How to Integrate Azure AD with SAML 2.0 Tech Preview

REQUIREMENTS TO BUILD THIS SOLUTION:

  • Azure AD Connect – to synchronize identities into Azure AD.
  • Azure Subscription with an Azure Tenant to use Azure AD.
  • Azure AD Enterprise Application
  • Cloud CVAD environment
  • Citrix Federated Authentication Service – FAS is required to support SAML authentication. If you are planning to leverage SSO
  • Active Directory Certificate Services – FAS requires the ADCS role to be present in the environment so that it can issue certificates to users.

STEP 1 – INSTALLING AND CONFIGURING AZURE AD CONNECT

  • Choose a machine on which to install Azure AD Connect. Make sure that the machine is not a Domain Controller.
  • Once the installation wizard comes up, check the License Terms and Privacy Notice agreement box and click Continue.
  • Click on Customize

  • Then click on Install
  • On the User sign-in screen, choose Password Hash Synchronization for the purpose of this example

  • Click Next
  • Enter your Azure AD global administrator credentials
  • Then click Next

  • Click on Add Directory
  • Select “Create new AD account”
  • Enter the Enterprise Admin credentials and click Ok

  • Once the directory is added, click Next

  • From the dropdown, select userPrincipalName and click Next

  • Select the OUs and domains; for this example we will use all of them
  • Click Next

  • Leave the defaults and click Next

  • In this example we will synchronize all users, so click Next

  • Under Optional features, check Directory extension attribute sync. It is important to complete this step during the initial installation; otherwise you will have to uninstall and re-install Azure AD Connect to get these settings in place
  • Click Next

  • For SAML Tech Preview, the following attributes are required:
    • cip_upn = UserPrincipalName
    • cip_sid = User SID
    • cip_email = User Email
    • cip_oid = User Object GUID
    • displayName = User DisplayName (optional)
    • givenName = User Given Name (optional)
  • The selected attributes should look like the following screenshot:

  • Click Next
  • Click Install

STEP 2 – ADDING AN ENTERPRISE APPLICATION TO AZURE AD

To integrate Citrix ADC with Azure AD we need to create a custom application in Azure AD. To do so, perform the following steps:

  • Sign in to your Azure portal at https://portal.azure.com
  • Search for or select Enterprise Applications
  • Click on New application

  • Select “Create Your Own Application” option

  • Select the option “Integrate any other application you do not find in the gallery (Non-Gallery)” and enter the name you would like your app to have (e.g. Cloud SAML Preview)

  • Once the information above is entered, the application creation begins. You can follow the progress in the notifications (bell icon) in the Azure portal
  • To view this application, go to “Enterprise Applications” or search for “Enterprise Applications” in the search bar

  • Once selected, you will be taken to “Enterprise Applications” > All Applications, where the list of applications, including the newly created Non-Gallery app, is shown. For the purposes of this document the app is named “Cloud SAML Preview”
  • Click on the app icon to access its properties
  • When you select the app, you will be taken to its Overview page

  • In the left pane the app menu is shown; under “MANAGE” select “Single Sign-On” and the right pane will be updated
  • Tiles are displayed on the right side; select “SAML”

  • You will be presented with the app’s SAML-based sign-on properties

  • Under the “User Attributes & Claims” box, marked #2, click “Edit” to begin editing this section
  • Click on Add new claim
  • Add all of the following required attributes, one claim each:
    • cip_upn
    • cip_oid
    • cip_sid
    • cip_email

STEP 3 – CONFIGURING SAML TECH PREVIEW 2.0 IN CLOUD

  • Log in to the Cloud account portal and go to Identity and Access Management
  • Scroll down to SAML 2.0 Tech Preview, click the three dots to the right and select Connect
  • For the Entity ID, copy the Azure AD Identifier shown under step #4 of your Azure Enterprise Application:

  • Select Yes on Sign Authentication Request

  • SSO Service URL should be the Login URL listed under step #4 of your Azure Enterprise Application:

  • Binding Mechanism should be HTTP Post
  • SAML Response should be Sign Either Response or Assertion
  • The X.509 certificate can be downloaded from your Azure Enterprise Application under step #3
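
As an added example (not code from the article, from Citrix or from Microsoft), the following Python script performs the structural checks a service provider makes on the SAMLResponse posted to it, mirroring the Step 2 claims (cip_upn, cip_oid, cip_sid, cip_email) and the Step 3 settings (Entity ID equal to the Azure AD Identifier, HTTP POST binding, Sign Either Response or Assertion, the uploaded X.509 certificate). The Entity ID, the certificate string and the user claim values are constructed placeholders, and the script uses only the standard library; it checks structure and consistency, not the cryptographic signature itself, which the service provider verifies with the uploaded certificate.

```python
"""Structural pre-checks on a SAML 2.0 Response delivered over the HTTP-POST binding.

Added example for this article (not Citrix or Microsoft code). It mirrors the settings
from Steps 2 and 3: the Issuer must equal the configured Entity ID (the Azure AD
Identifier), the Response or the Assertion must carry an XML Signature ("Sign Either
Response or Assertion"), the certificate in KeyInfo must be the X.509 certificate that
was uploaded to the cloud config, and the required claims cip_upn, cip_oid, cip_sid and
cip_email must be present and non-empty. Parser-level consistency only; cryptographic
signature verification is the service provider's job.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_CLAIMS = ("cip_upn", "cip_oid", "cip_sid", "cip_email")

# Constructed placeholders standing in for the tenant's real Azure AD Identifier and certificate.
CONFIGURED_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
CONFIGURED_CERT_B64 = "MIICxDCCAaygAwIBAgIQ-CONSTRUCTED-PLACEHOLDER-CERT-AQAB"

# Constructed claim values for a fictional user; the four cip_* claims are the ones Step 2 requires.
SAMPLE_CLAIMS = {
    "cip_upn": "jdoe@example.com",
    "cip_oid": "11111111-2222-3333-4444-555555555555",
    "cip_sid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "cip_email": "jdoe@example.com",
    "displayName": "Jane Doe",
    "givenName": "Jane",
}


def build_sample_response(claims, sign_assertion=True):
    """Constructed fixture shaped like an Azure AD Response; returns the base64 SAMLResponse form value."""
    attrs = "".join(
        f"<saml:Attribute Name=\"{name}\"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in claims.items()
    )
    # A real Signature also carries SignedInfo and SignatureValue; only KeyInfo matters for this check.
    signature = (
        f"<ds:Signature xmlns:ds=\"{NS['ds']}\"><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{CONFIGURED_CERT_B64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
    ) if sign_assertion else ""
    xml = (
        f"<samlp:Response xmlns:samlp=\"{NS['samlp']}\" xmlns:saml=\"{NS['saml']}\" ID=\"_r1\" Version=\"2.0\">"
        f"<saml:Issuer>{CONFIGURED_ENTITY_ID}</saml:Issuer>"
        f"<saml:Assertion ID=\"_a1\" Version=\"2.0\"><saml:Issuer>{CONFIGURED_ENTITY_ID}</saml:Issuer>"
        f"{signature}<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def decode_saml_response(form_value):
    """The HTTP-POST binding sends the Response base64-encoded in the SAMLResponse form field."""
    return ET.fromstring(base64.b64decode(form_value))


def extract_claims(root):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


def check_response(form_value, entity_id, cert_b64):
    """Return the individual findings plus an overall 'ok' verdict."""
    root = decode_saml_response(form_value)
    findings = {}

    # Every Issuer (on the Response and on the Assertion) must be the Entity ID configured in Step 3.
    issuers = {i.text.strip() for i in root.iterfind(".//saml:Issuer", NS) if i.text}
    findings["issuer_ok"] = issuers == {entity_id}

    # "Sign Either Response or Assertion": accept a Signature on either element.
    findings["signed"] = (
        root.find("ds:Signature", NS) is not None
        or root.find("saml:Assertion/ds:Signature", NS) is not None
    )

    # The signing certificate advertised in KeyInfo must be the one uploaded to the cloud config.
    def squash(b64):
        return "".join(b64.split())
    certs = [squash(c.text) for c in root.iterfind(".//ds:X509Certificate", NS) if c.text]
    findings["cert_matches_upload"] = bool(certs) and all(c == squash(cert_b64) for c in certs)

    # Each required claim must be present with at least one non-empty value.
    claims = extract_claims(root)
    findings["missing_claims"] = [
        name for name in REQUIRED_CLAIMS if not any(v.strip() for v in claims.get(name, []))
    ]

    findings["ok"] = (
        findings["issuer_ok"] and findings["signed"]
        and findings["cert_matches_upload"] and not findings["missing_claims"]
    )
    return findings


if __name__ == "__main__":
    print(check_response(build_sample_response(SAMPLE_CLAIMS), CONFIGURED_ENTITY_ID, CONFIGURED_CERT_B64))
```

A response whose `missing_claims` list is non-empty is the symptom to look for when a user authenticates at Azure AD but the Workspace logon still fails: the claim names must match exactly the attribute names configured in Step 2, and an empty value for cip_sid or cip_oid usually means the directory extension attribute was not selected during the Azure AD Connect installation.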

  • Download the certificate and upload it to the cloud configuration

  • Set Authentication Context to Unspecified Minimum

  • Logout URL should be the Login URL listed under step #4 of your Azure Enterprise Application

  • Click Connect
  • Then go to Workspace Configuration > Authentication and select SAML 2.0 Tech Preview:

  • Assuming a working FAS configuration is in place, you should be able to authenticate and launch applications successfully.