CASM Citrix FederationRunbook Ver1.0


  • CA SiteMinder - Citrix Online [SaaS Partner]

    SAML 2.0 Federation Run Book

  • Legal Notice 2

    Legal Notice

    This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

    This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

    Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

    The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

    TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

    The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

    The manufacturer of this Documentation is CA.

    Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

    Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

  • Support 3

    Support

    This document is produced by FuGen Solutions Inc. (www.fugensolutions.com), who can be reached at [email protected], on behalf of CA Technologies Inc. (www.ca.com).

    Contact CA Technologies

    Contact CA Support

    For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

    Online and telephone contact information for technical assistance and customer services
    Information about user communities and forums
    Product and documentation downloads
    CA Support policies and guidelines
    Other helpful resources appropriate for your product

    Providing Feedback About Product Documentation

    If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected] or [email protected].

  • Contents 4

    Contents

    Legal Notice .................................................................................................................................................. 2

    Support .......................................................................................................................................................... 3

    Contents ........................................................................................................................................................ 4

    Chapter 1: SaaS Partner Introduction ........................................................................................................ 6

    Overview ..................................................................................................................................................... 6

    Partnership Process ................................................................................................................................... 6

    Prerequisites ........................................................................................................................................... 6

    Target Citrix Application .......................................................................................................................... 7

    Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider ......................................................... 8

    Configure Identity Provider and Service Provider Entities ......................................................................... 8

    Local Entity Creation ............................................................................................................................... 8

    Remote Entity Creation ........................................................................................................................... 9

    Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP) .................................... 10

    Configure Partnership ........................................................................................................................... 10

    Federation Users .................................................................................................................................. 11

    Assertion Configuration......................................................................................................................... 11

    SSO and SLO ....................................................................................................................................... 12

    Configure Signature and Encryption ..................................................................................................... 13

    Partnership Activation ........................................................................................................................... 14

    Chapter 3: Configuring Service Provider ................................................................................................ 15

    Enabling federation at Citrix end .............................................................................................................. 15

    Configure SAML 2.0 SSO in Citrix ........................................................................................................ 15

    Chapter 4: Federation Testing .................................................................................................................. 17

    Federation Testing .................................................................................................................................... 17

    Identity Provider Initiated ...................................................................................................................... 17

    Chapter 5: Exception Handling ................................................................................................................. 19

    Exception Cases ....................................................................................................................................... 19

    When SiteMinder Partnership is Inactive .............................................................................................. 19

    When the Assertion Consumer Service URL is given wrong on the SiteMinder side .............................. 19

    When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder ........... 20

    SiteMinder user who doesn't have the desired attributes in the user store ........................................ 21

    User Email ID is not matching with the data at the Citrix ...................................................................... 21

    Change of Service Provider Entity ID in the SiteMinder ....................................................................... 22


    Change of Identity Provider Entity ID in SiteMinder ............................................................................. 23

    Change of Audience Field value to some other value .......................................................................... 23

    Change of Name ID Format values ...................................................................................................... 24

    Change of Name ID Format .................................................................................................................. 24

    Expired Certificate on SiteMinder Side ................................................................................................. 25

    Chapter 6: Summary .................................................................................................................................. 27

  • Chapter 1: SaaS Partner Introduction 6

    Chapter 1: SaaS Partner Introduction

    This section contains the following topics:

    Overview (see page 6)

    Partnership Process (see page 6)

    Prerequisites

    Target Citrix Application

    Overview

    The scope of the document is to provide the necessary steps to configure the federation partnership to achieve SSO (Single Sign-On) between CA SiteMinder 12.5, acting as the Identity Provider (IDP), and Citrix Online, acting as the Service Provider (SP).

    Partnership Process

    The partnership creation for each partner involves the following steps:

    1. Installing and configuring the prerequisites

    2. Configuring SiteMinder as an Identity Provider

    3. Configuring the Service Provider

    4. Testing the Federated SSO

    Prerequisites

    Installation of CA SiteMinder 12.5 Suite

    Configuration and testing of Authentication store and Session store

    Creation of a Signed Certificate by a well known CA such as VeriSign, Entrust, Thawte or Go Daddy for the Identity Provider Digital Signature

    Important! - Protect the Identity Provider Authentication URL using CA SiteMinder 12.5


    The Identity Provider Authentication URL is protected by creating the following objects:

    Authentication Scheme
    Domain
    Realm
    Rules & Policies

    Note: Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the Identity Provider.

    Tenant environment at Citrix with Partner Login URL -

    https://www.citrix.com/welcome.html?resource=%2Faccount

    Target Citrix Application

    The following Citrix Application services have been tested in a desktop browser for federation using CA SiteMinder 12.5 as Identity Provider.

    Citrix GoToMeeting

    Citrix GoToWebinar

    Citrix GoToTraining

    Citrix GoToMyPC

    Citrix ShareFile

    Citrix GoTo Assist

  • Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider 8

    Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

    This section contains the following topics:

    Configure Identity Provider and Service Provider Entities (see page 8)

    Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP) (see page 12)

    Configure Identity Provider and Service Provider Entities

    Log in to CA SiteMinder and go to Federation -> Partnership Federation -> Entity -> Create Entity

    Local Entity Creation

    Configure the Local Identity Provider Entity with the following details:

    o Entity Location Local

    o Entity Type SAML2 IDP

    o Entity ID Any (in this example https://ca-idp.fugen.com/)

    o Entity Name Any (Relevant name)

    o Description Any (Relevant description)

    o Base URL Will be pre-populated

    o Signing Private Key Alias Select the correct private key alias

    o Signed Authentication Requests Required No

    o Supported NameID format Email Address


    Remote Entity Creation

    Configure the Remote Service Provider Entity by selecting Create Entity

    Note: For the Citrix Service Provider details (Entity ID and ACS URL), contact the Citrix Support Team.

    Create the Citrix Remote Entity with the following details:

    o Entity Location Remote

    o New Entity Type SAML2 SP

    o Entity ID https://login.citrixonline.com/saml/sp

    o Entity Name Any (Relevant name)

    o Description Any (Relevant description)

    o Assertion Consumer Service URL https://login.citrixonline.com/saml/global.gotomeeting.com/acs

    o Authentication Request No

    o Supported NameID Format Email address


    Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)

    To create the Partnership, go to Federation -> Partnership Federation -> Create Partnership (SAML 2 IDP > SP)

    Configure Partnership

    Add Partnership Name Any (Relevant Name)

    Description Any (Relevant description)

    Local IDP ID Select Local IDP ID (e.g. https://ca-idp.fugen.com/)

    Remote SP ID Select Remote SP ID

    Base URL Will be pre-populated

    Skew Time Any

    User Directories and Search Order Select the required Directories in the required search order. Proceed to the Next Page.


    Federation Users

    Configure Federation Users Accept default values

    Assertion Configuration

    Name ID Format Email Address.

    Name ID Type User Attribute

    Value Should be the name of the user attribute containing the email address. In this example, the name is 'mail'.


    SSO and SLO

    Add Authentication URL

    SSO Binding via HTTP-Post

    Audience https://login.citrixonline.com/saml/sp

    Transaction Allowed Both

    Assertion Consumer Service URL

    https://login.citrixonline.com/saml/global.gotomeeting.com/acs


    Configure Signature and Encryption

    Signing Private Key Alias Check if correct Private Key Alias selected


    Confirm the values and finish Partnership

    Partnership Activation

    Activate the created Partnership

  • Chapter 3: Configuring Service Provider 15

    Chapter 3: Configuring Service Provider

    This section contains the following topics:

    Configure SAML 2.0 SSO in Citrix (see page 15)

    Enabling federation at Citrix end

    Configure SAML 2.0 SSO in Citrix

    Follow the steps given below to configure SAML 2.0 SSO in Citrix.

    Log in to Citrix (http://login.citrixonline.com/saml/settings.html) with the appropriate credentials (for credentials, contact the Citrix Support team).

    Under SAML 2.0 single sign-on page

    o Enter the Identity Provider SSO URL

    o Upload the Verification certificate

    o Save the changes


  • Chapter 4: Federation Testing 17

    Chapter 4: Federation Testing

    This section contains the following topics:

    Federation Testing (see page 17)

    Identity Provider initiated

    Federation Testing

    In the case of Citrix, the federation scenario can be run in the Identity Provider initiated mode only.

    Identity Provider Initiated

    Access URL https://ca-idp.fugen.com/affwebservices/public/saml2sso?SPID=https://login.citrixonline.com/saml/sp

    The user is challenged with an authentication screen by the Identity Provider.

    After successful authentication, the Identity Provider user is directed to the Citrix home page.


  • Chapter 5: Exception Handling 19

    Chapter 5: Exception Handling

    This section contains the following exceptions:

    When SiteMinder Partnership is Inactive (see page 19)

    When the Assertion Consumer Service URL is given wrong on the SiteMinder side (see page 20)

    When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder (see page 20)

    SiteMinder user who doesn't have the desired attributes in the user store (see page 21)

    User Email ID is not matching with the data at the Citrix (see page 22)

    Change of Service Provider Entity ID in the SiteMinder (see page 22)

    Change of Identity Provider Entity ID in the SiteMinder (see page 23)

    Change of Audience Field value to some other value (see page 23)

    Change of Name ID Format values (see page 24)

    Change of Name ID Format (see page 25)

    Expired Certificate on SiteMinder Side (see page 26)

    Exception Cases

    The following are the exception cases.

    When SiteMinder Partnership is Inactive

    When the SiteMinder Partnership is in the Inactive or Defined state, the following error appears in the browser:

    When the Assertion Consumer Service URL is given wrong on the SiteMinder side

    Default Assertion Consumer Service URL in Citrix

    https://login.citrixonline.com/saml/global.gotomeeting.com/acs


    Test Assertion Consumer Service URL given in SiteMinder https://citrixonline.com/saml/acs

    Result: authenticates at the Identity Provider side and gives the following error:

    When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder

    This is a user that is authenticated to SiteMinder but not provisioned to Citrix.

    UserID used pptester

    Result: after authentication, the following error page appears at the Citrix side.


    Logs: the following log information can be found in FWSTrace.log

    [03/18/2013][03:08:30][][][][][][][][][IsOk? Yes, Return 0 responses with 1 attributes added.][][][][][][][][][][][]

    [03/18/2013][03:08:30][s1/r72][][][][pptester][][][][Evaluating OnAccessAccept policy in the realm ][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]

    [03/18/2013][03:08:30][][][][][pptester][][][][Start of user policy analysis for realm.][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]

    SiteMinder user who doesn't have the desired attributes in the user store

    UserID tuser

    The email ID attribute, which supplies the NameID used in the Partnership, is removed from the user entry and federated login is tested.

    Result: after authentication, the following error page appears.

    User Email ID is not matching with the data at the Citrix

    UserID tuser

    Default email [email protected]

    Changed email [email protected]

    Result: the following error message appears in the browser


    Change of Service Provider Entity ID in the SiteMinder

    Original Service Provider Entity ID: https://login.citrixonline.com/saml/sp

    Changed Service Provider Entity ID: https://login.citrixonlinechange.com/saml/sp

    Result: the following error message appears in the Internet Explorer browser

    Logs: the following log information can be found in the FWSTrace.log file.

    [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND]

    [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.]

    [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]
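The FWSTrace.log lines above can be read by a small parser rather than by eye. The following is an added example, not CA code: it splits the bracketed fields of both line layouts quoted in this chapter and groups the SSO.java lines by transaction id to report the failure reason (here NO_PROVIDER_INFO_FOUND) and the HTTP status. The field positions are inferred from the quoted lines, not from a CA format specification; the sample input is those same lines re-joined.

```python
"""Parse CA SiteMinder FWSTrace.log lines and summarise failed SAML2 SSO transactions.

Added example, not CA code. Two bracketed-field layouts appear in this runbook:
policy-evaluation lines (user name in field 6, realm in field 12, user DN last)
and SSO.java lines (transaction id, source file, method, message). Field positions
are inferred from the quoted lines, not taken from a CA format specification."""
import re

REASON_RE = re.compile(r"Reason: ([A-Z_]+)")
HTTP_ERR_RE = re.compile(r"HTTP error (\d{3})")

# Sample input: the FWSTrace.log lines quoted in this runbook, re-joined onto single lines.
SAMPLE_LOG = """\
[03/18/2013][03:08:30][s1/r72][][][][pptester][][][][Evaluating OnAccessAccept policy in the realm ][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]
"""


def split_fields(line):
    """Split one FWSTrace line into its bracketed fields; an empty '[]' becomes ''."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        raise ValueError("not a bracketed FWSTrace line: %r" % line[:40])
    return line[1:-1].split("][")


def parse_line(line):
    """Return the fields that matter when troubleshooting a partnership."""
    f = split_fields(line)
    get = lambda i: f[i] if len(f) > i and f[i] else None   # empty '[]' -> None
    rec = {"date": f[0], "time": f[1]}
    if len(f) >= 8 and f[5].endswith(".java"):   # SSO.java / processRequest layout
        rec.update(layout="sso", transaction_id=f[4], source=f[5],
                   method=f[6], message=f[7])
    else:                                          # policy-evaluation layout
        rec.update(layout="policy", transaction_id=None, user=get(6),
                   message=get(10) or "", realm=get(12), user_dn=f[-1] or None)
    return rec


def failed_transactions(log_text):
    """Group SSO.java lines by transaction id; keep those with a failure reason or HTTP error."""
    by_tid = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["transaction_id"] is None:       # policy lines carry no transaction id
            continue
        entry = by_tid.setdefault(rec["transaction_id"], {"time": rec["time"], "reason": None,
                                                          "http_status": None, "messages": []})
        entry["messages"].append(rec["message"])
        m = REASON_RE.search(rec["message"])
        if m:
            entry["reason"] = m.group(1)
        m = HTTP_ERR_RE.search(rec["message"])
        if m:
            entry["http_status"] = int(m.group(1))
    return {tid: e for tid, e in by_tid.items() if e["reason"] or e["http_status"]}


if __name__ == "__main__":
    for tid, e in failed_transactions(SAMPLE_LOG).items():
        print(tid, e["time"], e["reason"], e["http_status"], *e["messages"], sep="\n  ")
```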


    Change of Identity Provider Entity ID in SiteMinder

    Original Identity Provider Entity ID: https://ca-idp.fugen.com/

    Changed Identity Provider Entity ID: https://ca-idp.fugenportal.com/

    Result: federated login works as expected, without any impact due to the new Identity Provider Entity ID.

    Change of Audience Field value to some other value

    Original Audience https://login.citrixonline.com/saml/sp

    Changed Audience https://login.citrixonlineportal.com/saml/sp

    Result: the following error message appears in the browser

    Logs: the following log information can be found in the FWSTrace.log file.

    [email protected] https://login.citrixonline.com/saml/sp https://login.citrixonlineportal.com/saml/sp


    Change of Name ID Format values

    Original NameID mail

    Changed NameID uid

    UID tuser

    Result: the following error appears in the browser.

    Logs: the following log information can be found in the FWSTrace.log file

    tuser

    Change of Name ID Format

    Name ID Format Chosen: Transient Identifier

    Result: the following error appears in the browser.


    Logs: the following log information can be found in the FWSTrace.log file

    _03d5fe0084fc99f80cb26de0fe8539f806a3

    Expired Certificate on SiteMinder Side

    Condition: the SiteMinder signing certificate has expired.

    Log file information appears as follows:

    https://ca-idp.fugen.com/

    Error Signing Assertion.


    Message that appears in the browser:
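The exception cases in this chapter are each a different acceptance check failing at the service provider. The following is an added example, not SiteMinder or Citrix code, that writes those checks out so the wrong ACS URL, the missing mail attribute, the changed Audience and the Transient NameID cases can be seen as the specific check each one fails; it also serves the Assertion Configuration and SSO and SLO settings of Chapter 2. The entity IDs, ACS URL and NameID format are the ones configured in this runbook; the Response XML, the 30-second skew and the address tuser@example.com are constructed, and signature verification is reduced to a presence check (a real SP verifies the signature with the IdP verification certificate uploaded in Chapter 3).

```python
"""SP-side acceptance checks for a SAML 2.0 Response, mirroring the Chapter 5 exception cases
(wrong ACS URL, missing mail attribute, changed Audience, non-email NameID format). Added
example, not SiteMinder or Citrix code: expected values are those this runbook configures, the
Response is a constructed sample, and the signature check only requires a ds:Signature element."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TS = "%Y-%m-%dT%H:%M:%SZ"
# Partnership values from this runbook; the skew stands in for the partnership's Skew Time.
EXPECTED = {"issuer": "https://ca-idp.fugen.com/",
            "audience": "https://login.citrixonline.com/saml/sp",
            "acs_url": "https://login.citrixonline.com/saml/global.gotomeeting.com/acs",
            "nameid_format": EMAIL_FMT,
            "skew": timedelta(seconds=30)}

def sample_response(audience=EXPECTED["audience"], nameid_format=EMAIL_FMT,
                    nameid="tuser@example.com", destination=EXPECTED["acs_url"],
                    signed=True, now=None):
    """Constructed IdP Response; each parameter is one field the exception cases vary."""
    now = now or datetime.now(timezone.utc)
    sp, sa, ds, iss = NS["samlp"], NS["saml"], NS["ds"], EXPECTED["issuer"]
    sig = (f'<ds:Signature xmlns:ds="{ds}"><ds:SignatureValue>c29tZXNpZw=='
           '</ds:SignatureValue></ds:Signature>' if signed else "")
    name_el = (f'<saml:NameID Format="{nameid_format}">{nameid}</saml:NameID>'
               if nameid is not None else "")
    return f"""<samlp:Response xmlns:samlp="{sp}" xmlns:saml="{sa}" ID="_r1" Version="2.0"
    IssueInstant="{now.strftime(TS)}" Destination="{destination}">
  <saml:Issuer>{iss}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">
    <saml:Issuer>{iss}</saml:Issuer>{sig}
    <saml:Subject>{name_el}</saml:Subject>
    <saml:Conditions NotBefore="{(now - timedelta(minutes=1)).strftime(TS)}"
        NotOnOrAfter="{(now + timedelta(minutes=5)).strftime(TS)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected=EXPECTED, now=None):
    """Return the rejection reasons; an empty list means the SP would accept the Response."""
    now = now or datetime.now(timezone.utc)
    ts = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    resp, problems = ET.fromstring(xml_text), []
    if resp.get("Destination") != expected["acs_url"]:        # wrong ACS URL case
        problems.append("destination does not match the ACS URL")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no assertion in response"]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected["issuer"]:
        problems.append("unknown issuer")
    if a.find("ds:Signature", NS) is None:   # a real SP verifies the signature here
        problems.append("assertion is not signed")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():            # missing mail attribute case
        problems.append("NameID missing (user has no mail attribute)")
    elif nid.get("Format") != expected["nameid_format"]:       # Transient NameID case
        problems.append("NameID format is not emailAddress")
    auds = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in auds:                       # changed Audience case
        problems.append("audience restriction does not name this SP")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and now + expected["skew"] < ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond is not None and now - expected["skew"] >= ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems
```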

  • Chapter 6: Summary 27

    Chapter 6: Summary

    Identity Provider-initiated scenario alone works for Citrix

    Citrix services federation via Browser-SSO has been tested

    No backchannel or artifact based profiles are implemented at Citrix

    The SSO, assertion consumer and target URLs are all https.

    Signing of assertion is enabled

    Encryption of assertion is not enabled

    The following Citrix Application services have been tested for federation using CA SiteMinder 12.5 as Identity Provider.

    o Citrix GoToMeeting - https://admin.gotomeeting.com/ext-admin/users.html