Product Documentation

SSO Google apps StyleBook

May 24, 2018

Google Apps is a collection of cloud computing, productivity and collaboration tools, software and products that are developed by Google. Single Sign-On (SSO) enables users to access all of their enterprise cloud applications—including administrators signing in to the admin console—by signing in one time for all services using their enterprise credentials. 

The NetScaler MAS SSO Google Apps StyleBook allows you to enable SSO for Google Apps through NetScaler instances. The StyleBook configures the NetScaler instance as a SAML identity provider for authenticating users to access Google Apps.

Enabling SSO for Google apps in a NetScaler instance using this StyleBook results in the following steps:

1. Configuring the authentication virtual server

2. Configuring a SAML IDP policy and profile

3. Binding the policy and profile to the authentication virtual server

4. Configuring an LDAP authentication server and policy on the instance

5. Binding the LDAP authentication server and policy to your authentication virtual server configured on the instance

Configuration details 

The table below lists the minimum required software versions for this integration to work successfully. The integration process should also work with higher versions of the same.

 Product   Minimum Required Version 
 NetScaler  Release 11.0, Enterprise/Platinum License

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to a NetScaler-monitored IP address.

Deploying SSO Google apps StyleBook configurations 

The following task assists you in deploying the Microsoft SSO Google Apps StyleBook in your business network.

To deploy SSO Google apps StyleBook

1. In NetScaler MAS, navigate to Applications > StyleBooks. The StyleBooks page displays all the StyleBooks available for your use in NetScaler MAS. Scroll down and find SSO Google Apps StyleBook. Click Create Configuration

2. The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook. 

3. Enter values for the following parameters:

a. Application Name. Name of the SSO Google apps configuration to deploy in your network.

b. Authentication Virtual IP address. Virtual IP address used by the AAA virtual server to which the Google apps SAML IdP policy is bound.

c. SAML Rule Expression. By default, the following NetScaler Policy (PI) expression is used: HTTP.REQ.HEADER("Referer").CONTAINS("google"). Update this field with another expression if your requirement is different. This policy expression matches the traffic to which these SAML SSO settings are applied and makes sure that the Referer header is coming from a Google domain.

4. The SAML Idp Settings section allows you to configure your NetScaler Instance as a SAML identity provider by creating the SAML IDP profile and policy that is used by the AAA virtual server created in step 3.

a. SAML Issuer Name. In this field, enter the public FQDN of your authentication virtual server. Example: "https://<NetScaler VIP>/saml/login"

b. SAML Service Provider (SP) ID. (optional) NetScaler identity provider accepts SAML authentication requests from an issuer name that matches this ID.

c. Assertion Consumer Service URL. Enter the service provider's URL where NetScaler identity provider needs to send the SAML assertions after successful user authentication. The assertion consumer service URL can be initiated at the identity provider server site or the service provider site.

d. There are other optional fields that you can enter in this section. For example, you can set the following options:

i. SAML binding profile (the default is the "POST" profile).

ii. Signature algorithm to verify/sign SAML requests/responses (default is "RSA-SHA1"). 

iii. Method to digest hash for SAML requests/responses (default is "SHA-1").

iv. Encryption algorithm (default is AES256), and other settings.

Note: Citrix recommends that you retain the default settings as these settings have been tested to work with Google Apps.

e. You can also enable User Attributes check box to enter the user details such as: 

i. Name of the user attribute

ii. NetScaler PI expression that is evaluated to extract the attribute's value

iii. User-friendly name of the attribute

iv. Select the format of the user attribute. 

These values are included in the issued SAML Assertion. You can include as many as five sets of user attributes in an Assertion issued by NetScaler using this StyleBook. 

5. In LDAP Settings section, enter the following details to authenticate Google Apps users. For domain users to be able to log on to the NetScaler instance by using their corporate email addresses, you must configure the following:

a. LDAP (Active Directory) Base. Enter the base domain name for the domain in which the user accounts reside within the Active Directory (AD) for which you want to allow authentication. For example, dc=netscaler,dc=com

b. LDAP (Active Directory) Bind DN. Add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. For example, cn=Manager,dc=netscaler,dc=com

c. LDAP (Active Directory) Bind DN Password. Enter the password of the domain account for authentication.

d. A few other fields that you need to enter in this section are as follows:

i. LDAP server IP Address that NetScaler connects to for authenticating users

ii. LDAP server's FQDN name

Note: You must specify at least one of the above two - the LDAP server IP address or the FQDN name. 

iii. LDAP server port that NetScaler connects to for authenticating users (default is 389).

iv. LDAP hostname. This is used to validate the LDAP Certificate if validation is turned on (by default, it is turned off).

v. LDAP login name attribute. The default attribute used to extract login names is "samAccountname".

vi. Other optional miscellaneous LDAP settings 

6. In SAML IdP SSL Certificate section, you can specify the details of the SSL certificate: 

a. Certificate Name. Enter the name of the SSL certificate.

b. Certificate File. Choose the SSL certificate file from the directory on your local system or on NetScaler MAS.

c. CertKey Format. Select the format of the certificate and the private-key files from the drop-down list box. The formats supported are .pem and .der file extensions.

d. Certificate Key Name. Enter the name of the certificate private key.

e. Certificate Key File. Select the file containing the private key of the certificate from your local system or from NetScaler MAS.

f. Private Key Password. If your private key file is protected by a passphrase, enter it in this field.

g. You can also enable Advanced Certificate Settings check box to enter details such as certificate expiry notification period, enable or disable the certificate expiry monitor.

7. Optionally, you can select IdP SSL CA Certificate if the SAML IdP Certificate entered above requires a CA public Certificate to be installed on NetScaler. Make sure you select "Is a CA Certificate" in the advanced settings.

8. Optionally, you can select SAML SP SSL Certificate to specify Google SSL certificate (public key) used to validate authentication requests from Google Apps (SAML SP).

9. Click Target Instances and select the NetScaler instance(s) on which to deploy this Google Apps SSO configuration. Click Create to create the configuration and deploy the configuration on the selected NetScaler instance(s).


You can also click the refresh icon to add recently discovered NetScaler instances in NetScaler MAS to the available list of instances in this window.

Note: Citrix recommends that before executing the actual configuration, you select Dry Run to visually confirm the configuration objects that are created on the target NetScaler instance(s) by the StyleBook.