Citrix Cloud Azure Ad



How to configure Azure Active Directory Domain Services for Citrix Cloud Workspaces with the lowest total cost of ownership in Azure Infrastructure-as-a-Service.

Did you know? For Azure MFA to protect an on-premises Active Directory user, that user's account must be synchronized to the Azure AD tenant behind your Office 365 subscription with Azure AD Connect: MFA is enforced against the Azure AD identity, not the on-premises one.

Citrix NetScalers can be licensed with an AAA module. This module can interact with Azure AD (and AD FS) using claims-based authentication. When federating with Azure AD, Conditional Access can be used to require multi-factor authentication, and no NPS server is required in this scenario.

I've deployed a lot of two-factor authentication products with Citrix NetScaler Gateway in my career, but the one I've always liked a lot is Microsoft Azure Multi-Factor Authentication (MFA). I used to deploy this product years ago when it was called PhoneFactor. Microsoft purchased PhoneFactor in 2012 and I was worried that would be.

To force a synchronization instead of waiting for the scheduler, launch PowerShell on the Azure AD Connect server and run Import-Module ADSync followed by Start-ADSyncSyncCycle -PolicyType Delta. Otherwise, syncs run every 30 minutes by default. Once the users are synchronized, return to Citrix Cloud and add an administrator, using the search box with Azure AD selected.

Solution end-goal

In this blog series, I want to guide you through the process of using Citrix Cloud, Citrix Machine Creation Services and Microsoft Azure. The end goal is to have a Citrix solution running entirely in the cloud. I will show you every little setting and configuration needed to get it running, but I am not going to show you how to optimize and customize the user experience in this series.

Part 1

In part one, I am going to show you how to log into Citrix Cloud, download the Cloud Connector and install it on a virtual machine in Azure. There are a lot of screenshots in this blog series, so I am keeping each part to one subject so that the guide won't be a mile long to read at once.

Prerequisites

To be able to follow this guide you need to have a few things in place before getting started. First, you will need to sign up for Citrix Cloud Virtual Apps and Desktops, either by buying the product or as a trial. Then you will need two virtual machines in Azure: one for the Citrix Cloud Connector and the other for the image we want to use with Citrix Machine Creation Services (MCS). In the image below you can see the two machines I have: Azure-CC01 is the Cloud Connector and Azure-MCS-IMG is my image for MCS.

Setting up Citrix Cloud Connectors

When you have set up a trial or purchased Citrix Cloud, the first thing you want to do is install the Citrix Cloud Connector in the resource location. The resource location in this guide will be Microsoft Azure, but put simply it is the "datacenter" where you will host your Citrix Virtual Delivery Agents (VDAs), so any cloud or on-prem data center will do.

To install the Citrix Cloud Connector, click on the top left “hamburger” menu

Then select “Resource locations”

The first time you open this page you will have a default resource location, and you can use that if you want to. I have created a secondary resource location called “MTH – Citrixlab.dk”. To create a new Citrix Cloud Connector, click on the + sign above “Cloud Connectors”.

This will show the screen below. If you are running this on your PC you can download the installer and upload it to the machine you want to use as a Cloud Connector, or you can browse to the Citrix Cloud homepage from that machine directly and download it from there.

Download the Cloud Connector installer rather than choosing Run when prompted. The installer needs to run with administrative privileges, so you will start it explicitly with "Run as administrator" after unblocking the downloaded file.

When downloaded, browse to the location you saved the file to. Right-click the file, choose Properties and tick the Unblock box (this clears the mark-of-the-web that Windows attaches to downloaded files).

Now right click the file again and hit “Run as administrator”

Click “Yes” to accept

Click “Sign In” to sign in to your Citrix Cloud account.

Fill in your username and password for Citrix Cloud.

In my case, I must select which customer I want to install this for, along with the resource location. If you only have one customer and one resource location this prompt won't appear. As you can see I have selected the resource location I created earlier, called "MTH – Citrixlab.dk". Once selected, hit "Install".

After the installation completes you will see the screen below. Click on "Close" to finish the installation.

When the installer closes it will check connectivity to Citrix Cloud, which can take a few minutes to complete. It shows the screen below while testing.

When the test is successful you will see the screen below and you can hit “Close”

To verify the connectivity from the Citrix Cloud homepage, click on your resource location and check the status of the connector. It should look like the screenshot below. The warning you can see is because I only have one Citrix Cloud Connector; you should always have a minimum of two per resource location so that the location stays reachable while one connector is down or being updated.


Summary

Now we have our Citrix Cloud Connector virtual machine up and running in Azure, which means we are able to install the Virtual Delivery Agent (VDA) onto the template machine. It is important to have at least two Cloud Connectors per resource location you install VDAs in, but since this is a demo environment I will just have the one I just installed.

This wraps up part 1 of this blog series; the next part will be on installing the VDA onto our template machine in Azure.


In this tutorial, you learn how to integrate Citrix ShareFile with Azure Active Directory (Azure AD). Integrating Citrix ShareFile with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to Citrix ShareFile.
  • You can enable your users to be automatically signed-in to Citrix ShareFile (Single Sign-On) with their Azure AD accounts.
  • You can manage your accounts in one central location - the Azure portal.

Prerequisites

To configure Azure AD integration with Citrix ShareFile, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here.
  • Citrix ShareFile single sign-on enabled subscription.

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

  • Citrix ShareFile supports SP initiated SSO

Adding Citrix ShareFile from the gallery

To configure the integration of Citrix ShareFile into Azure AD, you need to add Citrix ShareFile from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add new application, select New application.
  5. In the Add from the gallery section, type Citrix ShareFile in the search box.
  6. Select Citrix ShareFile from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD SSO for Citrix ShareFile

In this section, you configure and test Azure AD single sign-on with Citrix ShareFile based on a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in Citrix ShareFile needs to be established.

To configure and test Azure AD single sign-on with Citrix ShareFile, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.

    1. Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
    2. Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
  2. Configure Citrix ShareFile SSO - to configure the Single Sign-On settings on application side.

    1. Create Citrix ShareFile test user - to have a counterpart of Britta Simon in Citrix ShareFile that is linked to the Azure AD representation of user.
  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Citrix ShareFile application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.

  4. On the Basic SAML Configuration section, enter the values for the following fields:

    a. In the Sign-on URL text box, type a URL using the following pattern: https://<tenant-name>.sharefile.com/saml/login

    b. In the Identifier (Entity ID) textbox, type a URL using the following pattern:

    • https://<tenant-name>.sharefile.com
    • https://<tenant-name>.sharefile.com/saml/info
    • https://<tenant-name>.sharefile1.com/saml/info
    • https://<tenant-name>.sharefile1.eu/saml/info
    • https://<tenant-name>.sharefile.eu/saml/info

    c. In the Reply URL textbox, type a URL using the following pattern:

    • https://<tenant-name>.sharefile.com/saml/acs
    • https://<tenant-name>.sharefile.eu/saml/<URL path>
    • https://<tenant-name>.sharefile.com/saml/<URL path>

    Note

    These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Citrix ShareFile Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

  6. On the Set up Citrix ShareFile section, copy the appropriate URL(s) as per your requirement.

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called B.Simon.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Citrix ShareFile.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Citrix ShareFile.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see 'Default Access' role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Citrix ShareFile SSO

  1. To automate the configuration within Citrix ShareFile, you need to install My Apps Secure Sign-in browser extension by clicking Install the extension.

  2. After adding the extension to the browser, clicking Set up Citrix ShareFile directs you to the Citrix ShareFile application. From there, provide the admin credentials to sign into Citrix ShareFile. The browser extension will automatically configure the application for you and automate steps 3-7.

  3. If you want to setup Citrix ShareFile manually, in a different web browser window, sign in to your Citrix ShareFile company site as an administrator.

  4. In the Dashboard, click on Settings and select Admin Settings.

  5. In the Admin Settings, go to the Security -> Login & Security Policy.

  6. On the Single Sign-On/ SAML 2.0 Configuration dialog page under Basic Settings, perform the following steps:

    a. Select YES in the Enable SAML.

    b. Copy the ShareFile Issuer/ Entity ID value and paste it into the Identifier URL box in the Basic SAML Configuration dialog box in the Azure portal.

    c. In Your IDP Issuer/ Entity ID textbox, paste the value of Azure Ad Identifier which you have copied from Azure portal.

    d. Click Change next to the X.509 Certificate field and then upload the certificate you downloaded from the Azure portal.

    e. In Login URL textbox, paste the value of Login URL which you have copied from Azure portal.

    f. In Logout URL textbox, paste the value of Logout URL which you have copied from Azure portal.

    g. In the Optional Settings, choose SP-Initiated Auth Context as User Name and Password and Exact.

  7. Click Save.
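The two procedures above map the same four values onto each side of the trust: the Azure AD Identifier (https://sts.windows.net/<tenant-id>/) becomes ShareFile's IdP Issuer, the ShareFile Issuer/Entity ID becomes the Identifier (Entity ID) in Azure, the Reply URL is the assertion consumer service (ACS) endpoint, and the Base64 certificate is what ShareFile uses to verify the IdP's signature. The script below is an added example and is not code from the original page, from Citrix or from Microsoft. It checks a SAML response against those configured values the way a service provider must before trusting the NameID (Destination, Status, Issuer, Audience, validity window with clock skew, Recipient, presence of a signature element). The tenant ID, the contoso URLs and the sample responses are constructed placeholders, and signature verification is deliberately left to a proper XML-DSig library: a response that passes these checks but whose signature has not been verified against the downloaded certificate must still be rejected.

```python
"""Check an Azure AD SAML response against the values pasted into ShareFile.

Added example, not code from the page, Citrix or Microsoft. The tenant ID,
URLs and sample responses are constructed. Signature verification is NOT
performed here; use an XML-DSig library (e.g. signxml) for that step.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP (ShareFile) side was configured with (assumed values).
SP_CONFIG = {
    "idp_issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "sp_entity_id": "https://contoso.sharefile.com/saml/info",
    "acs_url": "https://contoso.sharefile.com/saml/acs",
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T11:55:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, config, now, skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != config["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted assertions not handled here)")
        return findings
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_issuer"]:
        findings.append(f"Issuer {issuer!r} is not the configured IdP entity ID")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on response or assertion")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if config["sp_entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not include the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:  # validity window, tolerating a little clock skew between IdP and SP
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now + skew:
            findings.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now - skew:
            findings.append("assertion expired (NotOnOrAfter in the past)")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, config["acs_url"]):
        findings.append(f"Recipient {scd.get('Recipient')!r} is not the ACS URL")
    return findings


def name_id(xml_text):
    """Return the NameID the IdP asserted, or None if absent."""
    root = ET.fromstring(xml_text)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default=None, namespaces=NS)


def _response(issuer, audience, destination, not_on_or_after):
    """Constructed response with a placeholder ds:Signature (not a real signature)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>B.Simon@contoso.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
GOOD = _response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_entity_id"],
                 SP_CONFIG["acs_url"], "2024-05-01T13:00:00Z")
# Minted by the same tenant for a different SP: must be rejected on Audience.
WRONG_AUDIENCE = _response(SP_CONFIG["idp_issuer"], "https://other.example.com/saml/info",
                           SP_CONFIG["acs_url"], "2024-05-01T13:00:00Z")
EXPIRED = _response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_entity_id"],
                    SP_CONFIG["acs_url"], "2024-05-01T11:00:00Z")

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("wrong audience", WRONG_AUDIENCE), ("expired", EXPIRED)):
        print(label, name_id(resp), check_saml_response(resp, SP_CONFIG, FIXED_NOW) or "OK")
```

The Audience check is the one most often skipped in hand-rolled SP code: with it missing, an assertion issued by your tenant for any other registered application (same Issuer, same signing certificate) would be accepted at the ShareFile ACS, which is why the Entity ID you paste in step 6b must be unique to this application and must be checked on every response.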

Create Citrix ShareFile test user

  1. Log in to your Citrix ShareFile tenant.

  2. Click People -> Manage Users Home -> Create New Users -> Create Employee.

  3. On the Basic Information section, perform below steps:

    a. In the First Name textbox, type first name of user as Britta.

    b. In the Last Name textbox, type last name of user as Simon.

    c. In the Email Address textbox, type the email address of Britta Simon as brittasimon@contoso.com.

  4. Click Add User.

    Note

    The Azure AD account holder will receive an email and must follow a link to confirm their account before it becomes active. You can use any other Citrix ShareFile user account creation tools or APIs provided by Citrix ShareFile to provision Azure AD user accounts.

Test SSO

In this section, you test your Azure AD single sign-on configuration with following options.

  • Click on Test this application in Azure portal. This will redirect to Citrix ShareFile Sign-on URL where you can initiate the login flow.

  • Go to Citrix ShareFile Sign-on URL directly and initiate the login flow from there.

  • You can use Microsoft My Apps. When you click the Citrix ShareFile tile in the My Apps, this will redirect to Citrix ShareFile Sign-on URL. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Citrix ShareFile you can enforce session control, which protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.