Legal Notice
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS
INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Support
This document is produced by FuGen Solutions Inc. (www.fugensolutions.com), who can be reached at techsupport@fugensolutions.com, on behalf of CA Technologies Inc. (www.ca.com).
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product
Contents
Legal Notice
Support
Contents
Chapter 1: SaaS Partner Introduction
    Overview
    Partnership Process
        Prerequisites
        Target Citrix Application
Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider
    Configure Identity Provider and Service Provider Entities
        Local Entity Creation
        Remote Entity Creation
    Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)
        Configure Partnership
        Federation Users
        Assertion Configuration
        SSO and SLO
        Configure Signature and Encryption
        Partnership Activation
Chapter 3: Configuring Service Provider
    Enabling federation at Citrix end
        Configure SAML 2.0 SSO in Citrix
Chapter 4: Federation Testing
    Federation Testing
        Identity Provider Initiated
Chapter 5: Exception Handling
    Exception Cases
        When SiteMinder Partnership is Inactive
        When the Assertion Consumer Service URL is given wrong on the SiteMinder side
        When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder
        SiteMinder user who doesn't have the desired attributes in the user store
        User Email ID is not matching with the data at Citrix
        Change of Service Provider Entity ID in SiteMinder
        Change of Identity Provider Entity ID in SiteMinder
        Change of Audience field value to some other value
        Change of Name ID Format values
        Change of Name ID Format
        Expired Certificate on SiteMinder Side
Chapter 6: Summary
Overview
The scope of this document is to provide the steps needed to configure a federation partnership that achieves single sign-on (SSO) between CA SiteMinder 12.5, acting as the Identity Provider (IDP), and Citrix Online, acting as the Service Provider (SP).
Partnership Process
The partnership creation for each partner involves the following steps:
1. Installing and configuring the prerequisites
2. Configuring SiteMinder as an Identity Provider
3. Configuring the Service Provider
4. Testing the Federated SSO
Prerequisites
- Installation of the CA SiteMinder 12.5 Suite
- Configuration and testing of the Authentication store and Session store
- Creation of a signed certificate by a well-known CA such as VeriSign, Entrust, Thawte or Go Daddy for the Identity Provider digital signature
- Important! Protect the Identity Provider Authentication URL using CA SiteMinder 12.5

The Identity Provider Authentication URL is protected by creating the following objects:
- Authentication Scheme
- Domain
- Realm
- Rule & Policies

Notes:
- Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the Identity Provider.
- Tenant environment at Citrix with Partner Login URL: https://www.citrix.com/welcome.html?resource=%2Faccount
- Configure Identity Provider and Service Provider Entities
- Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)
Note: For Citrix Service Provider details (Entity ID and ACS URL), contact the Citrix Support Team.

Create the Citrix Remote Entity with the following details:
- Entity Location: Remote
- New Entity Type: SAML2 SP
- Entity ID: https://login.citrixonline.com/saml/sp
- Entity Name: Any (relevant name)
- Description: Any (relevant description)
- Assertion Consumer Service URL: https://login.citrixonline.com/saml/global.gotomeeting.com/acs
- Authentication Request: No
- Supported NameID Format: Email address
Configure Partnership
Add Partnership:
- Name: Any (relevant name)
- Description: Any (relevant description)
- Local IDP ID: Select the Local IDP ID (e.g. https://ca-idp.fugen.com/)
- Remote SP ID: Select the Remote SP ID
- Base URL: Will be pre-populated
- Skew Time: Any
- User Directories and Search Order: Select the required directories in the required search order.
Proceed to the next page.
Federation Users
Configure Federation Users: accept the default values.
Assertion Configuration
- Name ID Format: Email Address
- Name ID Type: User Attribute
- Value: Should be the name of the user attribute containing the email address. In this example, the name is 'mail'.
Partnership Activation
Activate the created Partnership
Under the SAML 2.0 single sign-on page:
- Enter the Identity Provider SSO URL
- Upload the verification certificate
- Save the changes
Federation Testing
In the case of Citrix, the federation scenario can be run only as an Identity Provider-initiated scenario.
After successful authentication, the Identity Provider user will be directed to the Citrix home page.
- When SiteMinder Partnership is Inactive
- When the Assertion Consumer Service URL is given wrong on the SiteMinder side
- When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder
- SiteMinder user who doesn't have the desired attributes in the user store
- User Email ID is not matching with the data at Citrix
- Change of Service Provider Entity ID in SiteMinder
- Change of Identity Provider Entity ID in SiteMinder
- Change of Audience field value to some other value
- Change of Name ID Format values
- Change of Name ID Format
- Expired Certificate on SiteMinder Side
Exception Cases
The following are the exception cases.
When the Assertion Consumer Service URL is given wrong on the SiteMinder side
Default Assertion Consumer Service URL in Citrix: https://login.citrixonline.com/saml/global.gotomeeting.com/acs
Test: Assertion Consumer Service URL given in SiteMinder: https://citrixonline.com/saml/acs
Result: Authenticates at the Identity Provider side and gives the following error.
When a SiteMinder-authenticated user who is not in Citrix tries to log in through SiteMinder
This is a user that is authenticated to SiteMinder but not provisioned to Citrix.
UserID used: pptester
Result: After authentication, the following error page appears at the Citrix side.
Logs: The following log information can be found in FWSTrace.log:
[03/18/2013][03:08:30][][][][][][][][][IsOk? Yes, Return 0 responses with 1 attributes added.][][][][][][][][][][][]
[03/18/2013][03:08:30][s1/r72][][][][pptester][][][][Evaluating OnAccessAccept policy in the realm ][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]
[03/18/2013][03:08:30][][][][][pptester][][][][Start of user policy analysis for realm.][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]
SiteMinder user who doesn't have the desired attributes in the user store
UserID: tuser
The email ID attribute, which is the NameID format used in the partnership, is removed and a federated login is tested.
Result: After authentication, the following error page appears.
Logs: The following log information can be found in the FWSTrace.log file:
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.]
[03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]
Logs: The following log information can be found in the FWSTrace.log file:
<ns2:Subject>
  <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">techsupport@fugensolutions.com</ns2:NameID>
  <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:36:52Z" Recipient="https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/>
  </ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2013-03-18T13:34:52Z" NotOnOrAfter="2013-03-18T13:36:52Z">
  <ns2:AudienceRestriction>
    <ns2:Audience>https://login.citrixonline.com/saml/sp</ns2:Audience>
  </ns2:AudienceRestriction>
  <ns2:AudienceRestriction>
    <ns2:Audience>https://login.citrixonlineportal.com/saml/sp</ns2:Audience>
  </ns2:AudienceRestriction>
</ns2:Conditions>
Logs: The following log information can be found in the FWSTrace.log file:
<ns2:Subject>
  <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tuser</ns2:NameID>
  <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:46:10Z" Recipient="https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/>
  </ns2:SubjectConfirmation>
</ns2:Subject>
Logs: The following log information can be found in the FWSTrace.log file:
<ns2:Subject>
  <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_03d5fe0084fc99f80cb26de0fe8539f806a3</ns2:NameID>
  <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:52:08Z" Recipient="https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/>
  </ns2:SubjectConfirmation>
</ns2:Subject>
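As an added example (not part of this guide or of the SiteMinder/Citrix products), the following Python script performs the Service Provider-side checks that the exception cases above and the Assertion Configuration section depend on: the NameID format and value, the Recipient against the Citrix ACS URL, every AudienceRestriction against the Citrix SP entity ID, and the Conditions validity window. build_assertion constructs sample assertions of the same shape as the FWSTrace.log excerpts; the 60-second clock skew default is an assumption, not a value from the guide.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Partner values as stated in the guide: the Citrix SP entity ID and ACS URL.
SP_ENTITY_ID = "https://login.citrixonline.com/saml/sp"
ACS_URL = "https://login.citrixonline.com/saml/global.gotomeeting.com/acs"


def parse_ts(value):  # SAML UTC timestamp such as 2013-03-18T13:36:52Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(name_id, fmt, audience_sets, recipient, not_before, not_on_or_after):
    """Constructed sample assertion with the same shape as the FWSTrace.log excerpts."""
    restrictions = "".join(
        "<saml:AudienceRestriction>%s</saml:AudienceRestriction>"
        % "".join("<saml:Audience>%s</saml:Audience>" % a for a in aud_set)
        for aud_set in audience_sets)
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject>' % SAML
            + '<saml:NameID Format="%s">%s</saml:NameID>' % (fmt, name_id)
            + '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            + '<saml:SubjectConfirmationData NotOnOrAfter="%s" Recipient="%s"/>'
            % (not_on_or_after, recipient)
            + '</saml:SubjectConfirmation></saml:Subject>'
            + '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">%s</saml:Conditions>'
            % (not_before, not_on_or_after, restrictions)
            + '</saml:Assertion>')


def check_assertion(xml_text, now, skew=timedelta(seconds=60)):
    """Return the problems an SP such as Citrix would reject on; [] means accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")      # transient NameID case
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")   # 'tuser' NameID case
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient", "").strip() != ACS_URL:
        problems.append("Recipient does not match the ACS URL")  # wrong ACS URL case
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Conditions element missing"]
    # Every AudienceRestriction must name the SP (any Audience inside one suffices), so the
    # two-restriction assertion in the guide fails although its first restriction is correct.
    for restriction in cond.findall("saml:AudienceRestriction", NS):
        if SP_ENTITY_ID not in [a.text for a in restriction.findall("saml:Audience", NS)]:
            problems.append("SP entity ID missing from an AudienceRestriction")
    if now + skew < parse_ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems
```

Call check_assertion with the assertion XML and the current UTC time; an empty list means the subject and conditions would pass, otherwise each entry names the mismatch to fix on the SiteMinder side.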
Chapter 6: Summary
- Identity Provider-initiated scenario alone works for Citrix
- Citrix services federation via Browser-SSO has been tested
- No backchannel or artifact-based profiles are implemented at Citrix
- The SSO, assertion consumer and target URLs are all https
- Signing of the assertion is enabled
- Encryption of the assertion is not enabled
- The following service of the Citrix application has been tested for federation using CA SiteMinder 12.5 as Identity Provider:
  - Citrix GoToMeeting - https://admin.gotomeeting.com/ext-admin/users.html