Create a Logon Procedure

1. Log in to the DualShield Administration Console.
2. In the main menu, navigate to "Authentication | Logon Procedures".
3. Click the "+ CREATE" button in the toolbar.
4. Enter an appropriate friendly "Name", then set 'Type' to "Web SSO".
5. Click "SAVE" to create.
6. Click the context "..." menu icon of the newly created logon procedure, then select "Logon Steps".
7. Select the "+ ADD" button in the top-right corner to add an authentication method.
8. Select the desired authentication method, such as "Static Password" (AD credentials).
9. Click "SAVE" to create.
10. Repeat steps 7-9 to add further Logon Steps as necessary, e.g. "One-Time Password".

Create an Application

1. In the main menu, navigate to "Authentication | Applications".
2. Click the "+ CREATE" button.
3. Enter a relevant friendly "Application Name".
4. From the drop-down, select your internal AD "Realm".
5. Select the Logon Procedure created in the previous section.
6. Click the "SAVE" button to create.
7. Click the context "..." menu of the newly created Application, then select "Agents".
8. From the list, select "Single Sign-on Server / SSO".
9. Click "SAVE" to confirm.
10. Finally, click the context "..." menu of the newly created Application, then select "Self Test" to confirm all associations are in place.
11. If configured correctly, all the tests should pass.


Create a SAML 2.0 Service Provider Configuration for Citrix Workspace.


1. In the main menu, navigate to "Identity | Identity Attributes".
2. Select the "Identity Source" associated with your internal Domain, for authentication.
3. Then select "CREATE" to confirm.
4. Create a new identity attribute named "objectSID". Make sure 'Data Type' is set to "BINARY".
5. Click "SAVE" to confirm. You should now see the "objectSID" attribute listed under 'Identity Attributes'.
6. Log in to Citrix Cloud.
7. Click the menu icon at the top left of the console.
8. From the drop-down menu that appears, select "Identity and Access Management".
9. Click the ellipsis (…) next to SAML, then click "Connect" from the drop-down option.
10. On the "Configure SAML" page, click next to the "SAML Metadata" option.
11. Back within the DualShield Administration Console, navigate to "SSO | Service Providers".
12. Select "CREATE" to confirm.
13. In the "SSO Server" field, select the default SSO Server from the list, "Single Sign-on Server".
14. In the "Name" field, enter an appropriate "Name" for the Service Provider to be created.
15. At the "Type" drop-down, select "SAML 2.0".
16. Click the "CREATE METADATA" button. A 'Metadata' window will open.
17. Open the SAML XML Metadata file you downloaded from Citrix Cloud in a text editor.
18. Select All, then Copy. Paste this content into the DualShield 'Metadata' window.
19. Click "SAVE" to confirm.
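Before the metadata is pasted into DualShield it is worth confirming that the file really is SAML 2.0 Service Provider metadata and noting what it expects of the identity provider. The following Python is added here as an example; it is not part of the original page and not DualShield's or Citrix's code. It runs over a constructed sample with placeholder hostnames (the real input is the file downloaded from Citrix Cloud) and reports the entityID, the AssertionConsumerService endpoints and whether the SP declares WantAssertionsSigned, which is the expectation that enabling "Sign on SAML Assertion" in step 20 satisfies.

```python
# Added example: not part of the original page and not DualShield's or Citrix's
# code. It inspects Service Provider metadata XML before it is pasted into the
# DualShield 'Metadata' window, to confirm it really is SP metadata and to
# surface the settings that the DualShield side must agree with.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def inspect_sp_metadata(xml_text):
    """Return the entityID, assertion-signing expectation and ACS endpoints
    declared by an SPSSODescriptor; raise ValueError if the document is not
    SAML 2.0 Service Provider metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location")}
        for e in sp.findall("{%s}AssertionConsumerService" % MD)
    ]
    if not acs:
        raise ValueError("SPSSODescriptor declares no AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        # If the SP wants signed assertions, the IdP must sign them.
        "wants_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": acs,
        # Every endpoint that will receive assertions should be HTTPS.
        "acs_all_https": all(e["location"].startswith("https://") for e in acs),
    }


# Constructed sample metadata with placeholder hostnames (example.invalid);
# the real file is the one downloaded from Citrix Cloud in the step above.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print(info["entity_id"], info["wants_signed_assertions"], info["acs_all_https"])
```

Point inspect_sp_metadata at the downloaded file's contents; a ValueError means the wrong file was exported (for example IdP metadata rather than SP metadata), and an ACS Location that is not HTTPS should be queried before the configuration is saved.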
20. Within 'SAML Options', enable the tickbox options "Sign on SAML Assertion" and "Add 'InResponseTo' Attribute".
21. Select the "Attributes" tab.

We must now add the following attribute names, which are required by the Service Provider:

cip_email
cip_upn
cip_oid
cip_sid

With the exception of cip_sid, the above attributes are mapped to their counterpart 'DualShield Identity Attributes', which in turn are mapped to the Active Directory account attributes. For example:

Citrix SAML Attribute    DualShield Identity Attribute    AD Account Attribute
cip_email                email                            mail
cip_upn                  userPrincipalName                userPrincipalName
cip_oid                  uuid                             objectGUID

In Steps 1-5 you created a new Identity Attribute called objectSID. This will be specified in a script, which will be applied to the cip_sid Citrix attribute.

22. Click the "+ CREATE" button.
23. In the Attributes builder, specify Location as "HTTP Body" and enter cip_upn as the name for this attribute.
24. Click the search symbol to the right of the "Maps To" field.
25. Select the identity source that will be used, then select "User Principal Name" from the "Maps To" drop-down list.
26. Click the "SAVE" button to update.
27. Click "SAVE" again.
28. Repeat Steps 21-23 for the next attribute, cip_oid.
29. Repeat Steps 24 & 25, but this time map to "Unique Identifier".
30. Click "SAVE" to confirm.
31. Click "SAVE" at the next window.
32. Repeat the process above one more time. Name the attribute cip_email and map it to email.
33. For cip_sid, create a new attribute and name it cip_sid.
34. Under the 'Value' section, select the option "Script".
35. Copy and paste the following script into the text box:
```groovy
// Convert the binary AD objectSid (supplied hex-encoded) into its
// "S-1-5-..." string form for the cip_sid SAML attribute.
if (!objectSid) return null;

byte[] sid = objectSid.decodeHex();

// A SID is at least 8 bytes (header) and each sub-authority adds 4 bytes.
if (sid.length < 8 || sid.length % 4 != 0) return "";

StringBuilder sb = new StringBuilder();
sb.append("S-").append(sid[0]);   // Revision.
int c = sid[1];                   // Sub-authority count.

// Default byte order is BIG_ENDIAN: read the first 8 bytes and keep the
// low 48 bits, i.e. the identifier authority held in bytes 2..7.
java.nio.ByteBuffer bb = java.nio.ByteBuffer.wrap(sid);
sb.append("-").append((long) bb.getLong() & 0xFFFFFFFFFFFFL);
bb.order(java.nio.ByteOrder.LITTLE_ENDIAN); // Sub-authorities are little-endian.

for (int i = 0; i < c; i++) { // Append each unsigned 32-bit sub-authority.
    sb.append("-").append((long) bb.getInt() & 0xFFFFFFFFL);
}
return sb.toString();
```

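To check what the script will emit for a given account before relying on it, the following Python reference implementation is added here as an example; it is not DualShield's code and not part of the original page. It decodes a hex-encoded binary SID exactly as the Groovy script does (revision byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and returns the same None / "" results for empty or malformed input. It goes one step further than the script by also rejecting a SID whose count byte disagrees with the buffer length, rather than reading past the end. The string_to_sid helper is a hypothetical addition used only to construct test input; the sample SIDs are constructed and not taken from the page.

```python
# Added reference implementation: this is not DualShield's code and not part of
# the original page. It decodes a hex-encoded binary objectSid the same way the
# Groovy script above does, so the script's output can be checked offline.
import struct


def sid_to_string(sid_hex):
    """Return the "S-<rev>-<authority>-<sub>..." form of a hex-encoded SID.

    Behaviour matches the Groovy script: None for an empty value and "" for
    a malformed length. Additionally (stricter than the script) "" is
    returned when the declared sub-authority count does not match the
    buffer length, instead of reading past the end of the buffer.
    """
    if not sid_hex:
        return None
    sid = bytes.fromhex(sid_hex)
    # Header is 8 bytes: revision, sub-authority count, 6-byte authority.
    if len(sid) < 8 or len(sid) % 4 != 0:
        return ""
    revision = sid[0]
    count = sid[1]
    if len(sid) != 8 + 4 * count:
        return ""  # count byte and payload disagree
    # The 48-bit identifier authority is stored big-endian in bytes 2..7,
    # which is what the script's getLong() & 0xFFFFFFFFFFFF extracts.
    authority = int.from_bytes(sid[2:8], "big")
    parts = ["S", str(revision), str(authority)]
    # Each sub-authority is an unsigned 32-bit little-endian integer.
    for i in range(count):
        (sub,) = struct.unpack_from("<I", sid, 8 + 4 * i)
        parts.append(str(sub))
    return "-".join(parts)


def string_to_sid(sid_str):
    """Inverse helper (hypothetical, for building test input): encode an
    "S-1-5-..." string as the hex form the script expects."""
    parts = sid_str.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid_str)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out.hex()


if __name__ == "__main__":
    # Constructed sample: the well-known BUILTIN\Administrators SID.
    sample_hex = "01020000000000052000000020020000"
    print(sid_to_string(sample_hex))  # S-1-5-32-544
    # Round-trip a constructed domain-style SID.
    domain_sid = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(sid_to_string(string_to_sid(domain_sid)) == domain_sid)  # True
```

Feed the hex value of a test account's objectSid through sid_to_string and compare it with the SID shown by your directory tools; if the two differ, the identity attribute is not being read as raw binary (see the "BINARY" data type in step 4).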

36. Click "SAVE". The "Service Provider Attributes" window should now list cip_upn, cip_oid, cip_email and cip_sid.
37. Click "General Settings" at the top.
38. Set the default attribute to cip_upn (you can click anywhere in this field to change it).
39. Finally, click "SAVE" at the bottom to confirm the settings.