Office365 SAML SSO w/ AppController 2.6

Somewhat recently Citrix released a patch for AppController 2.6 which reintroduced the Office365 SAML SSO connector. We were pretty excited because we use CloudGateway and Office365 in house and the SSO functionality is really handy. Unfortunately setup is not super intuitive so I am going to publish a quick guide on how to get it done.

First thing you need to do is enable AD directory sync between CloudGateway's AD domain and Office365 if you haven't already. I am not going to get too in depth with this process because there are a ton of guides out there. One thing to keep in mind is that the users you sync from AD can only be edited in AD, not in the Office365 web interface. Also, if your user matches on email address with an existing user, the sync will over write the attributes of the existing user with the synced user. Long story short, tread lightly and be sure you are confident when you run the sync.

Here's what you need to do to get the connector working:

  • Add an alternate UPN Suffix

  • Install the Windows Azure AD Sync Tool

  • Export your SAML certificate from AppController to the server that is going to run AD sync.

  • Enable AD Sync from the Users & Groups section of Office365 (takes a day to process).

  • Install theĀ Windows Azure AD Module for Powershell

  • Configure Office365 SSO for your domain per Citrix's instructions

  • Use the SAML certificate exported from AppController.

  • If using AGEE, you need to use the below URLs instead of the URLs listed in Citrix's instructions:

  • PassiveLogOnUri - https:///cvpn/https//samlsp/

  • LogOffUri - https:///cvpn/https//samlsp/

Once these steps are complete, you should be able to use the SSO connector to log on to Office365, you will be redirected to when you click it, and you will need to type in your email address, but once you do that SSO will happen without the need for a password. Happy SAMLing!