Citrix Content Collaboration single sign-on configuration guide for dual identity providers

This document helps with the configuration of utilizing both Citrix Endpoint Management and Active Directory Federated Services (ADFS) as the Identity Provider (IdP) for a single Citrix Content Collaboration account. The resulting configuration allows the token signing certificate on the ADFS server to be the same as the SAML certificate on the Citrix Endpoint Management server. This provides a single Citrix Content Collaboration account to:

  • Use Citrix Endpoint Management as the IdP for MDX-wrapped apps. Providing a true single sign-on (SSO) experience from a mobile device using Citrix Files MDX applications.
  • Use ADFS as the SAML IdP for SSO to webapps.

Prerequisites

  • Citrix Endpoint Management 10.x server with fully functioning single sign-on for MDX configured to the Citrix Content Collaboration account.
  • ADFS installed and configured within the infrastructure.
  • Access to an administrator account within Citrix Content Collaboration with the ability to configure single sign-on.

Preparing the ADFS Token Signing Certificate

When configuring ADFS for SSO to Citrix Content Collaboration, it is required to upload the ADFS token signing certificate to the Citrix Content Collaboration control panel without the private key. ADFS generates a self-signed certificate to be used for token signing and token decrypting with a 1-year expiration. However, the self-signed certificate does contain a private key.

At the one-year mark, the self-signed certificate is renewed using Automatic Certificate Rollover 15 days before expiration and becomes the primary certificate. This causes all existing SSO trust relationships to fail. For this configuration, the SAML certification from the Citrix Endpoint Management console is exported with an expiration of 3 years. The certificate validity period is customizable and mitigates the need to renew the token signing certificate at the 1-year mark.

Generate the SAML certificate

  1. Sign in to the Citrix Gateway GUI.
  2. Navigate to Traffic Management > SSL.
  3. Under Getting Started section, select Root-CA Certificate Wizard.

    dual IdP 1

You are now prompted to create the private key.

  1. In the Key Filename field, provide a name for your key.
  2. Key Size, 2048.
  3. Public Exponent Value, 3.
  4. Click Create to create the key.

    dual IdP 2

The next step is to create the Certificate Signing Request (CSR).

  1. In the Request File Name field, enter a name for the CSR.
  2. The Key Filename and PEM format are pre-populated.
  3. Set Digest Method to SHA256.
  4. In Distinguished Name Fields, provide information about your organization.
  5. In Attribute Fields, a Challenge Password is not needed. However, the Company Name can be added.
  6. Click Create to complete the CSR Request.

    dual IdP 3 dual IdP 4

The final step is to create the SAML certificate.

  1. In the Certificate File Name field, enter the name of your certificate.
  2. The Certificate Format is pre-populated with PEM.
  3. The Certificate Request File Name reflects the CSR you created in the previous step.
  4. The Key Format defaults to PEM.
  5. Specify the Validity Period (in days) you want the certificate to be valid for. In this example, the created certificate is a 3 year certificate, so enter 1095.
  6. The Key Filename is pre-populated from the first step.
  7. Click Create to create the certificate.

    dual IdP 5

  8. After creating the certificate, you can exit the Wizard as you do not need to install the certificate on Citrix Gateway.
  9. Click Cancel and click YES to confirm you would like to return back to the main SSL GUI screen.

Export the SAML certificate

You now need to export the newly created certificate and key off Citrix Gateway for use on the Citrix Endpoint Management server and on ADFS. For Citrix Endpoint Management, you need the saml_dualidp.cer file and saml_dualidp.key file created in the previous steps, as the cert and key are already properly formatted for Citrix Endpoint Management. Follow the steps to save the files to a location we can then use to upload them to your Citrix Endpoint Management server when replacing its built-in SAML certificate.

  1. In Citrix Gateway, under Traffic Management > SSL, under Tools, click Manage Certificates / Keys / CSRs.
  2. From the Manage Certificates page, click Date Modified, which brings the newest files to the top. You now see the 3 newly created files from the previous steps. If you do not see them, you can show more than 25 items per page.

    dual IdP 6

  3. Select the saml_dualidp.cer file and choose Download. Save to a location of your choice.
  4. Follow the previous step for the saml_dualidp.key file.
  5. Click Back to return to the previous page.

Next, export the certificate and key in a file format that the ADFS server understands.

  1. Under the same Tools section as earlier, select the option to Export PKCS#12.
  2. In the Choose File field, enter saml_dualidp.pfx.
  3. In the Certificate File Name field, select Choose File, Date Modified, and select the saml_dualidp.cer file. Click Open.
  4. In the Key Filename field, select Choose File, Date Modified, and select the saml_dualidp.key file. Click Open.
  5. Provide an Export Password.
  6. Provide the PEM Passphrase.
  7. Click OK to finish the export.

Now you need to copy the .pfx file off Citrix Gateway and onto a network location.

  1. From the Tools menu once again, select the option to Manage Certificates / Keys / CSRs.
  2. Select the newly created saml_dualidp.pfx file, and choose Download.
  3. Save the file somewhere locally accessible.
  4. Close the windows in Citrix Gateway.

The SAML certificate creation process is complete.

Upload newly created token signing certificate to ADFS

The first step is to disable certificate rollover on the ADFS server.

  1. Create a remote connection to your ADFS server.
  2. By default, ADFS enables AutoCertificateRollover to renew the self-signed certificate at the 1-year mark. This feature must be disabled to upload the newly created token signing certificate.
  3. Run PowerShell as Administrator on the ADFS server.
  4. Type: Get-ADFSProperties.
  5. To disable AutoCertificateRollover: Set-ADFSProperties -AutoCertificateRollover $false

You need to then import the previously exported saml_dualidp.pfx file onto the ADFS server so we can use it as the token signing certificate.

  1. On the ADFS server, right-click, Start > Click Run > Type mmc, and select enter to open a Snap-in.
  2. Click File > Add/Remove Snap-in.
  3. From the available snap-ins section, select Certificates, then click Add.
  4. Select Computer Account, click Next.
  5. Select Local Computer and then Finish, click OK.
  6. Under Console Root, Expand Certificates > Personal > Certificates.
  7. Right-click the Certificates folder and select All Tasks > Import.
  8. From the Welcome screen, click Next.
  9. Browse to the saml_dualidp.pfx file you saved earlier, click Open.
  10. Select Next, type the password for the private key, select Next again.
  11. Select Place all certificates in the following store, Personal and click Next.
  12. Click Finish to complete the import and close the MMC Snap-in.

Now you need to change the token signing certificate in ADFS.

  1. On the ADFS server, from the Server Manager Dashboard, select Tools > ADFS Management.
  2. On the left hand side of the ADFS Management Console, expand Service > Certificates.
  3. Under the Actions menu, select Add Token-Signing Certificate, and select the newly imported token signing certificate.
  4. The newly added token signing certificate is added as a secondary certificate. You must make it the primary.
  5. Expand Service and then select Certificates.
  6. Click the Secondary token signing certificate.
  7. In the Actions pane on the right, select Set As Primary. Click Yes at the confirmation prompt.

Citrix Endpoint Management configuration

To use the same certificate on Citrix Endpoint Management, you only need to perform two actions.

Backup Citrix Endpoint Management SAML certificate

  1. Sign into the Citrix Endpoint Management server, click the gear icon towards the top right, then under Settings, select Certificates.
  2. Highlight the SAML certificate, then click Export.
  3. Choose to also export the private key, then click OK.
  4. Store the certificate in a safe location.

Install new SAML certificate

  1. Sign into the Citrix Endpoint Management server, click the gear icon, then under Settings click Certificates.
  2. Click Import, then select the following options:
    • Import: Certificate
    • Use as: SAML
    • Certificate import: Browse your workstation or network for the previously exported saml_dualidp.cer file.
    • Private key file: Browse your workstation for the previously exported saml_dualidp.key file.
    • Password: enter the password for the private key.
    • Description: enter enough detail for others to know its function.
  3. Click Import to complete.

    dual IdP 7

  4. On the Citrix Endpoint Management server, click Configure, then ShareFile.
  5. If you have a previous configuration, click Save on the bottom right of the screen. This step updates the Citrix Content Collaboration account with the X.509 certificate that has been created in the previous steps. It also overrides the current SSO configuration settings, which are changed in the steps outlined in the next section.
  6. If Citrix Content Collaboration has not yet been configured, in the Domain field, enter your Citrix Content Collaboration account.
  7. Select a delivery group that has access to the Citrix Files MDX application.
  8. Provide your Citrix Content Collaboration user name. This is a local administrative user account.
  9. Enter the Citrix Content Collaboration password (not your Active Directory password).
  10. Leave User account provisioning OFF (especially if you are using the User Management Tool).
  11. Click Save to complete the Citrix Content Collaboration configuration on Citrix Endpoint Management.

    dual IdP 8

Citrix Content Collaboration single sign-on configuration check

Once both Citrix Endpoint Management and ADFS have been configured for Citrix Content Collaboration, follow the steps below to validate the SSO settings.

  1. Log into your Citrix Content Collaboration account using the web UI, click Admin, then Configure Single Sign-on page.
  2. Issuer/Entity ID: this needs to be identical to the Identifier Name within the ADFS configuration.
  3. Login URL: Login URL to ADFS (example: https://adfs.company.com/adfs/ls).
  4. Logout URL: Logout URL to ADFS (example: https://adfs.company.com/adfs/ls/?wa=wsignout1.0). This needs to be added as a logout point on ADFS, if not done so already.
  5. Enable Web Authentication: Yes
  6. SP-Initiated Auth Context: Select the option User Name and Password for Forms Authentication, or Integrated Authentication (according to what your ADFS server is configured with).

    dual IdP 9

Testing

Re-enroll your device to Citrix Endpoint Management, download the app and check if MDX SSO is working. You can also perform testing using SP initiated authentication: https://[subdomain].sharefile.com/saml/login.