Citrix Content Collaboration single sign-on configuration guide for ADFS 4

Prerequisites

  • Domain-joined Windows Server 2016 host
  • Publicly accessible FQDN associated with public IP (Example: <adfs>.yourdomain.com)
  • Valid SSL certificate associated with site FQDN (Wildcards are supported)
  • Port 443 open inbound and outbound on public IP associated with AD FS FQDN

Add ADFS Role

  • Launch Server Manager.
  • Click Manage at the top right.
  • Click Add Roles and Features.

adfs4 image 1

  • Select Active Directory Federation Services.
  • Click Next.

adfs4 image 2

  • Click Next.

adfs4 image 3

  • Click Next.

adfs4 image 4

  • Select Restart the destination server automatically if required.
  • Click Install, respond Yes to the restart prompt.

adfs4 image 5

  • You now see this screen upon successful install of the role. Click Close.

Configure ADFS

  • Open Server Manager.
  • Click the flag icon with the yellow caution symbol.

adfs4 image 6

  • Click Configure the federation service on this server.

adfs4 image 7

  • Select the Create the first federation server in a federation server farm radio button.
  • Click Next.

adfs4 image 8

  • Define a domain admin account to configure ADFS.
  • Click Next.

adfs4 image 9

  • Select the public SSL certificate. This certificate must be imported on the host before ADFS configuration.
  • Type in a Federation Service Name. This name must match the FQDN you created for ADFS. Example: adfs2016.yourdomain.com
  • Type in a Service Display Name. This name is the text that shows on a forms based login page.
  • Click Next.

adfs4 image 10

  • Specify the service account ADFS uses.
  • Click Next.

adfs4 image 11

  • Select the database type.
  • Click Next.

adfs4 image 12

  • Review the changes before they are made.
  • Click Next.

adfs4 image 13

  • Click Configure if all prerequisite checks completed successfully.

adfs4 image 14

  • Upon successful configuration of ADFS, you now see this screen.
  • Click Close.

Enable IdP-initiated sign-in

The IdP-initiated sign-in page confirms that ADFS accepts your domain credentials before establishing service provider trusts. By default, this page is disabled on Windows Server 2016 environments. Use PowerShell to enable IdP-initiated sign-in.

adfs4 image 15

  • Launch PowerShell as administrator.
  • Run the command Set-AdfsProperties -EnableIdpInitiatedSignonPage $true.
  • You can now browse to https://<adfs.domain.com>/adfs/ls/idpinitiatedsignon.aspx and sign in.
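The same change as a script, added here as an example and not part of the Citrix guide. It reads the current AD FS properties, enables (or, with the hypothetical -Disable switch, re-disables) the IdP-initiated sign-on page, confirms the setting took effect, and builds the test URL from the Federation Service Name rather than a hard-coded host. It assumes the ADFS module is present on the server and that the shell is elevated.

```powershell
# Added example (not from the Citrix guide): toggle the IdP-initiated sign-on page
# and print the URL to test. Run in an elevated PowerShell on the AD FS server.
param([switch]$Disable)   # hypothetical switch: re-disable the page once testing is done

Import-Module ADFS

$props  = Get-AdfsProperties
$fsName = $props.HostName            # Federation Service Name, e.g. adfs2016.yourdomain.com
$wanted = -not $Disable

# Only call Set-AdfsProperties when the value actually needs to change
if ($props.EnableIdpInitiatedSignonPage -ne $wanted) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $wanted
}

# Re-read the property to confirm the change took effect
$state = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
"IdP-initiated sign-on page enabled: $state"
if ($state) {
    "Test at: https://$fsName/adfs/ls/idpinitiatedsignon.aspx"
}
```

The page is only needed to prove that AD FS accepts domain credentials; once the ShareFile trust works end to end, running the script with -Disable returns the service to its Windows Server 2016 default.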

adfs4 image 16

Export token-signing certificate

adfs4 image 17

  • Launch the ADFS management console from Server Manager.

adfs4 image 18

  • Expand Service.
  • Select Certificates.
  • Right-click the Primary token-signing certificate. Select View Certificate…

adfs4 image 19

  • Select the Details tab.
  • Click Copy to File….

adfs4 image 20

  • Click Next.

adfs4 image 21

  • Select the Base-64 encoded X.509 (.CER) radio button.
  • Click Next.
  • Click Browse.

adfs4 image 22

  • Choose a location to export your token-signing certificate.
  • Name your token-signing certificate.
  • Click Save.

adfs4 image 23

  • Click Next.

adfs4 image 24

  • Click Finish.

adfs4 image 25

  • Right-click on the exported token-signing certificate.
  • Click Open with….
  • Choose Notepad.

adfs4 image 26

  • Copy the contents of your token-signing certificate.
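The console steps above can be scripted. This is an added example, not code from the Citrix guide: it finds the primary token-signing certificate with the ADFS module, writes only its public part as a Base-64 (PEM) .cer file, the format the ShareFile X.509 Certificate field expects, and reports the thumbprint and expiry so they can be cross-checked against the ADFS console. The output path is an assumption.

```powershell
# Added example (not from the Citrix guide): export the primary token-signing
# certificate as a Base-64 (PEM) .cer file ready to paste into ShareFile.
Import-Module ADFS

$outPath = "C:\temp\adfs-token-signing.cer"   # assumed output path; change as needed

# Only the primary certificate is used to sign tokens right now
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$cert = $primary.Certificate                   # X509Certificate2 object

# Public portion only (no private key): DER bytes -> Base-64 with 64-character lines
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# Details worth recording: the thumbprint to compare with the ADFS console, and the
# expiry, because ShareFile keeps a static copy of this certificate.
[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
    ExportedTo   = $outPath
}
```

The AutoRollover field is the caveat a practitioner wants: when AD FS rolls its token-signing certificate automatically, the copy pasted into ShareFile no longer matches the signature on new assertions and sign-in stops working until the new certificate is exported and pasted in again, so the expiry date belongs in your change calendar.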

Configure Citrix Content Collaboration account

  • Sign in to your Citrix Content Collaboration account using your web browser.
  • Click Settings on the left side panel.
  • Click Admin Settings.

adfs4 image 27

  • Expand Security.
  • Click Login & Security Policy. Scroll to the bottom of page.

adfs4 image 28

adfs4 image 29

  • ShareFile Issuer / Entity ID: https://<subdomain>.sharefile.com/saml/info
  • Your IdP Issuer / Entity ID: https://<adfs>.yourdomain.com
  • X.509 Certificate: Paste contents of exported certificate from previous section
  • Login URL: https://<adfs>.yourdomain.com/adfs/ls
  • Enable Web Authentication: Yes (Check marked)
  • SP-Initiated Auth Context: User Name and Password – Minimum
  • Save your changes.

Build service provider trust

adfs4 image 30

  • Launch ADFS Management from Server Manager.

adfs4 image 31

  • Select Relying Party Trusts.
  • Click Add Relying Party Trust.

adfs4 image 32

  • Select the Claims aware radio button.
  • Click Start.

adfs4 image 33

  • Type in your Citrix Content Collaboration account’s metadata URL. Example: https://<subdomain>.sharefile.com/saml/metadata
  • You can also browse to this URL, copy the contents, and save as an .xml file if you would rather import the SAML metadata using a file. Also, you can type in this information manually by selecting the third radio button.
  • Click Next.

adfs4 image 34

  • Click Next.

adfs4 image 35

  • Click Next.

adfs4 image 36

  • Click Close.

adfs4 image 37

  • Click Add Rule….

adfs4 image 38

  • Select Send LDAP Attributes as Claims from the menu.
  • Click Next.

adfs4 image 39

  • Name your rule.
  • Select Active Directory from the Attribute store menu.
  • Select E-Mail Addresses under the first LDAP Attribute menu.
  • Select E-Mail Address from the first Outgoing Claim Type menu.
  • Click Finish.

adfs4 image 40

  • Click Add Rule….

adfs4 image 41

  • Select Transform an Incoming Claim.
  • Click Next.

adfs4 image 42

  • Name your rule.
  • Select E-Mail Address for Incoming claim type.
  • Select Name ID for Outgoing claim type.
  • Select Email for Outgoing name ID format.

adfs4 image 43

  • Click Apply.
  • Click OK.

Test your configuration

Browse to your Citrix Content Collaboration account’s SAML login URL. You are now redirected to your ADFS host and asked for credentials. Sign in using credentials associated with the domain your ADFS host is providing federation services for. The email address of your AD user must match the email address of a user in Citrix Content Collaboration. If the credentials you provide to ADFS are correct and your email address matches a Citrix Content Collaboration user, you are now signed in to the Citrix Content Collaboration account associated with your email.
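Because matching is done on the e-mail address AD FS sends, most first-attempt failures come from an empty or different mail attribute on the AD user. The following pre-check is an added example, not part of the Citrix guide: it shows the Name ID value AD FS will issue for one account, lists users in an OU that would fail for lack of a mail attribute, and reads the most recent errors from the AD FS admin log. The account name and OU path are constructed placeholders; it assumes the ActiveDirectory module is installed on the host.

```powershell
# Added example (not from the Citrix guide): pre-check a user before testing SSO.
# ShareFile matches on the e-mail address AD FS sends, so the AD "mail" attribute must be set.
Import-Module ActiveDirectory

$sam = "jdoe"   # constructed sample account name; replace with the account you will test

$user = Get-ADUser -Identity $sam -Properties mail
if ([string]::IsNullOrWhiteSpace($user.mail)) {
    "User $sam has no mail attribute; the SAML Name ID would be empty and sign-in will fail."
} else {
    "AD FS will send Name ID = $($user.mail); this must equal the user's Citrix Content Collaboration e-mail."
}

# Users in scope who would fail for the same reason (constructed OU path)
Get-ADUser -Filter 'mail -notlike "*"' -SearchBase "OU=Users,DC=yourdomain,DC=com" |
    Select-Object SamAccountName, DistinguishedName

# After a failed sign-in, the AD FS admin log usually names the cause (bad rule, missing claim)
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 10 |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message
```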