SSO Office 365 StyleBook

Microsoft™ Office 365 is a suite of cloud-based productivity and collaboration applications provided by Microsoft on a subscription basis. It includes Microsoft’s popular server-based applications such as Exchange, SharePoint, Office, and Skype for Business. Single Sign-On (SSO) lets users access all their enterprise cloud applications with one set of credentials:

  • Administrators sign in to the admin console with the same credentials.
  • Users sign on once, with their enterprise credentials, to all Microsoft Office 365 services.

The SSO Office 365 StyleBook allows you to enable SSO for Microsoft Office 365 through NetScaler instances. You can now configure SAML authentication with NetScaler as the SAML Identity Provider (IdP) and Microsoft Office 365 as the SAML service provider.

Enabling SSO for Microsoft Office 365 in a NetScaler instance using this StyleBook involves the following steps:

  1. Configuring the authentication virtual server
  2. Configuring a SAML IdP policy and profile
  3. Binding the policy and profile to the authentication virtual server
  4. Configuring an LDAP authentication server and policy on the instance
  5. Binding the LDAP authentication server and policy to your authentication virtual server configured on the instance.

The table lists the minimum software versions required for this integration. The integration should also work with higher versions of the same products.

Product     Minimum Required Version
NetScaler   11.0, Enterprise/Platinum License

The following instructions assume that you have already created the appropriate external and internal DNS entries. These entries are essential to route authentication requests to a NetScaler-monitored IP address.

The following instructions assist you in implementing the SSO Office 365 StyleBook in your business network.

To deploy SSO Microsoft Office 365 StyleBook

  1. In NetScaler MAS, navigate to Applications > StyleBooks. The StyleBooks page displays all the StyleBooks available for your use in NetScaler MAS. Scroll down and find SSO Office 365 StyleBook. Click Create Configuration.
  2. The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.
  3. Enter values for the following parameters:
    1. Application Name. Name of the SSO Microsoft Office 365 configuration to deploy in your network.
    2. Authentication Virtual IP address. Virtual IP address to be used by the AAA virtual server to which the Microsoft Office 365 SAML IdP policy is bound.


  4. In SSL Certificates Settings section, enter the names of the SSL certificate and the certificate key.

    Note

    This is not the Office 365 service provider certificate. This SSL certificate is bound to the virtual authentication server on the NetScaler instance.

  5. Select the respective files from your local storage folder. You can also type in the private key password to load encrypted private keys in PEM format.


  6. You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.

  7. Optionally, you can select SSL CA Certificate for the authentication virtual IP check box if the SSL certificate requires a CA public certificate to be installed on NetScaler. Make sure you choose “Is a CA Certificate” in the above Advanced Certificate Settings section.

  8. In LDAP Settings for SSO Office 365 section, enter the following details to authenticate Office 365 users. To allow domain users to log on to the NetScaler instance by using their corporate email addresses, configure the following:

    • LDAP (Active Directory) Base. Enter the base domain name for the domain in which the user accounts reside within the Active Directory (AD) to allow authentication. For example, dc=netscaler,dc=com

    • LDAP (Active Directory) Bind DN. Add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. For example, cn=Manager,dc=netscaler,dc=com

    • LDAP (Active Directory) Bind DN Password. Enter the password of the domain account for authentication.

    • A few other fields that you need to enter in this section are as follows:

      1. LDAP server IP Address that NetScaler connects to for authenticating users.

      2. LDAP server’s FQDN name.

        Note: You must specify at least one of the above two - the LDAP server IP address or the FQDN name.

      3. LDAP server port that NetScaler connects to for authenticating users (default is 389). LDAPS uses 636.

      4. LDAP hostname. The hostname is used to validate the LDAP Certificate if validation is turned on (by default, it is turned off).

      5. LDAP login name attribute. The default attribute used to extract login names is “samAccountname.”

      6. Other optional miscellaneous LDAP settings.


  9. In SAML IdP Certificate section, you can specify the details of the SSL certificates used for SAML assertion.

    • Certificate Name. Enter the name of the SSL certificate.

    • Certificate File. Choose the SSL certificate file from the directory on your local system.

    • CertKey Format. Select the format of the certificate and the private-key files from the drop-down list box. The formats supported are .pem and .der file extensions.

    • Certificate Key Name. Enter the name of the certificate private key.

    • Certificate Key File. Select the file containing the private key of the certificate from your local system.

    • Private Key Password. Type in the passphrase that protects your private key file.

    You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.


  10. Optionally, you can select SAML IdP CA Certificate if the SAML IdP certificate entered above requires a CA public certificate to be installed on NetScaler. Make sure you select “Is a CA Certificate” in the above Advanced Certificate Settings section.

  11. In the SAML SP Certificate section, enter the following details for the Office 365 SSL public certificate. This certificate is used by the NetScaler instance to verify incoming SAML authentication requests.

    • Certificate Name. Type the name of the SSL certificate.

    • Certificate File. Choose the SSL certificate file from the directory on your local system.

    • CertKey Format. Select the format of the certificate and the private-key files from the drop-down list box. The formats supported are .pem and .der file extensions.

    You can also select the Advanced Certificate Settings check box to enter details such as the certificate expiry notification period and to enable or disable the certificate expiry monitor.


  12. The SAML IdP Settings section allows you to configure your NetScaler instance as a SAML identity provider by creating the SAML IdP profile and policy that is used by the AAA virtual server created in step 3.

    • SAML Issuer Name. In this field, type the public FQDN of your authentication virtual server. Example: https://<NetScaler_VIP_Address>/saml/login

    • Name Identifier Expression. Type in the NetScaler expression that is evaluated to extract the SAML NameIdentifier sent in the SAML assertion. Example: "HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE"

    • Signature algorithm: Select the algorithm to verify/sign SAML requests/responses (default is “RSA-SHA256”).

    • Digest Method. Select the digest (hash) method for SAML requests/responses (default is “SHA256”).

    • Audience name. Type in the entity name or URL that represents the service provider (Microsoft Office 365).

    • SAML Service Provider (SP) ID (optional). The NetScaler identity provider accepts SAML authentication requests from an issuer name that matches this ID.

    • Assertion Consumer Service URL. Enter the service provider’s URL to which the NetScaler identity provider sends the SAML assertions after successful user authentication. The SSO flow that ends at this URL can be initiated at the identity provider site or at the service provider site.

    • There are other optional fields that you can enter in this section. For example, you can set the following options:

      1. SAML attribute name. Name of user attribute sent in SAML Assertion.

      2. SAML attribute friendly name. Friendly Name of the user attribute sent in SAML Assertion.

      3. PI expression for SAML attribute. By default, the following NetScaler Policy (PI) expression is used: HTTP.REQ.USER.ATTRIBUTE(1). This field specifies the first user attribute sent from the LDAP server (mail) as the SAML authentication attribute.

      4. Select the format of the user attribute.

      These values are included in the issued SAML Assertion.

    Tip

    Citrix recommends that you retain the default settings as these settings have been tested to work with Microsoft Office 365 apps.


  13. Click Target Instances and select the NetScaler instance(s) on which to deploy this Microsoft Office 365 SSO configuration. Click Create to create the configuration and deploy the configuration on the selected NetScaler instance(s).


    Tip

    Citrix recommends that before executing the actual configuration, you select Dry Run to view the configuration objects that are created on the target NetScaler instances by the StyleBook.
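As an added illustration that is not the StyleBook's own rendered output, the following NetScaler CLI commands approximate the objects the steps above create, so you can compare them against what Dry Run shows. Object names, IP addresses, certificate file names and passwords are placeholders; the Office 365 assertion consumer URL, audience and IDPEmail attribute name are assumed values that you must confirm against your tenant's federation settings, and parameter spellings should be checked against your NetScaler release.

```netscaler
# --- Constructed example: placeholders, not a copy of a real configuration ---

# Step 4-7: SSL certificate for the AAA virtual server (not the Office 365 certificate)
add ssl certKey aaa_vip_cert -cert aaa_vip.pem -key aaa_vip.key -passplain <key_password>

# Step 3: authentication (AAA) virtual server on the Authentication Virtual IP
add authentication vserver o365_auth_vs SSL 10.0.0.10 443
bind ssl vserver o365_auth_vs -certkeyName aaa_vip_cert

# Step 8: LDAP server and policy. Port 636 pairs with -secType SSL (LDAPS); 389 with PLAINTEXT.
# Certificate validation is off by default on NetScaler; it is turned on here so the
# LDAP hostname is actually checked against the server certificate.
add authentication ldapAction o365_ldap_act -serverIP 10.0.0.20 -serverPort 636 -secType SSL -ldapBase "dc=netscaler,dc=com" -ldapBindDn "cn=Manager,dc=netscaler,dc=com" -ldapBindDnPassword <bind_password> -ldapLoginName sAMAccountName -validateServerCert YES -ldapHostname ldap.netscaler.com
add authentication ldapPolicy o365_ldap_pol ns_true o365_ldap_act
bind authentication vserver o365_auth_vs -policy o365_ldap_pol -priority 100

# Step 9-11: IdP signing certificate (with key) and the Office 365 SP public certificate (no key)
add ssl certKey saml_idp_cert -cert saml_idp.pem -key saml_idp.key
add ssl certKey o365_sp_cert -cert o365_sp.cer

# Step 12: SAML IdP profile and policy bound to the AAA virtual server.
# -serviceProviderID makes NetScaler accept requests only from the matching issuer;
# -audience is the entity name Office 365 checks in the AudienceRestriction.
add authentication samlIdPProfile o365_saml_idp_prof -samlIdPCertName saml_idp_cert -samlSPCertName o365_sp_cert -samlIssuerName "https://auth.netscaler.com/saml/login" -assertionConsumerServiceURL "https://login.microsoftonline.com/login.srf" -audience "urn:federation:MicrosoftOnline" -serviceProviderID "urn:federation:MicrosoftOnline" -signatureAlg RSA-SHA256 -digestMethod SHA256 -nameIDFormat persistent -nameIDExpr "HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE" -attribute1 IDPEmail -attribute1Expr "HTTP.REQ.USER.ATTRIBUTE(1)" -attribute1Format Unspecified
add authentication samlIdPPolicy o365_saml_idp_pol -rule true -action o365_saml_idp_prof
bind authentication vserver o365_auth_vs -policy o365_saml_idp_pol -priority 100
```

The NameID expression assumes the LDAP action returns the user's immutable identifier as the second attribute and the mail address as the first, matching the default PI expressions described in step 12.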
