Citrix Content Collaboration and Endpoint Management

Enable Citrix Content Collaboration for Endpoint Management clients

When you add Citrix Content Collaboration for Endpoint Management clients to Endpoint Management, you can enable single sign-on (SSO) access to Connector data sources from Citrix Content Collaboration for Endpoint Management clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.

Prerequisites

  • Citrix Endpoint Management must be able to reach your Citrix Content Collaboration subdomain. To test the connection, ping your Citrix Content Collaboration subdomain from the Endpoint Management server.
  • The time zone configured for your Citrix Content Collaboration account and for the hypervisor running Endpoint Management must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach Citrix Content Collaboration within the expected time frame. To configure the NTP server for Endpoint Management 10, use the Endpoint Management command-line interface.

    Note:

    The Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.

  • Log on to the Citrix Content Collaboration administrator console using a Citrix Content Collaboration administrator account and verify the SAML SSO settings in Admin > Configure Single Sign-On.
  • Download and wrap Citrix Content Collaboration for Endpoint Management clients.
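The time-zone prerequisite above is easiest to understand by looking at what the service provider actually checks. The following Python example is added here and is not Citrix code: it builds a constructed SAML 2.0 assertion stamped with the identity provider's clock and then applies the standard Conditions check (NotBefore / NotOnOrAfter, with a small tolerated clock skew) using the service provider's clock. The issuer URL, audience, assertion ID and timestamps are all constructed for illustration; a one-hour clock offset on the IdP side is enough to push the token outside its validity window even though the token is otherwise valid.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed SAML 2.0 assertion skeleton (not a real Citrix token). Only the
# Conditions element is inspected by the check below; issuer and audience
# values are placeholders modelled on the hostnames used in the procedure.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="{issue}">
  <saml:Issuer>https://xms.citrix.lab/samlsp</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>https://subdomain.sharefile.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime as SAML uses it (UTC, trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fmt(dt: datetime) -> str:
    """Format a timezone-aware datetime as a UTC xsd:dateTime."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(idp_clock: datetime, lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Issue a constructed assertion stamped with the IdP's notion of 'now'."""
    return ASSERTION_TEMPLATE.format(
        issue=fmt(idp_clock),
        not_before=fmt(idp_clock),
        not_on_or_after=fmt(idp_clock + lifetime),
    )


def check_validity_window(assertion_xml: str, sp_clock: datetime,
                          skew: timedelta = timedelta(minutes=1)) -> str:
    """Apply the SAML Conditions check from the service provider's clock.

    Returns 'ok', 'not_yet_valid' or 'expired'. The skew is the usual small
    tolerance an SP allows; it cannot absorb a whole-hour time-zone mistake.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = saml_time(cond.get("NotBefore"))
    not_on_or_after = saml_time(cond.get("NotOnOrAfter"))
    if sp_clock + skew < not_before:
        return "not_yet_valid"
    if sp_clock - skew >= not_on_or_after:
        return "expired"
    return "ok"


def simulate(idp_offset_hours: int) -> str:
    """IdP clock off from true UTC by idp_offset_hours; the SP clock is correct."""
    true_now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed instant
    idp_clock = true_now + timedelta(hours=idp_offset_hours)
    return check_validity_window(build_assertion(idp_clock), true_now)


if __name__ == "__main__":
    for offset in (0, 1, -1):
        print(f"IdP clock offset {offset:+d}h -> {simulate(offset)}")
```

A hypervisor that sets the Linux VM's clock to local time instead of UTC produces exactly the +1h or -1h cases above: the token is rejected as not yet valid or already expired, which is why the prerequisite insists on matching time zones and an NTP source.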

Steps:

  1. In the Endpoint Management console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Type a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the Citrix Content Collaboration for Endpoint Management client.
  5. Click Next to configure the app information and policies.

The configuration that enables SSO from Citrix Content Collaboration for Endpoint Management clients to Citrix Content Collaboration does not authenticate users to network shares or SharePoint document libraries. To enable SSO between the Secure Hub micro VPN and StorageZones Controller, complete the following policy configuration:

  • Set the Network access policy to Tunneled to the internal network.

    In this mode of operation, all network traffic from the Citrix Content Collaboration for Endpoint Management client is intercepted by the MDX framework and redirected through Citrix Gateway using an app-specific micro VPN.

  • Set the Preferred VPN mode policy to Secure browse.

    In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then starts new connections to internal resources on the user’s behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

Complete the Approvals and Delivery Group Assignments as needed.

Only the users in the selected delivery groups have SSO access to Citrix Content Collaboration from the Citrix Content Collaboration for Endpoint Management clients. If a user in a delivery group does not have a Citrix Content Collaboration account, Endpoint Management provisions the user into Citrix Content Collaboration when you add the Citrix Content Collaboration for Endpoint Management client to Endpoint Management.

Endpoint Management user provisioning for Citrix Content Collaboration

User provisioning process for iOS

The following procedure explains how user provisioning works for Endpoint Management 10 and iOS devices.

Note:

It is assumed that the end user has installed Secure Hub and that the device has been enrolled with Endpoint Management.

  1. The first check is to find out whether the user is logged on to Endpoint Management. If yes, the process continues to the next step. If not, the end user is prompted to log on.
  2. When the user is authenticated, Endpoint Management checks whether the user exists in the Endpoint Management user database. This is the same database that the mobile productivity app controller uses; you can view it in the ‘admin’ portal.

    To access the ‘admin’ portal in Endpoint Management 10, type https://<Endpoint-Management-address>:4443/OCA/admin. If the user already exists in the Endpoint Management database, the process continues to the next step. If not, the end user is created automatically.

  3. Endpoint Management checks whether this user exists in the Citrix Content Collaboration employee user database (in the cloud). If yes, the process is complete and end users are able to log on to Citrix Files using SSO (either through the Citrix Files MDX app or when trying to attach a file from Secure Mail).

If the user does not exist on the Citrix Content Collaboration portal, Endpoint Management sends the request to create the user immediately. There is no delay or queue for the user provisioning task.

When the user is created, users can either use the Citrix Files MDX app or attach files from Citrix Content Collaboration and no logon prompts are displayed.

User provisioning process for Android

The following procedure explains how user provisioning works for Endpoint Management 10 and Android devices.

Note:

It is assumed that the end user has installed Secure Hub and that the device has been enrolled with Endpoint Management.

  1. The first check is to find out whether the user is logged on to Endpoint Management. If yes, the process continues to the next step. If not, the end user is prompted to log on.
  2. When the user is authenticated, Endpoint Management checks whether the user exists in the Endpoint Management user database. This is the same database that the mobile productivity app controller uses; you can view it in the ‘admin’ portal.

    To access the ‘admin’ portal in Endpoint Management 10, type https://<Endpoint-Management-address>:4443/OCA/admin. If the user already exists in the Endpoint Management database, the process continues to the next step. If not, the end user is created automatically.

  3. Android users must ensure that the Citrix Files MDX app is installed on the mobile device. If it is, the process continues to the next step. If not, end users must install the Citrix Files app on their mobile device.
  4. The user starts the Citrix Files MDX app on the mobile device. This step is critical because starting the app is what triggers Endpoint Management to run the user provisioning task that single sign-on depends on.
  5. When the user starts the Citrix Files MDX app, Endpoint Management checks whether this user exists in the Citrix Content Collaboration employee user database (in the cloud). If yes, the process is complete and end users are able to log on to Citrix Files using SSO (either through the Citrix Files MDX app or when trying to attach a file from Secure Mail).

If the user does not exist on the Citrix Content Collaboration portal, Endpoint Management sends the request to create the user immediately. There is no delay or queue for the user provisioning task.

When the user is created, users can either use the Citrix Content Collaboration MDX app or attach files from Citrix Content Collaboration and no logon prompts are displayed.

Configure SSO for Citrix Content Collaboration on Endpoint Management 10 as IdP without Citrix Gateway

Configure SAML SSO for Citrix Files MDX apps

You can use Endpoint Management along with Secure Hub to provide single sign-on to Citrix Files MDX-wrapped applications. In this scenario, Secure Hub obtains a SAML token for the Citrix Content Collaboration logon using Endpoint Management as an IdP.

  1. Log on to the Endpoint Management server using the URL https://<Endpoint Management>:4443
  2. Go to Configure > Settings. Expand the More node and click Content Collaboration.
  3. Type your Citrix Content Collaboration subdomain and select the delivery groups that you want to assign to the Citrix Files MDX application. Only users in the delivery groups selected here are able to use Endpoint Management for SSO. In the Citrix Content Collaboration Administrator Account Logon, type the Citrix Content Collaboration administrator account and save the settings. The Endpoint Management server talks to Citrix Content Collaboration and saves the SAML SSO settings in the Citrix Content Collaboration management console.

At this point, SAML configuration for MDX apps is configured. If you want to configure access for non-MDX Citrix Files clients such as the website, Outlook plug-in or the sync clients, configure Citrix Gateway.

Note:

Configuring Citrix Files MDX SSO also enables user provisioning in Endpoint Management. Any users that are part of the selected delivery groups and do not have an account in Citrix Content Collaboration are provisioned automatically by Endpoint Management based on how they first access Citrix Content Collaboration.

Configure Citrix Gateway

The following configuration is required on Citrix Gateway to support using Endpoint Management as a SAML identity provider:

  1. Disable home page redirection.
  2. Create a Citrix Content Collaboration session policy and profile.
  3. Configure policies on the Citrix Gateway virtual server.

Disable home page redirection

You must disable the default behavior for requests that come through the /cginfra path so that the original requested internal URL is served to the user instead of the configured home page.

  1. Edit the settings for the Citrix Gateway virtual server that is used for Endpoint Management logons. Go to Other Settings and clear the check box labeled Redirect to Home Page.
  2. For the Citrix Content Collaboration setting, add the internal server name and port of your Endpoint Management server. For example: xms.citrix.lab:8443.
  3. For App Controller, type the address of your Endpoint Management server in the same server:port form. This configuration authorizes requests to the specified URL through the /cginfra path.

Create a Citrix Content Collaboration session policy and request profile

  1. In the Citrix Gateway configuration utility, choose Citrix Gateway > Policies > Session in the left navigation pane.
  2. To create a session policy: On the Policies tab, click Add… and then type Citrix Content Collaboration_Policy as the name.
  3. To create an action, click the + button. The Create Citrix Gateway Session Profile screen opens.
  4. In Name, type Citrix Content Collaboration_Profile as the session profile name.
  5. On the Client Experience tab:
    • For Home Page, type none.
    • For Session Time-out, type 1.
    • Enable Single Sign-on to Web Applications. For Credential Index, choose PRIMARY.
  6. On the Published Applications tab:
    • For ICA Proxy, select ON.
    • In Web Interface Address, type the URL of your Endpoint Management server.
    • In Single Sign-on Domain, type your Active Directory domain name.

    Note:

    When configuring the Citrix Gateway Session Profile above, the domain suffix typed into the Single Sign-On Domain field must match the Endpoint Management domain alias defined in LDAP.

  7. Click Create to finish defining the session profile.
  8. For the Citrix Content Collaboration_Policy expression, click Expression Editor.
  9. Build the expression with a Header Name of COOKIE and a Value of NSC_FSRD.
  10. Click Done, click Create, and then click Close.

Configure policies on the Citrix Gateway virtual server

  1. In the Citrix Gateway configuration utility, select Citrix Gateway > Virtual Servers in the left navigation pane.
  2. In the Details pane, click your Citrix Gateway virtual server and then click Edit.
  3. Go to Configured policies > Session policies and click Add binding.
  4. Select the Citrix Content Collaboration_Policy.
  5. Edit the auto-generated Priority number for the inserted policy so that it has the lowest number (highest priority) compared to any other policies listed.
  6. Click Done and then save the running Citrix Gateway configuration.

Configure SAML for non-MDX Citrix Files apps

As a result of configuring Endpoint Management with Citrix Content Collaboration account details, your Citrix Content Collaboration single sign-on settings are populated with a SAML logon URL which points to an internal Endpoint Management server address. To allow non-MDX Citrix Files apps to use Endpoint Management as a SAML IdP, you must edit that URL and also enable web authentication.

Locate the internal app name for Citrix Content Collaboration

Find the internal app name for your Citrix Content Collaboration configuration using the following steps.

  1. Log on to the Endpoint Management administrator tool using the URL https://<Endpoint Management>:4443/OCA/admin/ and select the Configuration view.

    Note:

    The OCA in the above mentioned URL is case sensitive and must be in uppercase.

  2. Select the Applications > Applications node and note the Application Name for the app whose Display Name is “Content Collaboration”.

Change single sign-on settings

  1. Log on to your account (https://subdomain.sharefile.com) as a Citrix Content Collaboration administrator.

  2. In the Citrix Files web interface, navigate to Admin Settings > Security > Login & Security Policy and scroll down to the Single Sign-On settings.

  3. Edit the Login URL. Here is a sample Login URL that is populated as a result of the Endpoint Management configuration:

    https://xms.citrix.lab/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

    1. Insert the external FQDN of the Citrix Gateway virtual server plus /cginfra/https/ before the Endpoint Management FQDN and :8443 after the FQDN.

      For example: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

    2. Change the parameter &app=ShareFile_SAML_SP to use the internal name of the Citrix Content Collaboration application that you determined. The internal name is ShareFile_SAML by default, but with each change to your configuration the internal name changes to append a number (ShareFile_SAML2, ShareFile_SAML3, and so on).

      https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1

    3. Add &nssso=true to the end of the URL. For example:

      https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true

    Important:

    Each time you edit or recreate the Citrix Files app, the internal application name is updated with a number appended to the name. You must also update the Login URL in the Citrix Content Collaboration website to reflect the updated application name. For example, when the internal application name changes from ShareFile_SAML to ShareFile_SAML2, the &app= parameter in the Login URL must change to match.

  4. Under Optional Settings, select the Enable Web Authentication check box.
  5. Click Save.
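The three URL edits above are mechanical and easy to get subtly wrong (a stale app name, a missing :8443, or a forgotten &nssso=true all break SSO for non-MDX clients). The following Python example is added here and is not Citrix code: it performs the rewrite with a URL parser rather than string splicing, and includes a check you can run after each Citrix Files app edit to confirm that the Login URL still carries the current internal application name. The gateway FQDN nsgateway.acme.com and the Endpoint Management host xms.citrix.lab are the page's sample values; the function and parameter names are this example's own.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Sample Login URL as populated by Endpoint Management (taken from the page).
POPULATED_LOGIN_URL = ("https://xms.citrix.lab/samlsp/websso.do"
                       "?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1")


def rewrite_login_url(populated_url: str, gateway_fqdn: str,
                      internal_app_name: str, em_port: int = 8443) -> str:
    """Apply the three edits from the procedure to the populated Login URL."""
    parts = urlsplit(populated_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https URL with a host")
    # Step 1: route through the gateway using the /cginfra/https/<EM FQDN>:<port> prefix.
    new_path = f"/cginfra/https/{parts.hostname}:{em_port}{parts.path}"
    # Step 2: replace the app parameter with the current internal application name.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == "app" for key, _ in params):
        raise ValueError("Login URL has no app parameter to replace")
    params = [(key, internal_app_name if key == "app" else value) for key, value in params]
    # Step 3: append nssso=true so the gateway performs the single sign-on.
    params.append(("nssso", "true"))
    return urlunsplit(("https", gateway_fqdn, new_path, urlencode(params), ""))


def login_url_app_name(login_url: str) -> Optional[str]:
    """Return the app= value so it can be compared with the admin tool's Application Name."""
    for key, value in parse_qsl(urlsplit(login_url).query):
        if key == "app":
            return value
    return None


def login_url_matches(login_url: str, current_internal_name: str, gateway_fqdn: str) -> bool:
    """Post-change check: URL goes via the gateway, names the current app, and has nssso=true."""
    parts = urlsplit(login_url)
    return (parts.hostname == gateway_fqdn
            and parts.path.startswith("/cginfra/https/")
            and login_url_app_name(login_url) == current_internal_name
            and ("nssso", "true") in parse_qsl(parts.query))


if __name__ == "__main__":
    url = rewrite_login_url(POPULATED_LOGIN_URL, "nsgateway.acme.com", "ShareFile_SAML")
    print(url)
    # After the Citrix Files app is recreated the internal name gains a suffix,
    # and the stored Login URL no longer matches until it is updated again.
    print("still valid after recreate:", login_url_matches(url, "ShareFile_SAML2", "nsgateway.acme.com"))
```

Run the check with the Application Name read from the admin tool each time the Citrix Files app is edited; a False result means the Login URL in the Citrix Content Collaboration console needs the updated app name.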

Validate your configuration

  1. Go to https://subdomain.sharefile.com/saml/login.

    • You are then redirected to the Citrix Gateway logon form.
  2. Log on by using user credentials that are valid for the Citrix Gateway and Endpoint Management environment you configured.

    • Your Citrix Content Collaboration folders at subdomain.sharefile.com display.