CA SiteMinder - Citrix Online [SaaS Partner]
SAML 2.0 Federation Run Book
Legal Notice
This Documentation, which includes embedded help systems and electronically distributed materials,
(hereinafter referred to as the Documentation) is for your informational purposes only and is subject to
change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in
whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary
information of CA and may not be disclosed by you or used for any purpose other than as may be
permitted in (i) a separate agreement between you and CA governing your use of the CA software to
which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the
Documentation, you may print or otherwise make available a reasonable number of copies of the
Documentation for internal use by you and your employees in connection with that software, provided that
all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during
which the applicable license for such software remains in full force and effect. Should the license terminate
for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the
Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS
WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY
LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION,
INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS
INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE
OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license
agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is
subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c) (1) - (2) and
DFARS Section 252.227-7014(b) (3), as applicable, or their successors.
Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
Support
This document was produced by FuGen Solutions Inc. (www.fugensolutions.com), who can be reached at
[email protected], on behalf of CA Technologies Inc. (www.ca.com).
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you
need for your Home Office, Small Business, and Enterprise CA Technologies products. At
http://ca.com/support, you can access the following resources:
Online and telephone contact information for technical assistance and customer services
Information about user communities and forums
Product and documentation downloads
CA Support policies and guidelines
Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you can send a
message to [email protected] or [email protected]
Contents
Legal Notice
Support
Contents
Chapter 1: SaaS Partner Introduction
  Overview
  Partnership Process
    Prerequisites
    Target Citrix Application
Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider
  Configure Identity Provider and Service Provider Entities
    Local Entity Creation
    Remote Entity Creation
  Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)
    Configure Partnership
    Federation Users
    Assertion Configuration
    SSO and SLO
    Configure Signature and Encryption
    Partnership Activation
Chapter 3: Configuring Service Provider
  Enabling federation at Citrix end
    Configure SAML 2.0 SSO in Citrix
Chapter 4: Federation Testing
  Federation Testing
    Identity Provider Initiated
Chapter 5: Exception Handling
  Exception Cases
    When the SiteMinder Partnership is Inactive
    When the Assertion Consumer Service URL is wrong on the SiteMinder side
    When a SiteMinder-authenticated user who is not provisioned in Citrix logs in through SiteMinder
    SiteMinder user who does not have the required attribute in the user store
    User email ID does not match the data at Citrix
    Change of Service Provider Entity ID in SiteMinder
    Change of Identity Provider Entity ID in SiteMinder
    Change of Audience value
    Change of NameID attribute value
    Change of NameID Format
    Expired Certificate on the SiteMinder Side
Chapter 6: Summary
Chapter 1: SaaS Partner Introduction
This section contains the following topics:
Overview
Partnership Process
Prerequisites
Target Citrix Application
Overview
The scope of this document is to provide the steps needed to configure a federation
partnership for SSO (Single Sign-On) between CA SiteMinder 12.5, acting as the
Identity Provider (IDP), and Citrix Online, acting as the Service Provider (SP).
Partnership Process
The partnership creation for each partner involves the following steps:
1. Installing and configuring the prerequisites
2. Configuring SiteMinder as an Identity Provider
3. Configuring the Service Provider
4. Testing the Federated SSO
Prerequisites
o Installation of the CA SiteMinder 12.5 suite
o Configuration and testing of the authentication store and session store
o A certificate signed by a well-known CA such as VeriSign, Entrust, Thawte or Go Daddy
  for the Identity Provider's digital signature
o Important! Protect the Identity Provider Authentication URL using CA SiteMinder 12.5.
  The Identity Provider Authentication URL is protected by creating the following objects:
    Authentication Scheme
    Domain
    Realm
    Rules and Policies
  Note: Protecting the Authentication URL ensures that a user requesting a protected
  federated resource is presented with an authentication challenge if they do not already
  have a SiteMinder session at the Identity Provider.
o Tenant environment at Citrix, with the Partner Login URL
  https://www.citrix.com/welcome.html?resource=%2Faccount
Target Citrix Application
The following Citrix services have been tested in a desktop browser for federation using
CA SiteMinder 12.5 as Identity Provider:
o Citrix GoToMeeting
o Citrix GoToWebinar
o Citrix GoToTraining
o Citrix GoToMyPC
o Citrix ShareFile
o Citrix GoToAssist
Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider
This section contains the following topics:
Configure Identity Provider and Service Provider Entities
Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)
Configure Identity Provider and Service Provider Entities
Log in to CA SiteMinder and go to Federation -> Partnership Federation -> Entity ->
Create Entity.
Local Entity Creation
Configure the local Identity Provider entity with the following details:
o Entity Location: Local
o Entity Type: SAML2 IDP
o Entity ID: Any (in this example https://ca-idp.fugen.com/)
o Entity Name: Any (relevant name)
o Description: Any (relevant description)
o Base URL: Pre-populated
o Signing Private Key Alias: Select the alias of the private key whose certificate will be
  uploaded to Citrix as the verification certificate (Chapter 3)
o Signed Authentication Requests Required: No (Citrix never sends an AuthnRequest, since
  only IdP-initiated SSO is supported; see Chapter 4)
o Supported NameID Format: Email Address
Remote Entity Creation
Configure the remote Service Provider entity by selecting Create Entity.
Note: For the Citrix Service Provider details (Entity ID and ACS URL), contact the Citrix
Support Team. Both values must be entered exactly as supplied; Chapter 5 shows the failures
produced by a wrong ACS URL or a changed Entity ID.
Create the Citrix remote entity with the following details:
o Entity Location: Remote
o New Entity Type: SAML2 SP
o Entity ID: https://login.citrixonline.com/saml/sp
o Entity Name: Any (relevant name)
o Description: Any (relevant description)
o Assertion Consumer Service URL:
  https://login.citrixonline.com/saml/global.gotomeeting.com/acs
o Authentication Request: No
o Supported NameID Format: Email Address
Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)
To create the partnership, go to Federation -> Partnership Federation -> Create Partnership
(SAML 2 IDP -> SP).
Configure Partnership
o Add Partnership Name: Any (relevant name)
o Description: Any (relevant description)
o Local IDP ID: Select the local IDP ID (e.g. https://ca-idp.fugen.com/)
o Remote SP ID: Select the remote SP ID
o Base URL: Pre-populated
o Skew Time: Any. This is the allowance (in seconds) for clock difference between the IdP
  and the SP when assertion validity times are computed and checked; keep it small, since a
  large value widens the window in which an intercepted assertion remains valid.
o User Directories and Search Order: Select the required directories in the required
  search order. Proceed to the next page.
Federation Users
Configure Federation Users: Accept the default values.
Assertion Configuration
o Name ID Format: Email Address
o Name ID Type: User Attribute
o Value: The name of the user attribute containing the email address; in this example,
  'mail'. Citrix matches this value against the email address of the provisioned user, so
  the attribute must be populated for every federated user (see Chapter 5).
SSO and SLO
o Authentication URL: The SiteMinder-protected Identity Provider Authentication URL from
  the prerequisites (Chapter 1)
o SSO Binding: HTTP-POST
o Audience: https://login.citrixonline.com/saml/sp
o Transactions Allowed: Both (only IdP-initiated transactions are actually exercised with
  Citrix; see Chapter 4)
o Assertion Consumer Service URL:
  https://login.citrixonline.com/saml/global.gotomeeting.com/acs
Configure Signature and Encryption
o Signing Private Key Alias: Check that the correct private key alias is selected
Confirm the values and finish creating the partnership.
Partnership Activation
Activate the created partnership. A partnership left in the Defined state is not used for
SSO; see Chapter 5.
Chapter 3: Configuring Service Provider
This section contains the following topics:
Configure SAML 2.0 SSO in Citrix
Enabling federation at Citrix end
Configure SAML 2.0 SSO in Citrix
Follow the steps below to configure SAML 2.0 SSO in Citrix:
o Log in to Citrix (http://login.citrixonline.com/saml/settings.html) with the appropriate
  credentials (for credentials, contact the Citrix Support team)
o On the SAML 2.0 single sign-on page:
  o Enter the Identity Provider SSO URL (the SiteMinder SAML2 SSO service, which in this
    example is https://ca-idp.fugen.com/affwebservices/public/saml2sso, the endpoint used
    for the IdP-initiated test in Chapter 4)
  o Upload the verification certificate (the certificate of the signing private key alias
    selected in Chapter 2; Citrix uses it to verify the assertion signature)
  o Save the changes
Chapter 4: Federation Testing
This section contains the following topics:
Federation Testing
Identity Provider Initiated
Federation Testing
With Citrix, the federation scenario can be run only as Identity Provider-initiated SSO;
SP-initiated SSO is not supported.
Identity Provider Initiated
o Access the URL
  https://ca-idp.fugen.com/affwebservices/public/saml2sso?SPID=https://login.citrixonline.com/saml/sp
o The user is challenged with the authentication screen by the Identity Provider
o After successful authentication, the user is redirected to the Citrix home page
Chapter 5: Exception Handling
This section contains the following exceptions:
When the SiteMinder Partnership is Inactive
When the Assertion Consumer Service URL is wrong on the SiteMinder side
When a SiteMinder-authenticated user who is not provisioned in Citrix logs in through SiteMinder
SiteMinder user who does not have the required attribute in the user store
User email ID does not match the data at Citrix
Change of Service Provider Entity ID in SiteMinder
Change of Identity Provider Entity ID in SiteMinder
Change of Audience value
Change of NameID attribute value
Change of NameID Format
Expired Certificate on the SiteMinder Side
Exception Cases
The following exception cases were tested.
When the SiteMinder Partnership is Inactive
When the SiteMinder partnership is inactive (left in the Defined state rather than
activated), the following error appears in the browser.
When the Assertion Consumer Service URL is wrong on the SiteMinder side
Default Assertion Consumer Service URL at Citrix:
https://login.citrixonline.com/saml/global.gotomeeting.com/acs
Test Assertion Consumer Service URL entered in SiteMinder: https://citrixonline.com/saml/acs
Result: The user authenticates at the Identity Provider, and the browser then shows the
following error, since the assertion is posted to a URL that is not the Citrix ACS.
When a SiteMinder-authenticated user who is not provisioned in Citrix logs in through SiteMinder
This is a user that is authenticated to SiteMinder but not provisioned in Citrix.
UserID used: pptester
Result: After authentication, the following error page appears on the Citrix side.
Logs: FWSTrace.log shows the Identity Provider side completing normally (the user is
authenticated and the authorization policy for the SP realm is evaluated); the rejection
happens at Citrix, which has no matching user:
[03/18/2013][03:08:30][][][][][][][][][IsOk? Yes, Return 0 responses with 1 attributes added.][][][][][][][][][][][]
[03/18/2013][03:08:30][s1/r72][][][][pptester][][][][Evaluating OnAccessAccept policy in the realm ][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]
[03/18/2013][03:08:30][][][][][pptester][][][][Start of user policy analysis for realm.][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]
SiteMinder user who does not have the required attribute in the user store
UserID: tuser
The email attribute, which supplies the NameID used in the partnership, is removed from the
user entry and a federated login is attempted.
Result: After authentication, the following error page appears.
User email ID does not match the data at Citrix
UserID: tuser
Default email: [email protected]
Changed email: [email protected]
Result: The following error message appears in the browser.
Change of Service Provider Entity ID in SiteMinder
Original Service Provider Entity ID: https://login.citrixonline.com/saml/sp
Changed Service Provider Entity ID: https://login.citrixonlinechange.com/saml/sp
Result: The following error message appears in the Internet Explorer browser. The
IdP-initiated URL still carries SPID=https://login.citrixonline.com/saml/sp, which no
longer matches any configured remote entity, so SiteMinder rejects the request with HTTP
400 before any assertion is issued.
Logs: The following entries appear in the FWSTrace.log file.
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]
Change of Identity Provider Entity ID in SiteMinder
Original Identity Provider Entity ID: https://ca-idp.fugen.com/
Changed Identity Provider Entity ID: https://ca-idp.fugenportal.com/
Result: Federated login works as expected, with no impact from the new Identity Provider
Entity ID. Citrix evidently does not pin the assertion Issuer to a configured value; trust
rests on the signature, verified with the certificate uploaded in Chapter 3.
Change of Audience value
Original Audience: https://login.citrixonline.com/saml/sp
Changed Audience: https://login.citrixonlineportal.com/saml/sp
Result: The following error message appears in the browser.
Logs: The FWSTrace.log entry for the transaction shows the assertion issued for the user's
email NameID to the SP https://login.citrixonline.com/saml/sp with the Audience
https://login.citrixonlineportal.com/saml/sp.
Change of NameID attribute value
Original NameID attribute: mail
Changed NameID attribute: uid
Value for the test user: tuser
Result: The following error appears in the browser, since the NameID is no longer an email
address that Citrix can match to a user.
Logs: The FWSTrace.log entry shows the NameID value sent:
tuser
Change of NameID Format
NameID Format chosen: Transient Identifier
Result: The following error appears in the browser.
Logs: The FWSTrace.log entry shows the generated transient identifier sent as the NameID:
_03d5fe0084fc99f80cb26de0fe8539f806a3
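The following Python script is an added example; it is not part of the run book and is not CA or Citrix code. It builds an unsigned assertion carrying the Chapter 2 partnership values (Issuer, Audience, Recipient set to the ACS URL, an emailAddress NameID) and applies the checks an SP makes on those fields, so the ACS URL, Audience, NameID attribute and NameID Format cases in this chapter, and the effect of the skew time from the partnership settings, can be reproduced offline. Signature verification is left out because it needs an XML-DSig library. The address tuser@example.com and the 60-second skew are assumptions.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Partnership values from Chapter 2 of the run book
IDP_ENTITY_ID = "https://ca-idp.fugen.com/"
SP_ENTITY_ID = "https://login.citrixonline.com/saml/sp"
ACS_URL = "https://login.citrixonline.com/saml/global.gotomeeting.com/acs"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def _attr(value):
    # Escape a string for use inside a double-quoted XML attribute
    return escape(value, {'"': "&quot;"})


def build_assertion(name_id, *, now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                    recipient=ACS_URL, nameid_format=NAMEID_EMAIL, lifetime=300):
    """Unsigned <saml:Assertion> with the elements the SP checks (signature omitted)."""
    issued = now.strftime(TS)
    not_after = (now + dt.timedelta(seconds=lifetime)).strftime(TS)
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{issued}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<saml:Subject>'
        f'<saml:NameID Format="{_attr(nameid_format)}">{escape(name_id)}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{_attr(recipient)}" NotOnOrAfter="{not_after}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion>'
    )


def validate_assertion(xml_text, *, now, skew=60, expected_issuer=None):
    """Return the reasons the SP would reject the assertion ([] means accepted)."""
    errors = []
    a = ET.fromstring(xml_text)
    tol = dt.timedelta(seconds=skew)  # assumed skew; SiteMinder's "Skew Time" setting

    def ts(value):
        return dt.datetime.strptime(value, TS).replace(tzinfo=dt.timezone.utc)

    # The run book found that Citrix still accepted a changed IdP Entity ID, i.e. it does
    # not pin the Issuer. An SP that does pin it can pass expected_issuer.
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if expected_issuer is not None and issuer != expected_issuer:
        errors.append(f"Issuer {issuer!r} is not the configured IdP")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Conditions element missing")
    else:
        if now < ts(cond.get("NotBefore")) - tol:
            errors.append("assertion not yet valid")
        if now >= ts(cond.get("NotOnOrAfter")) + tol:
            errors.append("assertion expired")
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if audience != SP_ENTITY_ID:
            errors.append(f"Audience {audience!r} is not this SP")

    # Citrix matches the NameID against the provisioned user's email address
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != NAMEID_EMAIL:
        errors.append("NameID Format must be emailAddress")
    elif "@" not in (nid.text or ""):
        errors.append(f"NameID {nid.text!r} is not an email address")

    # The bearer confirmation must name this SP's ACS URL as Recipient and still be valid
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("Recipient does not match the ACS URL")
    elif now >= ts(scd.get("NotOnOrAfter")) + tol:
        errors.append("SubjectConfirmationData expired")
    return errors


def run_cases(now=None):
    """Replay the Chapter 5 misconfigurations. tuser@example.com is a constructed address."""
    now = now or dt.datetime.now(dt.timezone.utc)
    email = "tuser@example.com"
    cases = {
        "correct configuration": build_assertion(email, now=now),
        "wrong ACS URL": build_assertion(email, now=now, recipient="https://citrixonline.com/saml/acs"),
        "wrong Audience": build_assertion(email, now=now,
                                          audience="https://login.citrixonlineportal.com/saml/sp"),
        "NameID attribute uid": build_assertion("tuser", now=now),
        "transient NameID": build_assertion("_03d5fe0084fc99f80cb26de0fe8539f806a3", now=now,
                                            nameid_format=NAMEID_TRANSIENT),
        "changed IdP Entity ID": build_assertion(email, now=now, issuer="https://ca-idp.fugenportal.com/"),
        "replayed after expiry": build_assertion(email, now=now - dt.timedelta(minutes=10)),
    }
    return {name: validate_assertion(xml, now=now) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, errs in run_cases().items():
        print(f"{name:24s} {'ACCEPT' if not errs else 'REJECT: ' + '; '.join(errs)}")
```

The "changed IdP Entity ID" case is accepted, matching what the run book observed at Citrix; pass expected_issuer=IDP_ENTITY_ID to see how an SP that pins the Issuer would behave. The "replayed after expiry" case is the one the skew time governs: raising skew extends how long a captured assertion stays acceptable.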
Expired Certificate on the SiteMinder Side
Condition: The SiteMinder signing certificate has expired.
Logs: The FWSTrace.log entry names the Identity Provider https://ca-idp.fugen.com/ and
reports: Error Signing Assertion.
Result: The following message appears in the browser.
Because Citrix verifies the signature with the certificate uploaded in Chapter 3, replacing
the expired signing certificate also requires uploading the new certificate on the Citrix
SAML settings page.
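As an added example (not from the run book and not CA code), the script below triages FWSTrace.log for the failure signatures shown in this chapter: the NO_PROVIDER_INFO_FOUND and HTTP 400 sequence from the changed SP Entity ID case, and the Error Signing Assertion message from the expired certificate case. The three SSO.java lines and the IsOk line are the run book's own, re-joined onto single lines; the last sample line is constructed in the same format, and the field layout and transaction-id shape are inferred from those lines.

```python
import re
from collections import defaultdict

# Every FWSTrace.log field is bracket-delimited; for the SSO.java lines the layout is
# [date][time][pid][tid][transaction id][source file][method][message]
FIELD = re.compile(r"\[([^\]]*)\]")
TXID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8}){4}-[0-9a-f]{3}$")

# (pattern, label): group 1, where present, is carried into the finding as detail
RULES = [
    (re.compile(r"failed\. Reason: (\w+)"), "transaction failed"),
    (re.compile(r"No SAML2 provider information found for SP (\S+?)\.?$"),
     "SPID not configured as a remote entity"),
    (re.compile(r"HTTP error (\d{3})"), "SSO service request ended with HTTP error"),
    (re.compile(r"Error Signing Assertion"),
     "assertion signing failed; check the signing key alias and certificate expiry"),
]

# Lines 1-4 are from the run book (Chapter 5); line 5 is constructed to stand in for the
# expired-certificate case, with an invented transaction id.
SAMPLE_LINES = [
    "[03/18/2013][03:08:30][][][][][][][][][IsOk? Yes, Return 0 responses with 1 attributes added.][][][][][][][][][][][]",
    "[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND]",
    "[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.]",
    "[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62-d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]",
    "[03/18/2013][14:02:11][1160][2080][11111111-22222222-33333333-44444444-55555555-abc][SSO.java][processRequest][Error Signing Assertion.]",
]


def parse_line(line):
    """Split one trace line into its bracketed fields and pick out the transaction id."""
    fields = FIELD.findall(line)
    if len(fields) < 3:
        return None
    txid = next((f for f in fields if TXID.match(f)), "")
    return {"when": f"{fields[0]} {fields[1]}", "txid": txid, "fields": fields}


def scan_fws_trace(lines):
    """Apply RULES to every field of every line; return one finding per match."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in rec["fields"]:
            for pattern, label in RULES:
                m = pattern.search(field)
                if m:
                    detail = m.group(1) if m.groups() else ""
                    findings.append({"when": rec["when"], "txid": rec["txid"],
                                     "label": label, "detail": detail})
    return findings


def by_transaction(findings):
    """Group findings by transaction id so one failed SSO shows up as one incident."""
    grouped = defaultdict(list)
    for f in findings:
        text = f"{f['label']}: {f['detail']}" if f["detail"] else f["label"]
        grouped[f["txid"]].append(text)
    return dict(grouped)


if __name__ == "__main__":
    for txid, reasons in by_transaction(scan_fws_trace(SAMPLE_LINES)).items():
        print(txid or "(no transaction id)")
        for reason in reasons:
            print("   ", reason)
```

Run it against a real FWSTrace.log by passing the file's lines to scan_fws_trace; grouping by transaction id turns the three-line NO_PROVIDER_INFO_FOUND sequence into a single incident that names the SPID SiteMinder could not find, which is the first thing to compare against the remote entity's Entity ID.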
Chapter 6: Summary
o Only the Identity Provider-initiated scenario works for Citrix
o Citrix services federation via Browser SSO has been tested
o No back-channel or artifact-based profiles are implemented at Citrix
o The SSO, assertion consumer and target URLs are all HTTPS
o Signing of the assertion is enabled
o Encryption of the assertion is not enabled; the assertion carries only the email NameID
  and travels in the HTTPS POST binding
o The following Citrix application has been tested for federation using CA SiteMinder 12.5
  as Identity Provider:
  o Citrix GoToMeeting - https://admin.gotomeeting.com/ext-admin/users.html