Versions Compared

Comment: Updated Images and Syntax

1. Log in to the DualShield Administration Console.
2. In the main menu, navigate to "Authentication | Logon Procedures".
3. Click the "+ CREATE" button in the toolbar.
4. Enter an appropriate friendly "Name", then set 'Type' to "Web SSO".
5. Click "SAVE" to create.
6. Click the context "..." menu icon of the newly created logon procedure, then select "Logon Steps".
7. Select the "+ ADD" button in the top-right corner to add an authentication method.
8. Select the desired authentication method, such as "Static Password" (AD credentials).
9. Click "SAVE" to create.
10. Repeat steps 7-9 to add further Logon Steps as necessary, e.g. "One-Time Password".
Create an Application

1. In the main menu, navigate to "Authentication | Applications".
2. Click the "+ CREATE" button.
3. Enter a relevant friendly "Application Name".
4. From the drop-down, select your internal AD "Realm".
5. Select the Logon Procedure created above.
6. Click the "SAVE" button to create.
7. Click the context "..." menu of the newly created Application, then select "Agents".
8. Select "Single Sign-on Server / SSO" from the list.
9. Click "SAVE" to confirm.
10. Finally, click the context "..." menu of the newly created Application, then select "Self Test" to confirm all associations are in place.
11. If configured correctly, all the tests should pass.
Create a SAML 2.0 Service Provider Configuration for Citrix Workspace

1. In the main menu, navigate to "Identity | Identity Attributes".
2. Select the "Identity Source" associated with your internal Domain used for authentication.
3. Then select "CREATE" to confirm.
4. Create a new identity attribute named "objectSID". Make sure its 'Data Type' is set to "BINARY".
5. Click "SAVE" to confirm. You should now see the "objectSID" attribute listed under 'Identity Attributes'.
6. Log in to Citrix Cloud.
7. Click the menu icon at the top left of the console.
8. In the drop-down menu that appears, select "Identity and Access Management".
9. Click the ellipsis (…) next to SAML, then select "Connect" from the drop-down options.
10. On the "Configure SAML" page, click next to the "SAML Metadata" option to download the metadata file.
11. Back within the DualShield Administration Console, navigate to "SSO | Service Providers".
12. Select "CREATE".
13. In the "SSO Server" field, select the default SSO server from the list, "Single Sign-on Server".
14. In the "Name" field, enter an appropriate name for the Service Provider to be created.
15. In the "Type" drop-down, select "SAML 2.0".
16. Click the "CREATE METADATA" button. A 'Metadata' window will open.
17. Open the SAML Metadata XML file you downloaded from Citrix Cloud in a text editor.
18. Select All, then Copy. Paste this content into the DualShield 'Metadata' window.
19. Click "SAVE" to confirm.
20. Within 'SAML Options', enable the tickbox options "Sign on SAML Assertion" and "Add 'InResponseTo' Attribute".
21. Select the "Attributes" tab at the top.
We must now add the following Attribute names, which are required by the Service Provider:

  • cip_email
  • cip_upn
  • cip_oid
  • cip_sid

With the exception of cip_sid, the above attributes will be mapped to their counterpart 'DualShield Identity Attributes', which in turn are mapped to the Active Directory account attributes. For example:

  Citrix SAML Attribute    DualShield Identity Attribute    AD Account Attribute
  cip_email                email                            mail
  cip_upn                  userPrincipalName                userPrincipalName
  cip_oid                  uuid                             objectGUID

In Steps 1-5 you created a new Identity Attribute called objectSID. This will be specified in a script which will be applied to the cip_sid Citrix Attribute.
22. Click the "+ CREATE" button.
23. In the Attributes builder, specify Location as "HTTP Body" and enter cip_upn as the name for this attribute.
24. Click the search symbol to the right of the "Maps To" field.
25. Select the identity source that will be used, then select "User Principal Name" from the "Maps To" drop-down list.
26. Click the "SAVE" button to update.
27. Click "SAVE" again.
28. Repeat Steps 21-23 for the next attribute, cip_oid.
29. Repeat Steps 24 & 25, but this time map to "Unique Identifier".
30. Click "SAVE" to confirm.
31. Click "SAVE" at the next window.
32. Repeat the process above one more time. Name the attribute cip_email and map it to "email".
33. For cip_sid, create a new attribute and name it cip_sid.
34. Under the 'Value' section, select the option "Script".
35. Copy and paste the following script into the text box:
```groovy
// Return null when the account has no objectSid value.
if (!objectSid) return null;

// The attribute arrives hex-encoded; decode it to the raw binary SID.
byte[] sid = objectSid.decodeHex();

// A binary SID is an 8-byte header followed by 4-byte sub-authorities.
if (sid.length<8 || sid.length % 4 != 0) return "";

StringBuilder sb = new StringBuilder();
sb.append("S-").append(sid[0]); // Revision (byte 0).
int c = sid[1]; // Init with Subauthority Count.

// Default order is BIG_ENDIAN: read bytes 0-7 as one long and keep the
// low 48 bits, which are the 6-byte identifier authority.
java.nio.ByteBuffer bb = java.nio.ByteBuffer.wrap(sid);
sb.append("-").append((long)bb.getLong() & 0XFFFFFFFFFFFFL);
bb.order(java.nio.ByteOrder.LITTLE_ENDIAN); // Now switch.

for (int i=0; i<c; i++) { // Create Subauthorities (unsigned 32-bit, little-endian).
    sb.append("-").append((long)bb.getInt() & 0xFFFFFFFFL);
}
return sb.toString();
```
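The conversion the script above performs, written as a stand-alone Python module so it can be checked offline before the script is pasted into the Service Provider attribute. This is an added example, not DualShield's or Citrix's code, and Python is used only because it is convenient to run; the script on the page is Groovy syntax (the `decodeHex()` call is a Groovy string method). The functions mirror the script's decoding exactly (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and its return convention (None for a missing value, "" for a malformed one). Two checks go beyond the script and are marked as such in the comments: a declared sub-authority count that does not fit the data, and a value that is not valid hex, both yield "" instead of an exception. The sample SID bytes are constructed for this example. Note that the script refers to the identity attribute by the name `objectSid`; the name you gave the attribute in step 4 and the name used in the script need to agree.

```python
import struct
from typing import Optional

# Constructed sample: hex-encoded binary objectSid of a fictional domain
# account, i.e. S-1-5-21-1111111111-2222222222-3333333333-1001.
#   01            revision
#   05            sub-authority count
#   000000000005  identifier authority (6 bytes, big-endian)
#   15000000 ...  five sub-authorities, each 4 bytes little-endian
SAMPLE_SID_HEX = ("01" "05" "000000000005"
                  "15000000" "C7353A42" "8E6B7484" "55A1AEC6" "E9030000")


def sid_bytes_to_string(sid: bytes) -> Optional[str]:
    """Convert a binary SID to its S-R-I-S... string form.

    Return values follow the DualShield script: None when the attribute is
    absent, "" when the value is malformed, otherwise the SID string.
    """
    if not sid:
        return None
    # Header is 8 bytes; every sub-authority adds 4 more.
    if len(sid) < 8 or len(sid) % 4 != 0:
        return ""
    revision = sid[0]
    count = sid[1]
    # Extra check not in the page's script: the declared count must match
    # the data, otherwise the script's getInt() would read past the end.
    if len(sid) != 8 + 4 * count:
        return ""
    # Identifier authority: 6 bytes, big-endian. The script reads bytes 0-7
    # as one big-endian long and masks the low 48 bits; same result.
    authority = int.from_bytes(sid[2:8], "big")
    # Sub-authorities: unsigned 32-bit little-endian integers.
    subs = struct.unpack_from(f"<{count}I", sid, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_hex_to_string(sid_hex: str) -> Optional[str]:
    """Entry point matching the script's input: a hex string, possibly empty."""
    if not sid_hex:
        return None
    try:
        raw = bytes.fromhex(sid_hex)
    except ValueError:
        # Extra check not in the page's script: non-hex input is malformed.
        return ""
    return sid_bytes_to_string(raw)


def sid_string_to_bytes(sid_str: str) -> bytes:
    """Inverse conversion, handy for building test vectors from known SIDs."""
    parts = sid_str.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid_str!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    out += struct.pack(f"<{len(subs)}I", *subs)
    return out


if __name__ == "__main__":
    print(sid_hex_to_string(SAMPLE_SID_HEX))
```

Running the module prints the SID string for the constructed sample; to check a real account, export its objectSid as hex (for instance from an LDAP query tool) and pass that string to `sid_hex_to_string`, then compare against the SID shown by your AD tooling.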


36. Click "SAVE". The "Service Provider Attributes" window should now list all four attributes.
37. Click "General Settings" at the top.
38. Set the default attribute to cip_upn (you can click anywhere in this field to change it).
39. Finally, click "SAVE" at the bottom to confirm the settings.