Citrix Content Collaboration single sign-on configuration guide for Citrix Endpoint Management

You can configure the Citrix Endpoint Management server and Citrix Gateway to function as a SAML identity provider (IdP) for Citrix Content Collaboration. In this configuration, a user signing on to Citrix Content Collaboration using a web browser or other Citrix Files clients is redirected to the Citrix Endpoint Management environment for user authentication. After successful authentication by Citrix Endpoint Management, the user receives a SAML token that is valid for sign-in to their Citrix Content Collaboration account.

Prerequisites

A working deployment of Citrix Gateway and the Citrix Endpoint Management server, both already configured.

Configure SAML single sign-on for Citrix Files MDX apps

You can use the Citrix Endpoint Management server together with Secure Hub to provide single sign-on (SSO) to Citrix Files MDX-wrapped applications. In this scenario, Secure Hub obtains a SAML token for the Citrix Content Collaboration sign-in, using the Citrix Endpoint Management server as the IdP.

  1. Sign in to the Citrix Endpoint Management server using the URL https://<Citrix Endpoint Management server FQDN>:4443.
  2. Go to Configure > ShareFile.
  3. Use the Content Collaboration User Management Tool for user provisioning. See Provision user accounts and distribution groups.

SAML SSO for Citrix Files MDX apps is now configured. If you only want to allow access to Citrix Content Collaboration through the Citrix Files MDX-wrapped applications, your configuration is complete. If you also want to configure access for non-MDX Citrix Files clients, continue with the rest of this guide.

Configuring Citrix Content Collaboration MDX SSO also enables user provisioning in the Citrix Endpoint Management server. Users who are members of the selected roles and do not yet have a Citrix Content Collaboration account are provisioned automatically by the Citrix Endpoint Management server, based on how they first access Citrix Content Collaboration. To learn more about how the Citrix Endpoint Management server provisions Citrix Content Collaboration users, see Knowledge Center article CTX200431.

Configure Citrix Gateway

The following configuration is required on Citrix Gateway to support using Citrix Endpoint Management as a SAML identity provider:

Disable home page redirection

You must disable the default behavior for requests that arrive through the /cginfra path, so that the originally requested internal URL is served to the user instead of the configured home page.

  1. Edit the settings for the Citrix Gateway virtual server that is used for Citrix Endpoint Management sign-ins. Go to Other Settings and clear the check box labeled Redirect to Home Page.

  2. For the ShareFile setting, add the internal server name and port of your Citrix Endpoint Management server. For example: xms.citrix.lab:8443.
  3. For the AppController setting, enter the address of your Citrix Endpoint Management server. This setting authorizes requests to the specified URL through the /cginfra path.

Create a Citrix Content Collaboration session policy and request profile

  1. In the Citrix Gateway configuration utility, select Citrix Gateway > Policies > Session in the left navigation pane.
  2. To create a session policy, on the Policies tab, click Add… and then enter ShareFile_Policy as the name.
  3. To create an action, click Add…. The Create Citrix Gateway session profile screen opens.
  4. In Name, enter ShareFile_Profile as the session profile name.
  5. On the Client Experience tab:
    • For Home Page, enter none.
    • For Session Time-out, enter 1 (the value is in minutes).
    • Enable Single Sign-on to Web Applications.
    • For Clientless Access, set to On.
    • For Clientless Access Persistent Cookie, set to Allow.
    • For Credential Index, select PRIMARY.

  6. On the Security tab, set Default Authorization Action to Allow.

  7. On the Published Applications tab:
    • For ICA Proxy, select ON.
    • In Web Interface Address, enter your Citrix Endpoint Management server URL.
    • In Single Sign-on Domain, enter your Active Directory domain name.

    When configuring the Citrix Gateway session profile, the domain suffix entered in the Single Sign-On Domain field must match the Citrix Endpoint Management domain alias defined in LDAP.

  8. Click Create to finish defining the session profile.
  9. For the ShareFile_Policy expression, switch to Classic Policy and click Expression Editor.
  10. Specify the expression using a Value of NSC_FSRD and a Header Name of COOKIE. The resulting classic expression is REQ.HTTP.HEADER COOKIE CONTAINS NSC_FSRD, so the policy applies only to requests whose Cookie header contains NSC_FSRD.

  11. Click Done, click Create, and then click Close.

Configure the policy on the Citrix Gateway virtual server

  1. In the Citrix Gateway configuration utility, select Citrix Gateway > Virtual Servers in the left navigation pane.
  2. In the Details pane, click your Citrix Gateway virtual server and then click Edit.
  3. Go to Configured policies > Session policies and click Add binding.
  4. Select ShareFile_Policy.
  5. Edit the auto-generated priority number for the inserted policy so that it has the lowest number (highest priority) of any policies listed.

  6. Click Done and then save the running Citrix Gateway configuration.

Modify single sign-on settings

  1. Sign in to your account as a Citrix Content Collaboration administrator.
  2. In the web interface, navigate to Admin Settings > Security > Login & Security Policy and scroll down to the Single Sign-On settings.
  3. Edit the Login URL.

    • Insert the external FQDN of the Citrix Gateway virtual server plus /cginfra/https/ before the Citrix Endpoint Management server FQDN, and :8443 after the FQDN.
    • Change the parameter &app=ShareFile_SAML_SP to use the internal name of the application. The internal name is ShareFile_SAML by default, but with each change to your configuration the internal name changes to append a number (ShareFile_SAML2, ShareFile_SAML3, and so on).
    • Add &nssso=true to the end of the URL. For example: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true

Each time you edit or re-create the application, the internal application name is updated with a number appended to the name, and you must update the Login URL to match. For example, when the internal application name changes from "ShareFile_SAML" to "ShareFile_SAML2", the parameter &app=ShareFile_SAML in the Login URL must become &app=ShareFile_SAML2.
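The Login URL rules above are easy to get subtly wrong (a missing /cginfra/https/ prefix, the wrong port, a stale app name after the application was re-created, or a dropped &nssso=true), and the only symptom is a sign-in that lands somewhere other than the Gateway form. The following script is an added example, not code from the Citrix guide: it builds the Login URL from the guide's rules, checks a configured URL against them, and rewrites the app parameter after renumbering. The host names nsgateway.acme.com and xms.citrix.lab are the guide's own examples; the "bad redirect" input at the bottom is constructed for illustration.

```python
"""Build and check the Citrix Content Collaboration SSO Login URL for the
Citrix Gateway / Citrix Endpoint Management SAML IdP setup described above.

Added example (not part of the Citrix guide). Host names are the guide's
examples; the inputs under __main__ are constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Endpoint on the Endpoint Management server that issues the SAML token.
SAML_SP_PATH = "/samlsp/websso.do"

# The Login URL shown in the guide, used as the reference below.
GUIDE_LOGIN_URL = ("https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443"
                   "/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML"
                   "&reqtype=1&nssso=true")


def build_login_url(gateway_fqdn, xms_fqdn, app_name="ShareFile_SAML", xms_port=8443):
    """Compose the Login URL from the guide's rules: external Gateway FQDN,
    /cginfra/https/ in front of the Endpoint Management FQDN, :8443 after it,
    app=<internal application name>, and nssso=true at the end."""
    path = f"/cginfra/https/{xms_fqdn}:{xms_port}{SAML_SP_PATH}"
    query = urlencode({"action": "authenticateUser", "app": app_name,
                       "reqtype": "1", "nssso": "true"})
    return urlunsplit(("https", gateway_fqdn, path, query, ""))


def check_login_url(url, gateway_fqdn, xms_fqdn, app_name, xms_port=8443):
    """Return the list of rule violations in a Login URL (empty if correct).
    Extra query parameters are tolerated, so the same check can be run on the
    Location header of the redirect observed in the validation step."""
    problems = []
    parts = urlsplit(url)
    want = urlsplit(build_login_url(gateway_fqdn, xms_fqdn, app_name, xms_port))
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if parts.netloc.lower() != want.netloc.lower():
        problems.append(f"host is {parts.netloc!r}, expected the Gateway FQDN {want.netloc!r}")
    if parts.path != want.path:
        problems.append(f"path is {parts.path!r}, expected {want.path!r}")
    got = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(want.query).items():
        if key not in got:
            problems.append(f"missing query parameter {key}={values[0]}")
        elif got[key] != values:
            problems.append(f"{key} is {got[key][0]!r}, expected {values[0]!r}")
    return problems


def update_app_name(url, new_app_name):
    """Rewrite the app= parameter after Endpoint Management renumbers the
    internal application (ShareFile_SAML -> ShareFile_SAML2 -> ...)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params["app"] = new_app_name
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    gw, xms = "nsgateway.acme.com", "xms.citrix.lab"
    print(build_login_url(gw, xms))
    # Correct while the internal application is still ShareFile_SAML.
    print(check_login_url(GUIDE_LOGIN_URL, gw, xms, "ShareFile_SAML"))
    # Stale after the application was re-created as ShareFile_SAML2.
    print(check_login_url(GUIDE_LOGIN_URL, gw, xms, "ShareFile_SAML2"))
    print(update_app_name(GUIDE_LOGIN_URL, "ShareFile_SAML2"))
    # Constructed redirect target that bypasses the Gateway entirely and
    # lacks nssso=true; every deviation is reported.
    bad = ("https://xms.citrix.lab:8443/samlsp/websso.do"
           "?action=authenticateUser&app=ShareFile_SAML&reqtype=1")
    print(check_login_url(bad, gw, xms, "ShareFile_SAML"))
```

Run the checker against the Login URL you saved in the Content Collaboration admin settings whenever the Endpoint Management application is edited, and against the Location header returned by https://subdomain.sharefile.com/saml/login during validation: an empty result means the redirect reaches the Gateway virtual server on the /cginfra/https/ path with the current application name.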

  4. Under Optional Settings, select the Enable Web Authentication check box.

  5. Click Save.

Validate your configuration

  1. Go to https://subdomain.sharefile.com/saml/login. You are redirected to the Citrix Gateway sign-in form.
  2. Sign in with user credentials that are valid for the Citrix Gateway and Citrix Endpoint Management server environment you configured. Your Citrix Files folders at subdomain.sharefile.com appear.