Citrix Content Collaboration single sign-on configuration guide for ADFS 3 编辑

December 19, 2019 Contributed by:  C

Citrix Content Collaboration single sign-on configuration guide for ADFS 3


Prerequisites to installation

To set up Citrix Content Collaboration to authenticate with Active Directory Federated Services, you need the following:

  • Windows Server 2012 R2
  • A publicly signed SSL Certificate from a CA. Self-signed and unsigned certificates are not accepted.
  • An FQDN for your ADFS server
  • Access to an administrator account within Citrix Content Collaboration with the ability to configure single sign-on.

Note:

To provision users from your Active Directory to Citrix Content Collaboration, reference the User Management Tool installation guide.


ADFS 3.0 (Role-based install)

  1. You cannot download Microsoft Active Directory Federated Services 3.0 separately. You must use a Windows 2012 R2 server for this version.

    adfs3 image 1

  2. Install the Role-based or featured based installation. Click Next.

    adfs3 image 2

  3. Select the server for the install and click Next. Then select Active Directory Federation Services. Click Next.

    adfs3 image 3

  4. Click Next through the Server Roles, AD FS and then to the Confirmation screen. Check the box for Restart, say Yes to the next screen, and click Install.

    adfs3 image 4

  5. Once ADFS is installed, you must complete a post deployment activity if this is the first AD FS server in Active Directory. Use your own configuration information for this step.

    adfs3 image 5


Setting up ADFS 3.0

  1. In the ADFS 3.0 management console, start the Configuration Wizard.
  2. When the wizard starts, select Create a new Federation Service and click Next.

    adfs3 image 6

    adfs3 image 7

  3. Since we use a Wildcard Certificate, we must determine a Federation Service Name. If you are not using a wildcard SSL cert, you might not have to do this step. Then click Next to continue.

    adfs3 image 8

  4. Click Next to configure.

    adfs3 image 9

  5. Confirm that all the configurations were finished without error and click Close and exit the wizard.

    adfs3 image 10

    adfs3 image 11

  6. Expand the Service node in the Management Console. Select the Token Signing certificate and click View Certificate in the right-hand column.

    adfs3 image 12

  7. In the Certificate window, select the Details tab and then click Copy to File.

    adfs3 image 13

  8. Click Next to continue.

    adfs3 image 14

  9. Select Base-64 encoded X.509 (.CER) as the export format for the certificate, then click Next.

    adfs3 image 15

  10. Save the certificate file and click Next.

    adfs3 image 16

  11. Click Finish to save the file.

    adfs3 image 17

  12. Browse to the folder where you exported the certificate and open it with Notepad.

    adfs3 image 18

  13. Select all the text inside the Notepad and copy.

    adfs3 image 19

  14. Open Internet Explorer and go to your Citrix Content Collaboration account (https://<yoursubdomain>.sharefile.com). Sign in with your administrator account. Navigate to Admin Settings > Security > Login & Security Policy. Find Single sign-on / SAML 2.0 Configuration.
    • Switch Enable SAML setting to Yes.
    • ShareFile Issuer / Entity ID: https://<subdomain>.sharefile.com/saml/info
    • Your IDP Issuer / Entity ID: https://<adfs>.yourdomain.com
    • X.509 Certificate: Paste the contents of exported certificate from previous section
    • Login URL: https://<adfs>.yourdomain.com/adfs/ls

    adfs3 image 20

  15. In Optional Settings, change the following values.
    • Enable Web Authentication: Yes (Check marked)
    • SP-Initiated Auth Context: User Name and Password – Minimum

    adfs3 image 21

  16. Minimize Internet Explorer and return to the ADFS Management Console. Expand the Trust Relationships node and select Relying Party Trusts. Then click Add Relying Party Trust… from the right-hand side of the console. This launches the Add Relying Trust Wizard.

    adfs3 image 22

  17. Click Start to begin specifying a Relying Party Trust.

    adfs3 image 23

  18. Retrieving the metadata from the SAML site can configure the trust automatically for you. Use https://<yoursubdomain>.sharefile.com/saml/metadata as the federation metadata address (host name or URL). Click Next.

    adfs3 image 24

  19. Specify a Display Name. Typically you keep this as <yoursubdomain>.sharefile.com, so you can identify the different trusts from each other.

    adfs3 image 25

    adfs3 image 26

  20. Permit all users to access this relying party. Click Next.

    adfs3 image 27

  21. Verify that the information is correct and click Next.

    adfs3 image 28

  22. Verify that the check box for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is checked. Then click Close.

    adfs3 image 29

  23. On the Issuance Transform Rules tab, click Add Rule.

    adfs3 image 30

  24. The first rule is to Send LDAP Attributes as Claims.

    adfs3 image 31

  25. Users in the Citrix Content Collaboration platform are identified by their email address. We send the claim as a UPN. Give a descriptive Claim rule name, such as E-mail Address to E-mail Address. Select Active Directory as the attribute store. Finally, select E-Mail Address as the LDAP attribute and E-mail Address as the Outgoing Claim Type. Click Finish.

    adfs3 image 32

  26. Create a second rule. This rule is used to Transform an Incoming Claim. Click Next.

    adfs3 image 33

  27. The incoming claim type transforms the incoming email address to an outgoing Name ID claim type in the email format. Give a descriptive name, such as Named ID to E-Mail Address. The Incoming claim type is Email Address, the Outgoing claim type Name ID. The Outgoing name format is Email. Click Finish.

    adfs3 image 34

  28. Verify that the claims are correct, then click OK.

    adfs3 image 35

  29. Switch to any web browser and navigate to https://<yoursubdomain>.sharefile.com/saml/login. You are redirected to your ADFS services. If your sign-in email is linked to a user on AD, then you are able to authenticate with your AD credentials.

    adfs3 image 36

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:69 次

字数:12642

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文