Configure O365
Prerequisites
To configure O365 apps in the Citrix Workspace app, make sure to complete the following:
If you have a primary domain available in Azure AD that is not federated with other services, you can use that domain to federate to Citrix Secure Private Access. Ensure that neither this domain nor its parent or child domain is already federated, and that its parent domain has not already been added to Azure Active Directory (AAD).
For example, if your users log in as user1@demo.citrix.com, then demo.citrix.com is the primary domain, citrix.com is the parent domain, and us.demo.citrix.com is a child domain.
If you cannot federate the primary domain, add a new domain to Azure AD and federate it to Citrix Secure Private Access. Create the domain and complete the verification. For details, see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain.
OR
You can add a subdomain to Azure AD and use it to federate to Citrix Secure Private Access for SSO. To do so, you must add the subdomain and promote it to a root domain. For details, see https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-verify-custom-subdomain.
Note: You might need to use Azure AD Graph Explorer instead of Microsoft Graph Explorer for the POST request to change a subdomain to a root domain.
For details on why you need a federated domain, see How domain federation works.
Confirm that the new domain or the subdomain that you have added is in the “Verified” state in the Azure AD.
Set up a trust between your SAML identity provider and Azure AD. To set up a trust, you must have a domain that is verified in AAD. When a federation is configured in AAD for a domain, AAD trusts the SAML provider for user authentication to AAD, even if the user belongs to a different domain than the federated domain. In the SP-initiated flow, when AAD must identify which IdP to use for authentication (to accelerate the user to the federated IdP), the IdP is identified by the `whr` query parameter or `domain_hint` passed in the URL. For details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal.
Adding a federation for a new domain does not impact an existing federation in your setup. If you already have ADFS federated to a domain, it is not impacted because you are federating a different domain that is neither a subdomain nor the parent domain of the already federated domain.
SSO can have the following two flows:
- IdP-initiated flow: Typically used when you want to log in to the Azure AD portal. The Citrix Secure Private Access service posts the SAML assertion to Azure AD (AAD). AAD validates it based on the federation setting configured earlier. If the validation passes, AAD extracts the `nameid` attribute of the SAML assertion. The `nameid` attribute must match the `immutableId` of the user that is present in AAD.
- SP-initiated flow: Typically used when you want to land on the app directly instead of the AAD portal. In this flow, the Citrix Secure Private Access service loads the URL that is configured in the app settings. The URL goes to AAD, and because the URL carries an indication of the federated domain, the user is redirected to the Citrix Secure Private Access service with a SAML request and a relay state. The Citrix Secure Private Access service posts the SAML assertion to AAD with the same relay state that came in the request. Once the SAML assertion is validated, AAD redirects the user to the context in the relay state, and the user lands on the app directly.
Configure the O365 app in the Citrix Secure Private Access service. For details, see Support for Software as a Service apps.
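The flows described above stand or fall on the `nameid` in the assertion matching the user's `immutableId` in AAD. The following PowerShell check is an added example, not code from the Citrix page. It assumes the MSOnline and ActiveDirectory (RSAT) modules are available, that the user is synchronized by Azure AD Connect with the default objectGUID source anchor (so the `immutableId` is the Base64 form of the 16 raw bytes of the on-premises objectGUID), and that the UPN is a placeholder you replace.

```powershell
# Added example (not from the Citrix page). Assumptions: MSOnline + RSAT AD modules,
# Azure AD Connect with the default objectGUID source anchor, placeholder UPN.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$upn = "user1@demo.citrix.com"   # placeholder: a synced user in the tenant

# Decode an immutableId back to a GUID for troubleshooting (inverse of what
# Azure AD Connect does when it writes the source anchor).
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "immutableId is not a 16-byte GUID: $ImmutableId" }
    return [Guid]::new($bytes)
}

# On-premises side: the objectGUID of the user.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties objectGUID
if (-not $adUser) { throw "No on-premises AD user with UPN $upn" }

# Azure AD Connect stores the anchor as Base64 of the GUID's raw bytes,
# not as the dashed GUID string, so compare in that form.
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# Cloud side: what AAD will compare the SAML nameid against.
$cloudUser = Get-MsolUser -UserPrincipalName $upn
if (-not $cloudUser.ImmutableId) {
    throw "$upn has no immutableId in AAD (cloud-only user); a federated nameid cannot match it"
}

if ($cloudUser.ImmutableId -eq $expectedImmutableId) {
    "OK: nameid for $upn must be $($cloudUser.ImmutableId) (objectGUID $($adUser.ObjectGUID))"
} else {
    "MISMATCH for $upn"
    "  expected (Base64 objectGUID): $expectedImmutableId"
    "  actual immutableId in AAD:    $($cloudUser.ImmutableId) -> GUID $(ConvertFrom-ImmutableId $cloudUser.ImmutableId)"
}
```

Run this for a test user before enabling federation: a cloud-only account, or an account whose source anchor was set from a different attribute, will fail the IdP-initiated flow with an AAD error even though the SAML assertion itself is valid.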
How domain federation works
The following figure illustrates a typical flow involved after a domain federation is complete.
Consider that you want to add the Office365 app to the Citrix Workspace and enable watermarking and restrict downloads. The typical flow is as follows:
- You launch the Office365 app in the Citrix Workspace.
- The request goes to the Citrix Secure Private Access service.
- The Citrix Secure Private Access service creates the SAML assertion and forwards it to Azure AD.
- As the request comes from a trusted SAML IdP, Azure AD recognizes it through the domain federation that was created, validates the assertion, and signs the user in to the Office365 app.
- The Office365 app is launched.
Authentication methods supported for the Office365 app
By default, Citrix Cloud uses the Citrix identity provider to manage the identity information for all users in your Citrix Cloud account.
The Citrix Workspace supports the following authentication methods for Office365. Okta and Google IdP are not supported currently.
- On-premises Active Directory
- Active Directory plus Token
- Azure Active Directory
Note: If AAD is used to authenticate to the workspace, you cannot federate the primary domain (the user's login domain) because this creates a loop. In such cases, you must federate a new domain.
- Citrix Secure Private Access
- Active Directory plus RADIUS
For more details, see Identity and access management.
Configure the O365 app in the Secure Private Access service
The following are the high-level steps to configure the O365 app in the Secure Private Access service. For more details, see Support for Software as a Service apps.
- Go to the Secure Private Access service in Citrix Cloud.
- Search for Office 365 and choose the template. For details, see Support for Software as a Service apps.
- Add the following related domains in the App details. The following is the list of O365 domains. New domains are added when available.
- *.office.com
- *.office365.com
- *.sharepoint.com
- *.live.com
- *.onenote.com
- *.microsoft.com
- *.powerbi.com
- *.dynamics.com
- *.microsoftstream.com
- *.powerapps.com
- *.yammer.com
- *.windowsazure.com
- *.msauth.net
- *.msauthimages.net
- *.msocdn.com
- *.microsoftonline.com
- *.windows.net
- *.microsoftonline-p.com
- *.akamaihd.net
- *.sharepointonline.com
- *.officescriptsservice.com
- *.live.net
- *.office.net
- *.msftauth.net
- Enable enhanced security controls, if needed.
- Configure SSO.
Note: The only change you must make is to ensure that “Name ID” is set to the Active Directory GUID.
- Ensure that the advanced attributes also send `IDPEmail`:
  - Attribute Name: IDPEmail
  - Attribute Format: Unspecified
  - Attribute Value: Email
- Click SAML metadata to open in a new tab.
- Copy “entityID”
- Copy “Login URL”
- Download the Certificate in CRT format
Configure domain federation from Azure AD to Citrix Workspace
Prerequisites:
- Enable PowerShell in Azure AD
- Install Microsoft MSOnline module
The following are the PowerShell commands to install the required modules.
`PS> Install-Module AzureAD -Force`
`PS> Import-Module AzureAD -Force`
`PS> Install-Module MSOnline -Force`
`PS> Import-module MSOnline -Force`
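Once the modules are installed, the federation itself is created with the values copied from the SAML metadata page in the SSO step above (entityID, Login URL, CRT certificate). The following is an added example, not code from the Citrix page: it checks the preconditions the text lists (domain Verified, not already federated, not the default login domain) and then federates the domain with `Set-MsolDomainAuthentication`. The domain name, URLs and certificate path are placeholders.

```powershell
# Added example (not from the Citrix page). Placeholders: domain name, URLs, cert path.
Import-Module MSOnline
Connect-MsolService

$domainName   = "sso.demo.citrix.com"                        # placeholder: domain added for federation
$issuerUri    = "https://idp.example.invalid/saml/metadata"   # placeholder: "entityID" from SAML metadata
$passiveLogOn = "https://idp.example.invalid/saml/login"      # placeholder: "Login URL" from SAML metadata
$logOffUri    = "https://idp.example.invalid/saml/logout"     # placeholder
$certPath     = "C:\federation\spa-signing.crt"               # placeholder: certificate downloaded in CRT format

# Precondition 1: the domain must be Verified and must not already be federated
# (Set-MsolDomainAuthentication would silently overwrite an existing federation).
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne "Verified")          { throw "$domainName is not in the Verified state" }
if ($domain.Authentication -eq "Federated") { throw "$domainName is already federated; refusing to overwrite" }

# Precondition 2: with Azure AD as the workspace IdP, the users' login domain must not be
# federated (the loop described in the page). Approximated here as the tenant default domain.
if ($domain.IsDefault) { throw "$domainName is the tenant's default domain; federate a separate domain instead" }

# The signing certificate is passed as Base64 of the DER bytes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())

Set-MsolDomainAuthentication -DomainName $domainName `
    -Authentication Federated `
    -FederationBrandName "Citrix Secure Private Access" `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveLogOn `
    -LogOffUri $logOffUri `
    -SigningCertificate $signingCert `
    -PreferredAuthenticationProtocol SAMLP

# Read back what AAD stored and confirm the trusted certificate is the one you downloaded.
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
$storedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($fed.SigningCertificate))
[pscustomobject]@{
    Domain          = $domainName
    IssuerUri       = $fed.IssuerUri
    PassiveLogOnUri = $fed.PassiveLogOnUri
    Protocol        = $fed.PreferredAuthenticationProtocol
    CertThumbprint  = $storedCert.Thumbprint
    CertNotAfter    = $storedCert.NotAfter
    ThumbprintMatch = ($storedCert.Thumbprint -eq $cert.Thumbprint)
}
```

The thumbprint comparison matters: the certificate you register here is what AAD trusts to sign assertions for any user in the tenant, not only users of the federated domain, so record the thumbprint and re-run the read-back after every certificate rotation on the Secure Private Access side.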