Create a Logon Procedure

  1. Login to the DualShield Administration Console
  2. In the main menu, select Authentication > Logon Procedures

3. Click the Create button on the toolbar

4. Enter Name and select Web SSO as the type

5. Click Save

6. Click the Context Menu icon of the newly create logon procedure, select Logon Steps

7. In the popup windows, click on Add

8. Select the desired authentication method, e.g. Static Password

9. Click Save

10. Repeat steps 7-9 to add more logon steps if desired, e.g. One-Time Password.


Create an Application

  1. In the main menu, select Authentication > Application


2. Click on Create


3. Enter an Application Name

4. Select a Realm that is bound to your domain

5.Select the newly created Logon Procedure


6. Click Save

7. Click the context menu of the newly created application, select Agent


8. Select Single Sign-on Server

9. Click Save

10. Click the context menu of the newly created application, select Self Test

11. If configured correctly all the tests should pass, as below.


Create a SAML 2.0 Service Provider Configuration for Citrix Workspace.


1. In the main menu, select Identity > Identity Attributes


2. Select the Identity Source that the domain you wish to use for authentication is bound to


3. Click on Create on the top right.

4. Create a new identity attribute called objectSid matching the settings as per screen shot below. Make sure the data type is set to Binary:


5. Click Save. You will now see the objectSid attribute listed under Identity Attributes


6. Log into Citrix Cloud

7. Click on the menu icon on the top left.

8. Select Identity and Access Management from the drop-down menu, that appears:


9. Click on the Ellipsis (…) next to SAML and click Connect from the drop -down option.



10. On the Configure Saml page click next to SAML Metadata


11. On the DualShield Administration Console, select SSO > Service Providers.


12. Click Create


13. In the SSO Server field, select your DualShield SSO server from the list

14. In the Name field, enter the name for the Service Provider to be created

15. In the Type field, select SAML 2.0 

  1. Click on
  2. Open the SAML metadata file you downloaded from the Citrix Cloud, in a text editor..


  1. Select all and copy and past into the Service Provider Metadata box on DualShield.

  1. Click Save
  2. Enable Sign on SAML Assertion under SAML Options

  1. Click on Attributes tab at the top

We are now going to add the following attribute names which are required by the Service Provider.
cip_email
cip_upn
cip_oid
cip_sid
With the exception of cip_sid the above attributes will be mapped to their counterpart DualShield Identity Attributes which in turn are mapped to the Active Directory account attributes.
For example:

Citrix SAML Attribute

DualShield Identity Attribute

AD Account Attribute

cip_email

email

mail

cip_upn

userPrincipalName

userPricipalName

cip_oid

uuid

ObjectGUID

In steps 1-5 you created a new Identity Attribute called objectSID. This will be specified in a script which will be applied to the cip_sid Citrix Attribute

  1. Click Create

  1. On the Attributes builder specify Location as HTTP Body and enter cip_upn as the name for this attribute.

  1. Click on the search symbol to the right of the Maps To field.

  1. Select the identity source that will be used and select User Principal Name from the Maps to drop down list:

  1. Click Save
  2. Click Save again
  3. Repeat steps 21 - 23 but this time name the attribute cip_oid

  1. Repeat steps 24 & 25 but this time map to Unique Identifier

  1. Click Save
  2. Click Save again
  3. Repeat the process above, one more time. Name the attribute cip_email and map to email.

  1. For cip_sid, create a new attribute and name it cip_sid

  1. Under the Value group box, select Script




  1. Copy and paste the following script into the text box.


if (!objectSid) return null;
\\
byte\[\] sid = objectSid.decodeHex();
\\
if (sid.length<8 || sid.length % 4 != 0) return "";
\\
StringBuilder sb = new StringBuilder();
sb.append("S-").append(sid\[0\]);
int c = sid\[1\]; // Init with Subauthority Count.
\\
// Default order is BIG_ENDIAN
java.nio.ByteBuffer bb = java.nio.ByteBuffer.wrap(sid);
sb.append("-").append((long)bb.getLong() & 0XFFFFFFFFFFFFL);
bb.order(java.nio.ByteOrder.LITTLE_ENDIAN); // Now switch.
\\
for (int i=0; i<c; i++) \{ // Create Subauthorities.
    sb.append("-").append((long)bb.getInt() & 0xFFFFFFFFL);
\}        
return sb.toString();


  1. Click Save. The Service Provider Attributes window should now look like this..

  1. Click on General Settings at the top

  1. Set the default attribute to cip_upn (You can click anywhere in this field to change it.)

  1. Click Save at the bottom.