.


Requirements for domain-joined and non-domain-joined configuration

You can configure Google as an identity provider in Citrix Cloud using a machine that’s domain-joined or non-domain-joined.

  • Domain-joined means machines are joined to a domain in your on-premises Active Directory (AD) and authentication uses the user profiles that are stored there.
  • Non-domain-joined means machines aren’t joined to an AD domain and authentication uses the user profiles that are stored in your Google Workspace directory (also known as Google-native users).

The following table lists the requirements for each configuration type.

| Requirement | Domain-joined | Non-domain-joined | More information |
|---|---|---|---|
| On-premises AD | Yes | No | See Prepare Active Directory and Citrix Cloud Connectors in this article. |
| Citrix Cloud Connectors deployed in your resource location | Yes | No; Cloud Connectors aren’t needed to access non-domain-joined machines. | See Prepare Active Directory and Citrix Cloud Connectors in this article. |
| AD synchronization with Google Cloud | Optional only if using Gateway service or Microapps and no other services. Otherwise, this task is required. | No | See Sync Active Directory with Google Cloud in this article. |
| Developer account with access to the Google Cloud Platform console. Used for creating a service account and key, and enabling the Admin SDK API. | Yes | Yes | See Create a service account, Create a service account key, and Configure domain-wide delegation in this article. |
| An administrator account with access to the Google Workspace Admin console. Used for configuring domain-wide delegation and a read-only API user account. | Yes | Yes | See Configure domain-wide delegation and Add a read-only API user account in this article. |


Google authentication with multiple Citrix Cloud accounts

This article describes how to connect Google as an identity provider to a single Citrix Cloud account. If you have multiple Citrix Cloud accounts, you can connect each one to the same Google Cloud account using the same service account and read-only API user account. Simply sign in to Citrix Cloud and select the appropriate customer ID from the customer picker.


Prepare Active Directory and Citrix Cloud Connectors

If you are using a domain-joined machine to configure Google authentication, use this section to prepare your on-premises AD. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.

You need at least two (2) servers in your Active Directory domain on which to install the Citrix Cloud Connector software. Cloud Connectors are required for enabling communication between Citrix Cloud and your resource location. At least two Cloud Connectors are required to ensure a highly available connection with Citrix Cloud. These servers must meet the following requirements:

  • Meets the requirements described in Cloud Connector Technical Details.
  • Does not have any other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
  • Joined to your Active Directory (AD) domain. If your workspace resources and users reside in multiple domains, you must install at least two Cloud Connectors in each domain. For more information, see Deployment scenarios for Cloud Connectors in Active Directory.
  • Connected to a network that can contact the resources that users access through Citrix Workspace.
  • Connected to the Internet. For more information, see System and Connectivity Requirements.

For more information about installing Cloud Connectors, see Cloud Connector Installation.


Sync Active Directory with Google Cloud

If you are using a domain-joined machine to configure Google authentication, use this section to synchronize your on-premises AD with Google Cloud. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.

Synchronizing your AD with Google is optional if you are using only Citrix Gateway service or Microapps, with no other services enabled. For these services alone, you can use Google-native users without needing to synchronize with your AD.

If you are using other Citrix Cloud services, synchronizing your AD with Google is required. Google Cloud must pass the following AD user attributes to Citrix Cloud:

  • Security Identifier (SID)
  • objectGUID
  • userPrincipalName (UPN)

To sync your AD with Google Cloud

  1. Download and install the Google Cloud Directory Sync utility from the Google web site. For more information about this utility, see the Google Cloud Directory Sync documentation on the Google web site.
  2. After installing the utility, launch the Configuration Manager (Start > Configuration Manager).
  3. Specify the Google domain settings and LDAP settings as described in Set up your sync with Configuration Manager in the utility documentation.
  4. In General Settings, select Custom Schemas. Leave the default selections unchanged.
  5. Configure a custom schema to apply to all user accounts. Enter the required information using the exact casing and spelling specified in this section.
    1. Select the Custom Schemas tab and then select Add Schema.
    2. Select Use rules defined in “User Accounts”.
    3. In Schema Name, enter citrix-schema.
    4. Select Add Field and then enter the following information:
      • Under Schema field template, in Schema Field, select userPrincipalName.
      • Under Google field details, in Field Name, enter UPN.
    5. Repeat Step 4 to create the following fields:
      • objectGUID: Under Schema field template, select objectGUID. Under Google field details, enter objectGUID.
      • SID: Under Schema field template, select Custom. Under Google field details, enter SID.
      • objectSID: Under Schema field template, select Custom. Under Google field details, enter objectSID.
    6. Select OK to save your entries.
  6. Finish configuring any remaining settings for your organization and verify synchronization settings as described in Set up your sync with Configuration Manager in the utility documentation.
  7. Select Sync & apply changes to synchronize your Active Directory with your Google account.

After the sync finishes, the User Information section in Google Cloud displays users’ Active Directory information.
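The three attributes above arrive in Google as custom-schema fields, and the values GCDS carries are the textual forms of what AD stores in binary (objectSid and objectGUID are byte arrays in LDAP). The following added example, which is not part of Citrix's documentation or of the GCDS tool, decodes those raw attribute values the way AD tools display them and assembles the four citrix-schema fields named above (UPN, objectGUID, SID, objectSID), so you can compare what a synced user should show against what Google Cloud displays. The sample SID, GUID and UPN are constructed values; the schema field names come from the procedure above.

```python
import struct
import uuid


def sid_to_string(raw: bytes) -> str:
    """Decode a binary AD objectSid into its textual S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count * 4-byte
    little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID is too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_to_string(raw: bytes) -> str:
    """Decode a 16-byte objectGUID as AD displays it (mixed-endian layout)."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def check_upn(upn: str, expected_domain: str) -> str:
    """Ensure the UPN is well formed and belongs to the domain being synced."""
    local, sep, domain = upn.partition("@")
    if not sep or not local or domain.lower() != expected_domain.lower():
        raise ValueError("UPN %r is not in domain %s" % (upn, expected_domain))
    return upn


def citrix_schema_fields(raw_sid: bytes, raw_guid: bytes, upn: str, google_domain: str) -> dict:
    """Build the citrix-schema custom fields for one user, as the sync should carry them."""
    sid = sid_to_string(raw_sid)
    return {
        "UPN": check_upn(upn, google_domain),
        "objectGUID": guid_to_string(raw_guid),
        "SID": sid,        # the page's custom SID field
        "objectSID": sid,  # same value under the objectSID field name
    }


# Constructed sample values (not from any real directory):
# SID S-1-5-21-1004336348-1177238915-682003330-1104, encoded as AD stores it.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1104
)
# objectGUID 12345678-9abc-def0-1234-56789abcdef0 in AD's byte order.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0").bytes_le
SAMPLE_UPN = "jdoe@example.com"

if __name__ == "__main__":
    for name, value in citrix_schema_fields(SAMPLE_SID, SAMPLE_GUID, SAMPLE_UPN, "example.com").items():
        print("%-11s %s" % (name, value))
```

Run it against values exported from your own directory (for example the objectSid and objectGUID bytes returned by an LDAP query) to confirm the SID string Google shows for a user matches the one AD reports; a mismatch usually means the custom schema field was typed with different casing than the page specifies.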


Create a service account

To complete this task, you need a Google Cloud Platform developer account.

  1. Sign in to https://console.cloud.google.com.
  2. From the Dashboard sidebar, select IAM & Admin and then select Service Accounts.
  3. Select Create service account.
  4. Under Service account details, enter the service account name and service account ID.
  5. Select Done.


Create a service account key

  1. On the Service Accounts page, select the service account you just created.
  2. Select the Keys tab and then select Add key > Create new key.
  3. Leave the default JSON key type option selected.
  4. Select Create. Save the key to a secure location that you can access later. You enter the private key in the Citrix Cloud console when you connect Google as an identity provider.


Configure domain-wide delegation

  1. Enable the Admin SDK API:
    1. From the Google Cloud Platform menu, select APIs & Services > Enabled APIs & services.
    2. Select Enable APIs and services near the top of the console. The API Library home page appears.
    3. Search for Admin SDK API and select it from the results list.
    4. Select Enable.
  2. Create an API client for the service account:
    1. From the Google Cloud Platform menu, select IAM & Admin > Service Accounts and then select the service account you created earlier.
    2. From the service account’s Details tab, expand Advanced settings.
    3. Under Domain-wide Delegation, copy the Client ID and then select View Google Workspace Admin Console.
    4. If applicable, select the Google Workspace administrator account you want to use. The Google Admin console appears.
    5. From the Google Admin sidebar, select Security > Access and data control > API controls.
    6. Under Domain wide delegation, click Manage Domain Wide Delegation.
    7. Select Add new.
    8. In Client ID, paste the client ID for the service account that you copied in Step 3.
    9. In OAuth scopes, enter the following scopes in a single comma-delimited line:

      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly
    10. Select Authorize.


Add a read-only API user account

In this task, you create a Google Workspace user account that has read-only API access for Citrix Cloud. This account is not used for any other purpose and has no other privileges.

  1. From the Google Admin menu, select Directory > Users.
  2. Select Add new user and enter the appropriate user information.
  3. Select Add new user to save the account information.
  4. Create a custom role for the read-only user account:
    1. From the Google Admin menu, select Account > Admin roles.
    2. Select Create new role.
    3. Enter a name for the new role. Example: API-ReadOnly
    4. Select Continue.
    5. Under Admin API privileges, select the following privileges:
      • Users > Read
      • Groups > Read
      • Domain Management
    6. Select Continue and then select Create role.
  5. Assign the custom role to the read-only user account you created earlier:
    1. From the custom role details page, in the Admins pane, select Assign users.
    2. Start typing the name of the read-only user account and select it from the user list.
    3. Select Assign role.
    4. To verify the role assignment, return to the Users page (Directory > Users) and select the read-only user account. The custom role assignment is displayed under Admin roles and privileges.


Connect Google to Citrix Cloud

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. Locate Google and select Connect from the ellipsis menu.
  4. Select Import File and then select the JSON file you saved when you created the key for the service account. This action imports your private key and the email address for the Google Cloud service account that you created.
  5. In Impersonated User, enter the name of the read-only API user account.
  6. Select Next. Citrix Cloud verifies your Google account details and tests the connection.
  7. Review the associated domains that are listed. If they’re correct, select Confirm to save your configuration.
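The pieces configured in Create a service account key, Configure domain-wide delegation, Add a read-only API user account and this section fit together as one delegated OAuth flow: the service account's private key signs a token request in which the account (iss) acts as the read-only user (sub) for exactly the three read-only Admin SDK scopes. The following added example, which is not Citrix's or Google's code, performs the checks a practitioner would want before importing the key: it validates the downloaded JSON key's shape, confirms the client ID in the key is the one pasted into the Admin console, produces the exact comma-delimited scope line for the delegation step, flags any scope granted beyond the read-only set, and shows the claim set the service-account flow signs (signing itself needs an RSA library and is omitted). The key file content and user names are constructed placeholders; the scope URLs are the ones from the procedure above.

```python
import json
import time

# The three read-only Admin SDK scopes authorized in the delegation step.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
)

# Fields every Google service-account JSON key carries.
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def load_service_account_key(text: str) -> dict:
    """Parse the downloaded key file and reject anything that is not a usable service-account key."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing fields: %s" % ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("expected a service_account key, got %r" % key["type"])
    if "BEGIN PRIVATE KEY" not in key["private_key"]:
        raise ValueError("private_key is not a PEM private key")
    return key


def client_id_matches(key: dict, pasted_client_id: str) -> bool:
    """Confirm the Client ID entered in the Google Admin console belongs to this key's account."""
    return key["client_id"] == pasted_client_id.strip()


def delegation_scope_line(scopes=REQUIRED_SCOPES) -> str:
    """The single comma-delimited line the delegation dialog expects."""
    return ",".join(scopes)


def audit_granted_scopes(granted) -> dict:
    """Compare scopes actually granted to the client against the read-only set.

    'extra' lists anything beyond read-only (over-privilege); 'missing' lists
    read-only scopes the connection still needs.
    """
    granted = set(granted)
    required = set(REQUIRED_SCOPES)
    return {"extra": sorted(granted - required), "missing": sorted(required - granted)}


def delegated_jwt_claims(key: dict, impersonated_user: str, scopes=REQUIRED_SCOPES, now=None) -> dict:
    """Claim set of the signed assertion used to obtain an access token as the impersonated user."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],      # the service account
        "sub": impersonated_user,        # the read-only API user being impersonated
        "scope": " ".join(scopes),       # space-delimited in the assertion
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


# Constructed placeholder key file; the private key body is not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "citrix-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_IMPERSONATED_USER = "citrix-api-readonly@example.com"  # constructed

if __name__ == "__main__":
    key = load_service_account_key(SAMPLE_KEY_JSON)
    print("client ID matches:", client_id_matches(key, "000000000000000000000"))
    print("delegation scopes:", delegation_scope_line())
    print("audit:", audit_granted_scopes(REQUIRED_SCOPES))
    print(json.dumps(delegated_jwt_claims(key, SAMPLE_IMPERSONATED_USER), indent=2))
```

Re-run the audit whenever the client's scopes are edited in the Admin console; any entry under "extra" means the connection could read or write more than the read-only user role on the page grants, and any entry under "missing" explains a failed verification at the Next step above.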


Enable Google for workspace authentication

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.
  2. Select Google. When prompted, select I understand the impact on the subscriber experience and then click Save.
