
Deployment Guide: Single Sign On for Office 365 with NetScaler

This deployment guide focuses on defining the process for enabling Single Sign On into Microsoft Office 365 with Citrix NetScaler.
Table of Contents

Introduction
Configuration Details
  NetScaler features to be enabled
Solution description
Part 1: Configure the NetScaler
  Configuring LDAP domain authentication
  Configure the SAML IDP Policy and Profile
  Configure your AAA Virtual Server
Part 2: Configure Office 365
  Confirm Microsoft Office 365 Portal Settings
  Signing Certificate
  Setup Federation Settings for Windows Azure AD
  Office 365 PowerShell Commands
  Revert back to Managed Authentication
  Validate the Configuration
Troubleshooting
  The NetScaler receives the authentication request from Office 365
  Messages indicating successful authentication and extraction of parameters
  Messages verifying SAML transaction and sending of SAML assertion
  SAML UserID Issues
Additional Resources
Conclusion
Introduction

Citrix NetScaler is a world-class product with the proven ability to load balance, accelerate, optimize, and secure enterprise applications.

Microsoft Office 365 is a suite of cloud-based productivity and collaboration applications provided by Microsoft on a subscription basis. It includes Microsoft’s popular server-based applications such as Exchange, SharePoint, Office and Skype for Business. The apps are widely used by SMBs and enterprise customers alike to enable their business without significant capital investments.

This guide focuses on enabling Microsoft Office 365 single sign on with Citrix NetScaler.
Configuration Details

The table below lists the minimum required software versions for this integration to work successfully. The integration process should also work with higher versions of the same.

Product   | Minimum Required Version
NetScaler | 11.0, Enterprise/Platinum License

NetScaler features to be enabled

The essential NetScaler feature that needs to be enabled is explained below.

- AAA-TM (Authentication, Authorization and Auditing – Traffic Management)

AAA-TM: The AAA feature set controls NetScaler authentication, authorization, and auditing policies. These policies include definition and management of various authentication schemas. NetScaler supports a wide range of authentication protocols and a strong, policy-driven application firewall capability.
Solution description

Enabling SSO for Office 365 with NetScaler consists of two parts – configuring the Office 365 portal and the NetScaler appliance. Office 365 should be configured to use NetScaler as a third party SAML IDP (Identity Provider). The NetScaler is configured as a SAML IDP by creating the AAA Virtual Server that will host the SAML IDP policy.

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to a NetScaler-monitored IP address, and that an SSL certificate has already been created and installed on the appliance for the SSL/HTTPS communication. This document also assumes that a Microsoft Office 365 account has been created, the relevant domain has been added and domain verification for the same has been completed.

Note: Some of the commands in this guide may have a different syntax depending on the version of NetScaler you are using or if changes are made in Microsoft Azure. Some of these discrepancies are noted; however, you may find additional differences. Additionally, it is recommended to ‘tab-complete’ PowerShell commands to ensure proper spelling and argument entry.

Part 1: Configure the NetScaler

The following configuration is required on the NetScaler appliance for it to be supported as a SAML identity provider for Microsoft Office 365:

- LDAP authentication policy and server for domain authentication
- SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)
- SAML IDP policy and profile
- AAA virtual server

This guide covers the configuration described above.
The SSL certificate and DNS configurations should be in place prior to setup.

Configuring LDAP domain authentication

For domain users to be able to log on to the NetScaler appliance by using their corporate email addresses, you must configure an LDAP authentication server and policy on the appliance and bind it to your AAA VIP address. (Use of an existing LDAP configuration is also supported.)

1. In the NetScaler configuration utility, in the navigation pane, select Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > LDAP.
2. To create a new LDAP policy: On the Policies tab click Add, and then enter Office365 LDAP SSO Policy as the name. In the Server field, click the ‘+’ icon to add a new server. The Authentication LDAP Server window appears.
3. In the Name field, enter Office365 LDAP SSO Server.
4. Select the bullet for Server IP. Enter the IP address of one of your Active Directory domain controllers. (You can also point to a virtual server IP for the purpose of redundancy if you are load balancing domain controllers.)
5. Specify the port that the NetScaler will use to communicate with the domain controller. Use 389 for LDAP or 636 for Secure LDAP (LDAPS). Leave the other settings as they are.
6. Under Connection Settings, enter the base domain name for the domain in which the user accounts reside within the Active Directory (AD) for which you want to allow authentication. The example below uses cn=Users,dc=ctxns,dc=net.
7. In the Administrator Bind DN field, add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. A service account is advisable, so that there will be no issues with logins if the account that is configured has a password expiration.
8. Check the box for Bind DN Password and enter the password twice.
9. Under Other Settings: Enter sAMAccountName as the Server Logon Name Attribute.
10. In the SSO Name Attribute field, enter UserPrincipalName. Enable the User Required and Referrals options. Leave the other settings as they are.
11. Click on More at the bottom of the screen, then add mail as Attribute 1 and objectGUID as Attribute 2 in the Attribute Fields section. Leave Nested Group Extraction in the Disabled state (we are not going to be using this option for this deployment).
12. Click the Create button to complete the LDAP server settings.
13. For the LDAP Policy Configuration, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true.
14. Click the Create button to complete the LDAP Policy and Server configuration.
Configure the SAML IDP Policy and Profile

For your users to receive the SAML token for logging on to Microsoft Office 365, you must configure a SAML IDP policy and profile, and bind them to the AAA virtual server where users’ credentials are sent. Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > SAML IDP.
2. On the Policies tab, select the Add button.
3. In the Create Authentication SAML IDP Policy window, provide a name for your policy (for example, Office365 SSO Policy).
4. To the right of the Action field, click the ‘+’ icon to add a new action or profile.
5. Provide a name (for example, Office365 SSO Profile).
6. In the Assertion Consumer Service URL field, enter https://login.microsoftonline.com/login.srf
7. Leave the SP Certificate Name blank.
8. In the IDP Certificate Name field, browse to the certificate installed on the NetScaler that will be used to secure your AAA authentication Virtual Server.
9. In the Issuer Name field enter the public FQDN of your AAA vServer: https://auth.yourCompany.com/saml/login
10. Set the Encryption Algorithm to AES256 and leave the Service Provider ID field blank.
    a. Note: The encryption field is not available in later builds of the NetScaler.
11. Set both the Signature and Digest algorithms to SHA-1.
12. Set the SAML Binding to POST.
13. Click on More, then enter urn:federation:MicrosoftOnline in the Audience field.
14. Set the Skew Time to an appropriate value. This is the time difference that will be tolerated between the NetScaler appliance and the Office 365 server for the validity of the SAML assertion.
15. Set the Name ID Format to Persistent, and enter HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE in the Name ID Expression field. This directs NetScaler to provide the SSO username attribute (UserPrincipalName) that was defined earlier during LDAP configuration as the user ID for Office 365.
16. Type IDPEmail in the Attribute1 field, then HTTP.REQ.USER.ATTRIBUTE(1) in the Attribute1 Expression field. This will provide the mail attribute from Active Directory as the email ID used by Office 365. This is useful when the email ID for a user is different from the User Principal Name. The ‘Format’ and ‘Friendly Name’ fields can be left blank.
17. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.
18. In the Expression field, add the following expression: ft”)
19. Click Create to complete the SAML IDP Configuration.
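The profile settings above decide what Office 365 receives in the assertion: the Name ID is the base64-encoded user attribute (B64ENCODE), the Audience is urn:federation:MicrosoftOnline, and the Skew Time sets how far the NotBefore/NotOnOrAfter window extends around the issue instant. The following Python is an added example, not code from this guide or from Citrix; it models those three effects so that a practitioner can decode a Name ID copied out of ns.log and check whether an assertion would still be accepted at a given moment. The NameID value and the five-minute window used in the walk-through are the ones that appear in the troubleshooting log later in this guide; the function names are this example's own.

```python
import base64
from datetime import datetime, timedelta, timezone

# Values taken from the SAML IdP profile steps above.
AUDIENCE = "urn:federation:MicrosoftOnline"
ACS_URL = "https://login.microsoftonline.com/login.srf"


def encode_name_id(upn: str) -> str:
    """What HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE produces for the Name ID: base64 of the attribute value."""
    return base64.b64encode(upn.encode("utf-8")).decode("ascii")


def decode_name_id(value: str) -> str:
    """Decode a NameID copied out of ns.log; the log may omit the trailing '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8")


def parse_saml_time(text: str) -> datetime:
    """Parse the UTC timestamps used in IssueInstant / NotBefore / NotOnOrAfter."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_conditions(issue_instant: datetime, skew_minutes: int) -> dict:
    """Validity window the IdP writes around IssueInstant, widened on both sides by the Skew Time."""
    skew = timedelta(minutes=skew_minutes)
    return {
        "NotBefore": issue_instant - skew,
        "NotOnOrAfter": issue_instant + skew,
        "Audience": AUDIENCE,
        "Recipient": ACS_URL,
    }


def assertion_is_acceptable(conditions: dict, now: datetime,
                            sp_audience: str = AUDIENCE, sp_acs_url: str = ACS_URL) -> tuple:
    """The checks the service provider side applies: time window, audience and recipient."""
    if not (conditions["NotBefore"] <= now < conditions["NotOnOrAfter"]):
        return False, "outside NotBefore/NotOnOrAfter window: check clock sync or raise Skew Time"
    if conditions["Audience"] != sp_audience:
        return False, "Audience does not match the value expected by Office 365"
    if conditions["Recipient"] != sp_acs_url:
        return False, "Recipient does not match the Assertion Consumer Service URL"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through using the timestamps shown in the troubleshooting log of this guide.
    issued = parse_saml_time("2016-01-18T02:14:32Z")
    conds = build_conditions(issued, skew_minutes=5)
    print("NameID decodes to:", decode_name_id("QWRtaW5pc3RyYXRvckBDVFhOUy5uZXQ"))
    print("window:", conds["NotBefore"].isoformat(), "to", conds["NotOnOrAfter"].isoformat())
    print("7 minutes after issue:", assertion_is_acceptable(conds, issued + timedelta(minutes=7)))
```

A skew of five minutes reproduces the NotBefore 02:09:32 / NotOnOrAfter 02:19:32 pair in the sample assertion; if Office 365 reports the assertion as expired while the NetScaler clock is correct, the window check in assertion_is_acceptable is the condition that failed.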
Configure your AAA Virtual Server

An employee trying to log in to Office 365 is redirected to a NetScaler AAA virtual server which validates the employee’s corporate credentials. This virtual server listens on port 443, which requires an SSL certificate, in addition to external and/or internal DNS resolution of the virtual server’s IP address on the NetScaler appliance. The following steps require a pre-existing virtual server to be in place and assume that the DNS name resolution is already in place, and that the SSL certificate is already installed on your NetScaler.

1. In the NetScaler Configuration tab navigate to Security > AAA – Application Traffic > Virtual Servers and click the Add button.
2. In the Authentication Virtual Server window, enter the virtual server’s name and IP address (av1 and 10.105.157.62 in this example).
3. Scroll down and make sure that the Authentication and State check boxes are selected.
4. Click Continue.
5. In the Certificates section, select No Server Certificate.
6. In the Server Cert Key window, click Bind.
7. Under SSL Certificates, choose your AAA SSL Certificate and select Insert. (Note – This is NOT the Office 365 SP certificate.)
8. Click Save, then click Continue.
9. Click Continue again to bypass the Advanced Policy creation option, instead opting to add a Basic Authentication Policy by selecting the ‘+’ icon on the right side of the window.
10. From the Choose Type window, select Choose Policy from the drop-down list, select LDAP, leaving Primary as the type, and select Continue.
11. Select Bind and from within the Policies window select the Office 365 LDAP SSO Policy created earlier.
12. Click OK to return to the Authentication Virtual Server screen.
13. Under Basic Authentication Policies click the ‘+’ icon on the right to add a second Basic Policy.
    a. Note: in later builds of NetScaler, SAML IDP policies have been moved to the ‘Advanced Authentication Policies’ section.
14. From the Choose Policy drop-down list, select SAMLIDP, leave Primary as the type, and click Continue.
15. Under Policies select Bind, select your Office 365 SSO Policy, and click Insert and OK.
16. Click Continue and Done.

After completing the steps above, the AAA vServer should look similar to this:
Part 2: Configure Office 365

Once the NetScaler configuration is completed, move on to make the configuration changes to Office 365.

Note: Screenshots may differ as Microsoft Azure is a continually evolving platform.

Confirm Microsoft Office 365 Portal Settings

1. In a web browser, log in to your Office 365 administration portal at https://login.microsoftonline.com using an account with administrative rights.
2. Confirm that the domain that is in use by your company for Office 365 has been verified by navigating to Domains in the left hand navigation bar.
3. Select the Domain Settings option in the Manage Domains section shown on the right after selecting the appropriate domain in the list – noting the default domain.
Signing Certificate

Before proceeding, you should verify that you have the signing certificate that the NetScaler will use to sign the assertion. To get the verification certificate from the NetScaler appliance, follow these steps:

1. Log in to your NetScaler appliance, then select the Configuration tab.
2. Select Traffic Management > SSL.
3. Select Manage Certificates / Keys / CSR’s under the Tools section on the right as shown below.
4. From the Manage Certificates window, browse to the certificate you will use for your AAA Virtual Server. Select the certificate and choose the Download button. Save the certificate to a location of your choice.

Setup Federation Settings for Windows Azure AD

In order to complete single sign on configuration, you will need to complete the following tasks:

- Assuming that a local AD (Active Directory) server is used for validation of user credentials, the Microsoft Azure Active Directory Connect tool (formerly called DirSync) will need to be installed on a domain-joined computer. This tool is essential for configuring SSO for Office 365.
- Complete the configuration for federation/establishing trust between Azure AD (Azure Active Directory) and NetScaler using the Azure AD Module for Windows PowerShell.
- Setup Directory Synchronization using the Azure AD Directory Connect Tool to ensure that users in the local AD are replicated in Azure AD.

The following tools must be installed before proceeding:

- (Required) The Azure AD Module for Windows PowerShell is essential for this deployment. This module enables cmdlets to be run that complete the Azure AD administrative and configuration tasks for this deployment.
  o More information is available from Microsoft here: 5.aspx
  o The PowerShell module can be downloaded here: http://go.microsoft.com/fwlink/p/?linkid=236297
  o Note: Support for the 32-bit version of this tool has ended.
- (Optional) Windows Azure AD Connect enables synchronization of directories between Azure AD and the local Active Directory. This tool simplifies user account setup in Office 365, eliminating the need to add them individually. For more information on directory synchronization using Azure AD Connect, refer to ticles/activedirectory-aadconnect/
  o Note: Azure AD Connect is an optional installation, and this integration can be completed without it. However, in this instance you will need to ensure that the Azure AD tenant for your Office 365 account has all user accounts corresponding to the ones in your Active Directory (the user account login should be the same as the UPN for the user accounts in the local Active Directory) – see the troubleshooting section at the end of this document regarding the ImmutableID field in Azure AD.

Office 365 PowerShell Commands

These commands are executed in PowerShell after completing the Azure AD Directory Module installation. <your domain name> refers to the domain name that your accounts are bound to – for example, for a user UPN (User Principal Name) of <user>@company.com, your domain name will be “company.com.”

1. Connect-MsolService will prompt for user credentials; provide an Office 365 administrative user’s credentials.

   PS C:\Windows\system32> Connect-MsolService

Note: Steps 2 and 3 are necessary only if your domain has not already been added to Office 365. If it is already set up, you may skip to step 4. If the domain you are planning to use is already the default domain in Azure, it cannot be converted to federated authentication.
For example, if ‘company.com’ is the desired domain and is currently set to default, it is recommended to make the ‘company.onmicrosoft.com’ domain the default – otherwise a new default will be needed to take over the ‘default’ role.

2. (Optional) Convert another domain than the target domain to default:

   PS C:\Windows\System32> Set-MsolDomain -Name company.onmicrosoft.com -IsDefault:$true

   a. (Optional) Create a new domain to make default if one does not already exist. Ensure that the domain name matches with an existing public DNS record.

   PS C:\Windows\system32> New-MsolDomain -Name adfsns.citrix.com

3. (Optional) Get the DNS record information for the new domain with the following command:

   PS C:\Windows\system32> Get-MsolDomainVerificationDns -DomainName <your domain name>
   PS C:\Windows\system32> Confirm-MsolDomain -DomainName <your domain name>

4. Provide a public certificate that will be used in SAML signing. This is the certificate that was downloaded from the NetScaler device and bound to the AAA vserver.
   a. Note: Open the certificate file prior to moving on to the next step – if the file contains the private key, it should be removed – only the certificate is needed.

   PS C:\Users\administrator> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path to certificate, for example: C:\NS-IDP-Cert.cer>")
   PS C:\Users\administrator> $certData = [System.Convert]::ToBase64String($cert.RawData)

5. Create variables and assign domain name and federation brand name. The domain variable should match the domain name you are federating.

   PS C:\Users\administrator> $dom = "<your domain name>"
   PS C:\Users\administrator> $fedBrandName = "<company brand name, for example: Citrix India>"

6. Provide the URL for the SAML IdP (Identity Provider), in this case the FQDN (fully qualified domain name) for the AAA vserver that the SAML policies on the NetScaler appliance will be bound to.
   a. Note: In the case of NetScaler Gateway acting as a SAML IDP the URL will be https://<NS Gateway domain name>/saml/login
   b. Note: In the case of AAATM, the SAML IDP URL will be https://<aaavserver domain name>/saml/login.
   c. Note: The ECP protocol URL has been set to the same value as the URI as there is no unique URL for ECP support.

   PS C:\Users\administrator> $url = "https://<aaavserver domain name>/cgi/tmlogout"
   PS C:\Users\administrator> $uri = "https://<aaavserver domain name>/saml/login"
   PS C:\Users\administrator> $ecpUrl = "https://<aaavserver domain name>/saml/login"

7. (Optional) If the domain being used has already been federated (for example, with ADFS), it needs to be converted to a standard domain before it can be used for federated authentication with NetScaler.
Use the following command to convert it to a standard domain before setting new authentication parameters.

   PS C:\Users\administrator> Convert-MsolDomainToStandard -DomainName <your domain name> -SkipUserConversion:$true -PasswordFile C:\userpasswords.txt

Note: The userpasswords.txt file can be any path on the local hard drive; this command will dump all user passwords from the previously federated setup into this text file for reference. This will complete single sign-on configuration for Office 365 with NetScaler.

8. Convert the Azure AD domain to federated authentication.
   a. IMPORTANT NOTE: DO NOT close the PowerShell window that is running this command. If this command is successful but the configuration is incorrect or incomplete, you may not be able to log in to Office 365 and will need to convert the domain back to ‘managed authentication’ from within this same PowerShell session that is already logged in. See the ‘Revert back to Managed Authentication’ section for instructions to convert back to managed authentication.
   b. Note: It may take a few minutes for the configuration change to replicate throughout Microsoft Azure.

   PS C:\Users\administrator> Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $uri -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $url -PreferredAuthenticationProtocol SAMLP

Revert back to Managed Authentication

If you need to convert your domain back to ‘managed’ authentication, run the following command.

*Note: this is only required if you are unable to log in to Office 365 after completing the above steps.

   PS C:\Users\administrator> Set-MsolDomainAuthentication -DomainName <your domain name> -Authentication Managed

Note: It can take a few minutes for logons and the authentication mechanism to switch between federated and managed.

Validate the Configuration

Verify the federation settings by using the command Get-MsolDomainFederationSettings and confirm that the details are shown as entered (the command will prompt you to provide the domain name; provide your domain name as the value).

Point your browser to https://login.microsoftonline.com. In the email or phone field, provide the UPN (which serves as the user ID for Office 365) for your enterprise user account. Upon typing the same and switching to the password field, you should be redirected to the NetScaler AAA logon form.

Log in with user credentials that are valid for the NetScaler environment you just configured. Your Office 365 folders and applications should appear.
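Step 4 of the PowerShell procedure above leaves it to the operator to open the downloaded certificate file and confirm that no private key travels with it before the file is base64-encoded into $certData. The following Python is an added example, not code from this guide or from Citrix, that performs that preparation on a PEM file: it lists the blocks the file contains, refuses to produce the signing-certificate value while any PRIVATE KEY block is present, rebuilds a certificate-only copy, and emits the single-line base64 of the DER certificate, which is the same value [System.Convert]::ToBase64String($cert.RawData) yields in PowerShell. The sample PEM, the bytes inside its blocks and the function names are all constructed for this example.

```python
import base64
import re
import textwrap

# One PEM block: header, base64 body, matching footer (label is back-referenced).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----", re.S
)


def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


# Constructed sample: these bytes are NOT a real X.509 certificate or RSA key. They stand in for
# an exported appliance certificate whose file also carries its private key.
FAKE_CERT_DER = b"constructed certificate bytes, not a real X.509 structure"
FAKE_KEY_DER = b"constructed private key bytes, never place real keys in documentation"
SAMPLE_PEM_WITH_KEY = pem_block("CERTIFICATE", FAKE_CERT_DER) + pem_block("RSA PRIVATE KEY", FAKE_KEY_DER)


def pem_blocks(text: str) -> list:
    """Return [(label, der_bytes)] for every PEM block found in the file."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group("body")))
        out.append((m.group("label"), der))
    return out


def contains_private_key(text: str) -> bool:
    """True if any block label names a private key (RSA, EC, PKCS#8 'PRIVATE KEY', ...)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))


def certificate_only_pem(text: str) -> str:
    """Rebuild the file with every PRIVATE KEY block dropped, as the note in step 4 requires."""
    return "".join(pem_block(label, der) for label, der in pem_blocks(text) if "PRIVATE KEY" not in label)


def signing_certificate_base64(text: str) -> str:
    """Single-line base64 of the first CERTIFICATE block; the value $certData holds in step 4."""
    if contains_private_key(text):
        raise ValueError("certificate file still contains a private key; remove it first")
    certs = [der for label, der in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64encode(certs[0]).decode("ascii")


if __name__ == "__main__":
    print("private key present:", contains_private_key(SAMPLE_PEM_WITH_KEY))
    cleaned = certificate_only_pem(SAMPLE_PEM_WITH_KEY)
    print("certData =", signing_certificate_base64(cleaned))
```

The refusal in signing_certificate_base64 is deliberate: the base64 string ends up in the Azure AD federation settings, so it is worth failing loudly rather than silently encoding only the certificate from a file that should never have contained the key in the first place.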
Troubleshooting

In order to help while troubleshooting, here is the list of entries that will be observed in the ns.log file (located at /var/log on the NetScaler appliance) for a successful SAML login (note that some of the entries such as encrypted hash values etc. will vary).

The NetScaler receives the authentication request from Office 365

Jan 18 02:14:21 local0.debug 10.105.157.60 01/18/2016:02:14:21 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 6186 0 : SPCBId 967 - ClientIP 116.202.78.57 - ClientPort 62171 - VserverServiceIP 10.105.157.62 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite “AES-256-CBC-SHA TLSv1 Non-Export 256-bit” - Session New

Jan 18 02:14:21 local0.info 10.105.157.60 01/18/2016:02:14:21 GMT 0-PPE-0 : default AAATM Message 6187 0 : “Parse SAML authn request: couldnt find ACS after finding AuthnRequest tag, ignoring”

(Note: this is not an error, the authentication will proceed normally)

Jan 18 02:14:22 local0.debug 10.105.157.60 01/18/2016:02:14:22 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 6188 0 : SPCBId 964 - ClientIP 116.202.78.57 - ClientPort 62189 - VserverServiceIP 10.105.157.62 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite “AES-256-CBC-SHA TLSv1 Non-Export 256-bit” - Session Reuse

Messages indicating successful authentication and extraction of parameters

Jan 18 02:14:32 local0.info 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAA Message 6193 0 : “In update aaa cntr: Succeeded policy for user administrator ldap2”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6194 0 : “extracted SSOusername: [email protected] user administrator”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default SSLVPN Message 6195 0 : “sslvpn extract attributes from resp: attributes copied so far are [email protected] “

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default SSLVPN Message 6196 0 : “sslvpn extract attributes from resp: totallen copied 28, mask 0x1 “
Messages verifying SAML transaction and sending of SAML assertion

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6197 0 : “SAMLIDP: Checking whether current flow is SAML IdP flow, input T1pnakhSN0RSbE9tYkU”

Jan 18 02:14:32 local0.info 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAA EXTRACTED_GROUPS 6198 0 : Extracted groups “ADSyncAdmins,ReportingGroup {133115cb- b-a0b1-4a96-83db-2f4828ba1ecf},PrivUserGroup {133115cb-a0b14a96-83db- UniversalUserAdmins,RTCUniversalServerAdmins,Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators”

Jan 18 02:14:32 local0.info 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM LOGIN 6199 0 : Context [email protected] - SessionId: 34 - User administrator - Client_ip 116.202.78.57 - Nat_ip “Mapped Ip” - Vserver 10.105.157.62:443 - Browser_type “Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko” - Group(s) “N/A”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6200 0 : “SAMLIDP: Checking whether current flow is SAML IdP flow, input T1pnakhSN0RSbE9tYkU”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default SSLVPN Message 6201 0 : “UnifiedGateway: SSOID update skipped due to StepUp or LoginOnce OFF, user: administrator”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6202 0 : “SAML: SendAssertion: Response tag is samlp:Response xmlns:samlp ion ”https://login.microsoftonline.com/login.srf” ID ”eb2de2e7d944c358296c3789aecd3095” InResponseTo ”836b4a92-59e5-4fd1-b4f9-960bec1164b0” IssueInstant ”2016-01-18T02:14:32Z” Version ”2.0” saml:Issuer xmlns:saml ”urn:oasis:names:tc:SAML:2.0:assertion” Format ”urn:oasis:names:tc:SAML:2.0:nameid-format:entity” https://nssaml.citrix.com/saml/login /saml:Issuer samlp:Status samlp:StatusCode Value ”urn:oasis:names:tc:SAML:2.0:status:Success” /samlp:StatusCode /samlp:Status”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6203 0 : “SAML: SendAssertion: Assertion tag is saml:Assertion xmlns:saml ”urn:oasis:names:tc:SAML:2.0:assertion” ID ”eb2de2e7d944c358296c3789aecd309” IssueInstant ”2016-01-18T02:14:32Z” Version ”2.0” saml:Issuer Format ” https://nssaml.citrix.com/saml/login /saml:Issuer saml:Subject saml:NameID Format tent” QWRtaW5pc3RyYXRvckBDVFhOUy5uZXQ /saml:NameID saml:SubjectConfirmation Method ”urn:oasis:names:tc:SAML:2.0:cm:bearer” saml:SubjectConfirmationData InResponseTo ” r ”2016-01-18T02:19:32Z” Recipient ”https://login.microsoftonline.com/login.srf” /saml:SubjectConfirmationData /saml:SubjectConfirmation /saml:Subject saml:Conditions NotBefore ”2016-01-18T02:09:32Z” NotOnOrAfter ”2016-01-18T02:19:32Z” saml:AudienceRestriction saml:Audience urn:federation:MicrosoftOnline /saml:Audience /sam

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6204 0 : “SAMLIDP: SendAssertion: Copying [email protected] com to response”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6205 0 : “SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is ds:SignedInfo xmlns:ds ”http://www.w3.org/2000/09/xmldsig#” ds:CanonicalizationMethod Algorithm ”http://www.w3.org/2001/10/xml-exc-c14n#” /ds:CanonicalizationMethod ds:SignatureMethod Algorithm ”http://www.w3.org/2000/09/xmldsig#rsa-sha1” /ds:SignatureMethod ds:Reference URI ”#eb2de2e7d944c358296c3789aecd309” ds:Transforms ds:Transform Algorithm ”http://www.w3.org/2000/09/xmldsig#enveloped-signature” /ds:Transform ds:Transform Algorithm ”http://www.w3.org/2001/10/xml-exc-c14n#” /ds:Transform /ds:Transforms ds:DigestMethod Algorithm ”http://www.w3.org/2000/09/xmldsig#sha1” /ds:DigestMethod ds:DigestValue tTfFyb7aMq4nVR/AIBXN9WGyq8g /ds:DigestValue /ds:Reference /ds:SignedInfo”

Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6206 0 : “SAML: SendAssertion, Signature element is ds:Signature xmlns:ds ”http://www.w3.org/2000/09/xmldsig#” ds:SignedInfo xmlns:ds ”http://www.w3.org/2000/09/xmldsig#” ds:CanonicalizationMethod Algorithm ”http://www.w3.org/2001/10/xml-exc-c14n#” /ds:CanonicalizationMethod ds:SignatureMethod Algorithm ”http://www.w3.org/2000/09/xmldsig#rsa-sha1” /ds:SignatureMethod ds:Reference URI ”#eb2de2e7d944c358296c3789aecd309” ds:Transforms ds:Transform Algorithm nature” /ds:Transform ds:Transform Algorithm ”http://www.w3.org/2001/10/xml-exc-c14n#” /ds:Transform /ds:Transforms ds:DigestMethod Algorithm ”http://www.w3.org/2000/09/xmldsig#sha1” /ds:DigestMethod ds:DigestValue tTfFyb7aMq4nVR/AIBXN9WGyq8g /ds:DigestValue /ds:Reference /ds:SignedInfo ds:SignatureValue 7LwBrQi97FZjrePfcN5EFQ/jBVWm8K6BUXjX7Pkig19oJGgKVUXmaVWpdPDjpyZRNXB17/cIQ

Jan 18 02:14:33 local0.debug 10.105.157.60 01/18/2016:02:14:33 GMT 0-PPE-0 : default SSLVPN Messa
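To make a trace like the one above quicker to read, here is an added example in Python (not part of this guide and not a Citrix tool) that parses ns.log entries in the format shown, checks off the milestones of one successful SAML IdP login in the order the guide lists them (TLS handshake, LDAP policy success, SSO username extraction, SAML IdP flow detection, AAA LOGIN, assertion sent), records the harmless “couldnt find ACS” message as informational rather than as a failure, and decodes the base64 NameID from the assertion line. The embedded log excerpt is constructed to mirror the entries above with shortened message bodies and an invented Context field; the milestone names and function names are this example's own.

```python
import base64
import re

# Constructed ns.log excerpt modelled on the entries shown above. Message bodies are shortened and
# the LOGIN Context field is invented, so treat this as sample data, not a real capture.
SAMPLE_NSLOG = """\
Jan 18 02:14:21 local0.debug 10.105.157.60 01/18/2016:02:14:21 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 6186 0 : SPCBId 967 - ClientIP 116.202.78.57 - ClientPort 62171 - VserverServiceIP 10.105.157.62 - VserverServicePort 443 - ClientVersion TLSv1.0 - Session New
Jan 18 02:14:21 local0.info 10.105.157.60 01/18/2016:02:14:21 GMT 0-PPE-0 : default AAATM Message 6187 0 : "Parse SAML authn request: couldnt find ACS after finding AuthnRequest tag, ignoring"
Jan 18 02:14:32 local0.info 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAA Message 6193 0 : "In update aaa cntr: Succeeded policy for user administrator ldap2"
Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6194 0 : "extracted SSOusername: Administrator@CTXNS.net for user administrator"
Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6197 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input T1pnakhSN0RSbE9tYkU"
Jan 18 02:14:32 local0.info 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM LOGIN 6199 0 : Context administrator@10.105.157.62 - SessionId: 34 - User administrator - Client_ip 116.202.78.57 - Vserver 10.105.157.62:443
Jan 18 02:14:32 local0.debug 10.105.157.60 01/18/2016:02:14:32 GMT 0-PPE-0 : default AAATM Message 6203 0 : "SAML: SendAssertion: Assertion tag is <saml:Assertion ID="eb2de2e7d944c358296c3789aecd309"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">QWRtaW5pc3RyYXRvckBDVFhOUy5uZXQ</saml:NameID></saml:Assertion>"
"""

# syslog prefix, NetScaler timestamp, packet engine, partition, module, event, message id, counter, text
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<facility>\S+) (?P<host>\S+) "
    r"(?P<ns_ts>\S+ GMT) (?P<ppe>\S+) : (?P<partition>\w+) (?P<module>\w+) "
    r"(?P<event>\S+) (?P<msgid>\d+) \d+ : (?P<msg>.*)$"
)

# Milestones of one successful SAML IdP login, in the order the guide shows them:
# (name, module, event, substring that must appear in the message, or None).
MILESTONES = (
    ("tls_handshake", "SSLLOG", "SSL_HANDSHAKE_SUCCESS", None),
    ("ldap_policy_ok", "AAA", "Message", "Succeeded policy for user"),
    ("sso_username_extracted", "AAATM", "Message", "extracted SSOusername:"),
    ("saml_idp_flow", "AAATM", "Message", "SAMLIDP: Checking whether current flow is SAML IdP flow"),
    ("aaa_login", "AAATM", "LOGIN", None),
    ("assertion_sent", "AAATM", "Message", "SAML: SendAssertion"),
)
# Logged on every Office 365 request but, as the guide notes, not an error.
BENIGN_MESSAGES = ("couldnt find ACS after finding AuthnRequest tag",)


def parse_entries(text: str) -> tuple:
    """Split ns.log text into parsed entries plus the lines that did not match the format."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        (entries.append(m.groupdict()) if m else unparsed.append(line))
    return entries, unparsed


def decode_name_id(value: str) -> str:
    """NetScaler base64-encodes the Name ID (B64ENCODE); the log may drop the '=' padding."""
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")


def analyze(text: str) -> dict:
    """Report which login milestones the log reached and which identity was asserted."""
    entries, unparsed = parse_entries(text)
    reached = []
    result = {"sso_username": None, "name_id": None, "benign": [], "unparsed": unparsed}
    for e in entries:
        for name, module, event, needle in MILESTONES:
            hit = e["module"] == module and e["event"] == event and (needle is None or needle in e["msg"])
            if hit and name not in reached:
                reached.append(name)
        if any(b in e["msg"] for b in BENIGN_MESSAGES):
            result["benign"].append(e["msgid"])
        m = re.search(r"extracted SSOusername: (\S+) for user", e["msg"])
        if m:
            result["sso_username"] = m.group(1)
        m = re.search(r"<saml:NameID[^>]*>([A-Za-z0-9+/=]+)</saml:NameID>", e["msg"])
        if m:
            result["name_id"] = decode_name_id(m.group(1))
    result["reached"] = reached
    result["missing"] = [name for name, _, _, _ in MILESTONES if name not in reached]
    result["login_complete"] = not result["missing"]
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_NSLOG)
    print("login complete:", report["login_complete"], "| missing:", report["missing"])
    print("SSO username:", report["sso_username"], "| NameID decodes to:", report["name_id"])
```

Run against a real /var/log/ns.log the "missing" list tells you where the flow stopped: a trace that ends after ldap_policy_ok and sso_username_extracted with no saml_idp_flow entry points at the SAML IDP policy or its binding on the AAA vserver, while a trace that reaches assertion_sent but still fails at Office 365 points at the federation settings or the asserted identity, which is why the decoded NameID is printed alongside.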