Wednesday, May 15, 2013

Office365 SAML SSO w/ AppController 2.6

Somewhat recently Citrix released a patch for AppController 2.6 which reintroduced the Office365 SAML SSO connector. We were pretty excited because we use CloudGateway and Office365 in-house and the SSO functionality is really handy. Unfortunately, setup is not super intuitive, so I am going to publish a quick guide on how to get it done.

The first thing you need to do is enable AD directory sync between CloudGateway's AD domain and Office365 if you haven't already. I am not going to get too in depth with this process because there are a ton of guides out there. One thing to keep in mind is that users you sync from AD can only be edited in AD, not in the Office365 web interface. Also, if a synced user matches an existing Office365 user on email address, the sync will overwrite the existing user's attributes with the synced user's. Long story short, tread lightly and be sure you are confident before you run the sync.

Here's what you need to do to get the connector working:

  • Add an alternate UPN Suffix to your domain to match the Office365 domain (scroll down a bit in the linked article) and assign it to your desired SSO users in AD users and computers. Also, ensure that their email address matches their Office365 email address.
  • Install the Windows Azure AD Sync Tool on your directory sync server.
  • Export your SAML certificate from AppController to the server that is going to run AD sync.
  • Enable AD Sync from the Users & Groups section of Office365 (takes a day to process).
  • Install the Windows Azure AD Module for PowerShell on your selected sync server, and run the initial sync.
  • Configure Office365 SSO for your domain per Citrix's instructions using the Windows Azure AD Module for PowerShell.
    • Use the SAML certificate exported from AppController.
    • If using AGEE, you need to use the URLs below instead of the URLs listed in Citrix's instructions:
      • PassiveLogOnUri - https://<Agee FQDN>/cvpn/https/<AppC FQDN>/samlsp/websso.do?action=authenticateUser&app=Office365_SAML
      • LogOffUri - https://<Agee FQDN>/cvpn/https/<AppC FQDN>/samlsp/websso.do?action=logout&app=Office365_SAML
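
As an added example (not code from the original post or from Citrix's documentation), here is what the federation step looks like as a script with the Windows Azure AD Module cmdlets, using the AGEE URLs above and reading the stored settings back so a typo is caught before users are affected. The FQDNs, domain name, certificate path and the IssuerUri/ActiveLogOnUri/MetadataExchangeUri values are assumed placeholders; the last three must be taken from Citrix's instructions for your AppController.

```powershell
# Added example, not the original post's or Citrix's code. Federates the Office365
# domain with AppController fronted by AGEE, then verifies what Office365 stored.

# Assumed placeholders: replace with your own values.
$AgeeFqdn   = "agee.example.com"                 # <Agee FQDN>
$AppCFqdn   = "appc.example.com"                 # <AppC FQDN>
$DomainName = "example.com"                      # Office365 domain = alternate UPN suffix
$CertPath   = "C:\certs\AppController-SAML.cer"  # SAML cert exported from AppController
# These three come from Citrix's instructions for your AppController; placeholders here.
$IssuerUri           = "https://$AppCFqdn/samlsp"           # assumed placeholder
$ActiveLogOnUri      = "https://$AppCFqdn/samlsp/active"    # assumed placeholder
$MetadataExchangeUri = "https://$AppCFqdn/samlsp/metadata"  # assumed placeholder

# AGEE URLs from the post: the gateway rewrites the AppController path under /cvpn/.
$Base            = "https://$AgeeFqdn/cvpn/https/$AppCFqdn/samlsp/websso.do"
$PassiveLogOnUri = "$Base?action=authenticateUser&app=Office365_SAML"
$LogOffUri       = "$Base?action=logout&app=Office365_SAML"

# The cmdlet wants the certificate's public half as a base64 string (no PEM headers).
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$signingCert = [Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Using signing cert $($cert.Subject), expires $($cert.NotAfter)"

Connect-MsolService   # prompts for Office365 admin credentials

Set-MsolDomainAuthentication -DomainName $DomainName `
    -Authentication Federated `
    -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $IssuerUri `
    -PassiveLogOnUri $PassiveLogOnUri `
    -ActiveLogOnUri $ActiveLogOnUri `
    -LogOffUri $LogOffUri `
    -MetadataExchangeUri $MetadataExchangeUri `
    -SigningCertificate $signingCert

# Read back what Office365 stored and compare it with what was intended.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$fed | Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol

if ($fed.PassiveLogOnUri -ne $PassiveLogOnUri -or $fed.LogOffUri -ne $LogOffUri) {
    Write-Warning "Stored URLs differ from the AGEE URLs; logons will fail until fixed."
}
if ($fed.SigningCertificate -ne $signingCert) {
    Write-Warning "Stored signing certificate does not match $CertPath."
}
```

Re-run the read-back part whenever the AppController SAML certificate is renewed, since Office365 keeps trusting the old one until the stored certificate is updated.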

Once these steps are complete, you should be able to use the SSO connector to log on to Office365. When you click it you will be redirected to https://login.microsoftonline.com and will need to type in your email address, but once you do, SSO will happen without the need for a password. Happy SAMLing!