CA SiteMinder - Citrix Online [SaaS Partner]

SAML 2.0 Federation Run Book

Legal Notice
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR

NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS

INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA. Provided with Restricted Rights. Use, duplication or disclo sure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c) (1) - (2) and DFARS Section 252.227-7014(b) (3), as applicable, or their successors. Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Legal Notice

Support
This document is produced by FuGen Solutions Inc.(www.fugensolutions.com) who can be reached at techsupport@fugensolutions.com, on behalf of CA Technologies Inc.(www.ca.com)

Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources: Online and telephone contact information for technical assistance and customer services Information about user communities and forums Product and documentation downloads CA Support policies and guidelines Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com or techsupport@fugensolutions.com

Support

Contents
Legal Notice .................................................................................................................................................. 2 Support.......................................................................................................................................................... 3 Contents ........................................................................................................................................................ 4 Chapter 1: SaaS Partner Introduction ........................................................................................................ 6 Overview ..................................................................................................................................................... 6 Partnership Process ................................................................................................................................... 6 Prerequisites ........................................................................................................................................... 6 Target Citrix Application .......................................................................................................................... 7 Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider ......................................................... 8 Configure Identity Provider and Service Provider Entities ......................................................................... 8 Local Entity Creation ............................................................................................................................... 8 Remote Entity Creation ........................................................................................................................... 9 Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP) .................................... 10 Configure Partnership ........................................................................................................................... 10 Federation Users .................................................................................................................................. 11 Assertion Configuration......................................................................................................................... 11 SSO and SLO ....................................................................................................................................... 12 Configure Signature and Encryption ..................................................................................................... 13 Partnership Activation ........................................................................................................................... 14 Chapter 3: Configuring Service Provider ................................................................................................ 15 Enabling federation at Citrix end .............................................................................................................. 15 Configure SAML 2.0 SSO in Citrix ........................................................................................................ 15 Chapter 4: Federation Testing .................................................................................................................. 17 Federation Testing .................................................................................................................................... 17 Identity Provider Initiated ...................................................................................................................... 17 Chapter 5: Exception Handling ................................................................................................................. 19 Exception Cases ....................................................................................................................................... 19 When SiteMinder Partnership is Inactive .............................................................................................. 19 When the Assertion Consumer Service URL is given wrong in SiteMinder side.................................. 19 When SiteMinder Authenticated User who is not in Citrix trying to login through SiteMinder .............. 20 SiteMinder User who doesnt have desired attributes in the user store ............................................... 21 User Email ID is not matching with the data at the Citrix ...................................................................... 21 Change of Service Provider Entity ID in the SiteMinder ....................................................................... 22

Contents

Change of Identity Provider Entity ID in SiteMinder ............................................................................. 23 Change of Audience Field value to some other value .......................................................................... 23 Change of Name ID Format values ...................................................................................................... 24 Change of Name ID Format .................................................................................................................. 24 Expired Certificate on SiteMinder Side ................................................................................................. 25 Chapter 6: Summary .................................................................................................................................. 27

Contents

Chapter 1: SaaS Partner Introduction

This section contains the following topics: Overview (see page 6) Partnership Process (see page 6) Prerequisites Target Citrix Application

Overview
The scope of the document is to provide the necessary steps to configure the federation partnership to achieve SSO (Single-Sign-On) between CA SiteMinder 12.5, acting as the Identity Provider (IDP), and Citrix Online acting as the Service Provider (SP).

Partnership Process
The partnership creation for each partner involves the following steps: 1. Installing and configuring the prerequisites 2. Configuring SiteMinder as an Identity Provider 3. Configuring the Service Provider 4. Testing the Federated SSO

Prerequisites
Installation of CA SiteMinder 12.5 Suite Configuration and testing of Authentication store and Session store Creation of Signed Certificate by a well know CA such as VeriSign, Entrust, Thawte or Go Daddy for Identity Provider Digital Signature Important! - Protect Identity Provider Authentication URL using CA SiteMinder 12.5

Chapter 1: SaaS Partner Introduction

Identity Provider Authentication URL is protected by creating following objects: Authentication Scheme Domain Realm Rule & Policies

Notes: Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the Identity Provider. Tenant environment at Citrix with Partner Login URL https://www.citrix.com/welcome.html?resource=%2Faccount

Target Citrix Application

The following service of Citrix Application has been tested under desktop browser for federation using CA SiteMinder 12.5 as Identity Provider. Citrix GoToMeeting Citrix GoToWebinar Citrix GoToTraining Citrix GoToMyPC Citrix ShareFile Citrix GoTo Assist

Chapter 1: SaaS Partner Introduction

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

This section contains the following topics:

Configure Identity Provider and Service Provider Entities (see page 8) Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP) (see page 12)

Configure Identity Provider and Service Provider Entities

Login to CA SiteMinder and get to Federation -> Partnership Federation -> Entity -> Create Entity

Local Entity Creation

Configure Local Identity Provider Entity with following details: o o o o o o o o o Entity Location Local Entity Type SAML2 IDP Entity ID Any (in this example https://ca-idp.fugen.com/) Entity Name Any (Relevant name) Description Any (Relevant description) Base URL Will be pre-populated Signing Private Key Alias Select the correct private key alias Signed Authentication Requests Required No Supported NameID format Email Address

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

Remote Entity Creation

Configure Remote Service Provider Entity by selecting Create Entity

Note: For Citrix Service Provider details (Entity ID and ACS URL) contact Citrix Support Team. Create Citrix Remote Entity with following details o o o o o o Entity Location Remote New Entity Type SAML2 SP Entity ID https://login.citrixonline.com/saml/sp Entity Name Any (Relevant name) Description Any (Relevant description) Assertion Consumer Service URL https://login.citrixonline.com/saml/global.gotomeeting.com/acs o o Authentication Request No Supported NameID Format Email address

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

Configure Federation Partnership between CA SiteMinder (IDP) & Citrix (SP)

To create Partnership Get to Federation -> Partnership Federation -> Create Partnership (SAML 2 IDP > SP)

Configure Partnership
Add Partnership Name Any (Relevant Name) Description Any (Relevant description) Local IDP ID Select Local IDP ID (e.g. https://ca-idp.fugen.com/) Remote SP ID Select Remote SP ID Base URL Will be pre-populated Skew Time Any User Directories and Search Order Select required Directories in required search order. Proceed to Next Page

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

10

Federation Users
Configure Federation Users Accept default values

Assertion Configuration
Name ID Format Email Address. Name ID Type User Attribute Value Should be the name of the user attribute containing the email address. In this example, the name is 'mail'

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

11

SSO and SLO

Add Authentication URL SSO Binding via HTTP-Post Audience https://login.citrixonline.com/saml/sp Transaction Allowed Both Assertion Consumer Service URL https://login.citrixonline.com/saml/global.gotomeeting.com/acs

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

12

Configure Signature and Encryption

Signing Private Key Alias Check if correct Private Key Alias selected

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

13

Confirm the values and finish Partnership

Partnership Activation
Activate the created Partnership

Chapter 2: Configuring CA SiteMinder (12.5) as Identity Provider

14

Chapter 3: Configuring Service Provider

This section contains the following topics:

Configure SAML 2.0 SSO in Citrix (see page 15)

Enabling federation at Citrix end

Configure SAML 2.0 SSO in Citrix
Follow the steps given below to configure the SAML2.0 SSO in Citrix Login to Citrix (http://login.citrixonline.com/saml/settings.html) with appropriate credentials (for Credentials contact Citrix Support team)

Under SAML 2.0 single sign-on page o o o Enter the Identity Provider SSO URL Upload the Verification certificate Save the changes

Chapter 3: Configuring Service Provider

15

Chapter 3: Configuring Service Provider

16

Chapter 4: Federation Testing

This section contains the following topics:

Federation Testing (see page 17) Identity Provider initiated

Federation Testing
In the case of Citrix, federation scenario can be run in Identity Provider initiated Scenario alone

Identity Provider Initiated

Access URL https://caidp.fugen.com/affwebservices/public/saml2sso?SPID=https://login.citrixonline.com/sa ml/sp User is challenged with authentication screen by Identity Provider

After successful authentication, the Identity Provider user will be directed to the Citrix home page.

Chapter 4: Federation Testing

17

Chapter 4: Federation Testing

18

Chapter 5: Exception Handling

This section contains the following exceptions:

When SiteMinder Partnership is Inactive (see page 19) When the Assertion Consumer Service URL is given wrong in the SiteMinder side (see page 20) When SiteMinder Authenticated User who is not in the Citrix trying to login through SiteMinder (see page 20) SiteMinder user who doesnt have desired attributes in the user store (see page 21) User Email ID is not matching with the data at the Citrix (see page 22) Change of Service Provider Entity ID in the SiteMinder (see page 22) Change of Identity Provider Entity ID in the SiteMinder (see page 23) Change of Audience Field value to some other value (see page 23) Change of Name ID Format values (see page 24) Change of Name ID Format (see page 25) Expired Certificate on SiteMinder Side (see page 26)

Exception Cases
Following are the exceptions cases.

When SiteMinder Partnership is Inactive

When SiteMinder Partnership is Inactive or Defined, following error appears on browser

When the Assertion Consumer Service URL is given wrong in SiteMinder side
Default Assertion Consumer Service URL in the Citrix https://login.citrixonline.com/saml/global.gotomeeting.com/acs

Chapter 5: Exception Handling

19

Test Assertion Consumer Service URL given in SiteMinder https:// citrixonline.com/saml/acs Result Authenticates at the Identity Provider side and gives following error

When SiteMinder Authenticated User who is not in Citrix trying to login through SiteMinder
This is a user that is authenticated to SiteMinder but not provisioned to Citrix. UserID used pptester Result After Authentication following error page appears at Citrix side.

Chapter 5: Exception Handling

20

Logs Following log information can be found in FWSTrace.log [03/18/2013][03:08:30][][][][][][][][][IsOk? Yes, Return 0 responses with 1 attributes added.][][][][][][][][][][][] [03/18/2013][03:08:30][s1/r72][][][][pptester][][][][Evaluating OnAccessAccept policy in the realm ][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com] [03/18/2013][03:08:30][][][][][pptester][][][][Start of user policy analysis for realm.][][samlsp:fugencloud-citrixsp_az][][][][][][][][][uid=PPtester,ou=People,ou=caidp users,o=caidp.com]

SiteMinder User who doesnt have desired attributes in the user store
UserID tuser Email id attribute which is the NameID Format used in the Partnership is removed and tested for Federated Login Result After Authentication, following error page appears.

User Email ID is not matching with the data at the Citrix

UserID tuser Default email techsupport@fugensolutions.com Changed email test@fugensolutions.com Result Following error message appears on browser

Chapter 5: Exception Handling

21

Change of Service Provider Entity ID in the SiteMinder

Original Service Provider Entity ID: https://login.citrixonline.com/saml/sp Changed Service Provider Entity ID: https://login.citrixonlinechange.com/saml/sp Result Following error message appears on internet explorer browser

Logs Following log information can be found in FWSTrace.log file. [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][Transaction with ID: 9c2d81d4-3787e659-a8dbdda1b301542e-2ddb2e62-d23 failed. Reason: NO_PROVIDER_INFO_FOUND] [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][No SAML2 provider information found for SP https://login.citrixonline.com/saml/sp.] [03/18/2013][13:27:21][1160][2080][9c2d81d4-3787e659-a8dbdda1-b301542e-2ddb2e62d23][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]

Chapter 5: Exception Handling

22

Change of Identity Provider Entity ID in SiteMinder

Original Identity Provider Entity ID: https://ca-idp.fugen.com/ Changed Identity Provider Entity ID: https://ca-idp.fugenportal.com/ Result Federated login works as expected without any impact due to new Identity Provider Entity ID.

Change of Audience Field value to some other value

Original Audience https://login.citrixonline.com/saml/sp Changed Audience https://login.citrixonlineportal.com/saml/sp Result Following error message appears on browser

Logs Following log information can be found in FWSTrace.log file. <ns2:Subject> <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress">techsupport@fugensolutions.com</ns2:NameID> <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:36:52Z" Recipient=" https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/> </ns2:SubjectConfirmation> </ns2:Subject> <ns2:Conditions NotBefore="2013-03-18T13:34:52Z" NotOnOrAfter="2013-0318T13:36:52Z"> <ns2:AudienceRestriction> <ns2:Audience>https://login.citrixonline.com/saml/sp</ns2:Audience> </ns2:AudienceRestriction> <ns2:AudienceRestriction> <ns2:Audience>https://login.citrixonlineportal.com/saml/sp</ns2:Audience>

Chapter 5: Exception Handling

23

</ns2:AudienceRestriction> </ns2:Conditions>

Change of Name ID Format values

Original NameID mail Changed NameID uid UID tuser Result Following error appears on browser.

Logs Following log information can be found in FWSTrace.log file <ns2:Subject> <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress">tuser</ns2:NameID> <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:46:10Z" Recipient=" https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/> </ns2:SubjectConfirmation> </ns2:Subject>

Change of Name ID Format

Name ID Format Chosen: Transient Identifier Result Following error appears on browser.

Chapter 5: Exception Handling

24

Logs Following log information can be found in FWSTrace.log file <ns2:Subject> <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient">_03d5fe0084fc99f80cb26de0fe8539f806a3</ns2:NameID> <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <ns2:SubjectConfirmationData NotOnOrAfter="2013-03-18T13:52:08Z" Recipient=" https://login.citrixonline.com/saml/global.gotomeeting.com/acs"/> </ns2:SubjectConfirmation> </ns2:Subject>

Expired Certificate on SiteMinder Side

Condition When SiteMinder signing certificate is expired. Log File Information appears to be like this <Response ID="_5e705c022c4ce8c6c8a5c39a057e3eb211d0" InResponseTo="fjedijkpiblphaigikhdieoilebpfaoibohmampl" IssueInstant="201212-27T13:29:00Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"> <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://caidp.fugen.com/</ns1:Issuer> <Status> <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/> <StatusMessage>Error Signing Assertion.</StatusMessage> </Status> </Response>

Chapter 5: Exception Handling

25

Message that appears on browser

Chapter 5: Exception Handling

26

Chapter 6: Summary
Identity Provider-initiated scenario alone works for Citrix Citrix services federation via Browser-SSO has been tested No backchannel or artifact based profiles are implemented at Citrix The SSO, assertion consumer and target URLs are all https. Signing of assertion is enabled Encryption of assertion is not enabled The following service of Citrix Application has been tested for federation using CA SiteMinder 12.5 as Identity Provider. o Citrix GoToMeeting - https://admin.gotomeeting.com/ext-admin/users.html

Chapter 6: Summary

27