Configure O365

Prerequisites

To configure O365 apps in the Citrix Workspace app, make sure to complete the following:

  • If you have a primary domain available in Azure AD that is not federated with other services, you can use that domain to federate to Citrix Secure Private Access. Ensure that neither this domain, its parent domain, nor any child domain of it is already federated, and that its parent domain is not already added in the Azure Active Directory (AAD).

    For example, if your users log in as user1@demo.citrix.com, then demo.citrix.com is the primary domain, citrix.com is the parent domain, and us.demo.citrix.com is a child domain.

  • If you cannot federate the primary domain, add a new domain to Azure AD and federate it to Citrix Secure Private Access. Create the domain and complete the verification. For details, see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain.

    OR

    You can add a subdomain to Azure AD that can be leveraged to federate to Citrix Secure Private Access for SSO. For that, you must add and promote the subdomain to a root domain. For details, see https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-verify-custom-subdomain.

    Note: You might need to use Azure AD Graph Explorer instead of Microsoft Graph Explorer for the POST request to change a subdomain to a root domain.

    For details on why you need a federated domain, see How domain federation works.

  • Confirm that the new domain or the subdomain that you have added is in the “Verified” state in the Azure AD.

  • Set up a trust between your SAML identity provider and Azure AD. To set up a trust, you must have a domain that is verified in AAD. When a federation is configured in AAD using a domain, AAD trusts the SAML provider for user authentication to AAD, even if the user is from a different domain than the federated domain. In the SP initiated flow, AAD must identify which IdP to use for authentication (that is, accelerate the user to the federated IdP); the IdP is identified using the whr query parameter or domain_hint passed in the URL. For details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal.

    Adding a federation for a new domain does not impact an existing federation that you have in your setup. If you already have ADFS federated to a domain, it is not impacted, because you are federating on a different domain that is neither a subdomain nor a parent domain of an already federated domain.

    SSO can have the following two flows:

    IDP initiated flow: Typically used when you want to log in to the Azure AD portal. The Citrix Secure Private Access service posts the SAML assertion to the Azure AD (AAD). AAD validates it based on the federation setting that we did earlier. If the validation passes, it extracts the nameid attribute of SAML. The nameid attribute must match immutableId of the user which is present in the AAD.

    SP initiated flow: Typically used when you want to land on the app directly instead of the AAD portal. In this flow, the Citrix Secure Private Access service loads the URL that is configured in the app settings. The URL goes to AAD and, because the URL carries an indication of the federated domain, the user is redirected to the Citrix Secure Private Access service with a SAML request and a relay state. The Citrix Secure Private Access service posts the SAML assertion to AAD with the same relay state that came in the request. Once the SAML assertion is validated, AAD redirects the user to the context in the relay state, so the user lands on the app directly.

  • Configure the O365 app in the Citrix Secure Private Access service. For details see Support for Software as a Service apps.
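The domain rules in the first prerequisite can be checked mechanically before you run any federation command. The following is an added example (not Citrix or Microsoft code) that encodes those rules against a constructed tenant state; the tenant dictionary and its domain names are sample data.

```python
"""Decide whether a domain may be federated to Citrix Secure Private Access.

Rules encoded (from the prerequisites above): the candidate must be added and
Verified in Azure AD, must not already be federated, no child domain of it may
already be federated, and its parent domain must not already be added at all.
"""

# Constructed sample tenant: domain name -> (verified, federated)
SAMPLE_TENANT = {
    "demo.citrix.com": (True, False),   # verified, not federated yet
    "corp.example": (True, True),       # already federated (for example to ADFS)
}


def _labels(domain):
    """Split a domain into its lower-cased labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def is_parent(parent, child):
    """True if `parent` is a strict ancestor of `child` (citrix.com of demo.citrix.com)."""
    p, c = _labels(parent), _labels(child)
    return len(p) < len(c) and c[-len(p):] == p


def federation_blockers(candidate, tenant):
    """Return the reasons `candidate` cannot be federated; an empty list means it is eligible."""
    cand = candidate.lower().rstrip(".")
    reasons = []
    state = tenant.get(cand)
    if state is None:
        reasons.append("domain is not added to Azure AD")
    elif not state[0]:
        reasons.append("domain is not in the Verified state")
    elif state[1]:
        reasons.append("domain is already federated")
    for name, (_verified, federated) in tenant.items():
        if name == cand:
            continue
        if is_parent(name, cand):
            # A parent that is merely added already blocks, federated or not.
            reasons.append(f"parent domain {name} is already added to Azure AD")
        elif is_parent(cand, name) and federated:
            reasons.append(f"child domain {name} is already federated")
    return reasons
```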

How domain federation works

The following figure illustrates a typical flow involved after a domain federation is complete.

[Figure: How domain federation works]

Consider that you want to add the Office365 app into the Citrix Workspace and enable watermarking and restrict downloads. The typical flow is as follows:

  1. You launch the Office365 app in the Citrix Workspace.
  2. The request goes to the Citrix Secure Private Access service.
  3. Citrix Secure Private Access service creates the SAML assertion and forwards it to Azure AD.
  4. As the request is coming from a trusted SAML IdP, Azure AD identifies it through the domain federation that is created and passes the SAML assertion to the Office365 app.

    The Office365 app is launched.

Authentication methods supported for the Office365 app

By default, Citrix Cloud uses the Citrix identity provider to manage the identity information for all users in your Citrix Cloud account.

The Citrix Workspace supports the following authentication methods for Office365. Okta and Google IdP are not supported currently.

  • On-premises Active Directory
  • Active Directory plus Token
  • Azure Active Directory

    Note: If AAD is used to authenticate to the workspace, then you cannot federate the primary domain (the user’s login domain) because this creates a loop. In such cases, you must federate a new domain.

  • Citrix Secure Private Access
  • Active Directory plus RADIUS

For more details, see Identity and access management.

Configure the O365 app in the Secure Private Access service

The following are the high-level steps to configure the O365 app in the Secure Private Access service. For more details, see Support for Software as a Service app.

  1. Go to Secure Private Access service in Citrix Cloud.
  2. Search for Office 365 and choose template. For details, see Support for Software as a Service apps.
  3. Add the following related domains in the App details. The following is the list of O365 domains. New domains are added when available.

    • *.office.com
    • *.office365.com
    • *.sharepoint.com
    • *.live.com
    • *.onenote.com
    • *.microsoft.com
    • *.powerbi.com
    • *.dynamics.com
    • *.microsoftstream.com
    • *.powerapps.com
    • *.yammer.com
    • *.windowsazure.com
    • *.msauth.net
    • *.msauthimages.net
    • *.msocdn.com
    • *.microsoftonline.com
    • *.windows.net
    • *.microsoftonline-p.com
    • *.akamaihd.net
    • *.sharepointonline.com
    • *.officescriptsservice.com
    • *.live.net
    • *.office.net
    • *.msftauth.net
  4. Enable enhanced security controls, if needed.
  5. Configure SSO.

    Note: The only change you must do is to make sure “Name ID” is the Active Directory GUID.

  6. Ensure that advanced attributes also send IDPEmail.
    • Attribute Name: IDPEmail
    • Attribute Format: Unspecified
    • Attribute Value: Email
  7. Click SAML metadata to open in a new tab.
    • Copy “entityID”
    • Copy “Login URL”
    • Download the Certificate in CRT format
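Steps 5 and 6 require the SAML Name ID to be the Active Directory GUID (which AAD matches against the user's immutableId) and the IDPEmail attribute to be sent. The following added check (not Citrix or Microsoft code) parses an assertion and verifies both against the expected user; it assumes immutableId is the base64 encoding of the on-premises objectGUID byte array, the Azure AD Connect default. The assertion, GUID and e-mail address are constructed sample data.

```python
"""Verify NameID and IDPEmail in a SAML assertion against the expected Azure AD user."""
import base64
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def immutable_id_from_object_guid(guid_text):
    """immutableId as Azure AD Connect synchronizes it by default (assumption):
    base64 of the objectGUID bytes in .NET Guid.ToByteArray() order, which is uuid.bytes_le."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def extract_name_id_and_attrs(assertion_xml):
    """Return (NameID text or None, {attribute name: [values]}) from a saml:Assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return (name_id.text if name_id is not None else None), attrs


def check_assertion(assertion_xml, object_guid, expected_email):
    """Return a list of problems; an empty list means AAD would match this user."""
    name_id, attrs = extract_name_id_and_attrs(assertion_xml)
    expected = immutable_id_from_object_guid(object_guid)
    problems = []
    if name_id != expected:
        problems.append(f"NameID {name_id!r} does not match immutableId {expected!r}")
    emails = attrs.get("IDPEmail", [])
    if emails != [expected_email]:
        problems.append(f"IDPEmail is {emails!r}, expected [{expected_email!r}]")
    return problems


# Constructed sample: a fake objectGUID and the assertion the IdP would post for it.
SAMPLE_GUID = "12345678-9abc-def0-1234-56789abcdef0"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">eFY0Erya8N4SNFZ4mrze8A==</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user1@demo.citrix.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```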

Configure domain federation from Azure AD to Citrix Workspace

Prerequisites:

  • Enable PowerShell in Azure AD
  • Install Microsoft MSOnline module

The following are the PowerShell commands to install the required modules.

```powershell
PS> Install-Module AzureAD -Force
PS> Import-Module AzureAD -Force
PS> Install-Module MSOnline -Force
PS> Import-Module MSOnline -Force
```
