An alternative to using Microsoft ADFS (Active Directory Federation Services) as the Identity Provider for accessing Office 365 cloud services is to use a pair of NetScaler appliances. From a security point of view, NetScaler is a great option for functioning as an authentication point.
There are a few how-to guides out there that provide guidelines for setting up NetScaler as an Identity Provider for Office 365, but I will document the steps that worked for me.
Table of Contents
Intro
High-level overview
Intro to SAML
Illustration of SAML traffic flow:
Traffic flow – external access (high-level description):
- The user accesses the Office 365 portal to sign in
- When the email address/SSO domain is provided in the Microsoft O365 login form, an HTTP redirect to the NetScaler Gateway address takes place (SAML Request to the IdP)
- NetScaler Gateway authenticates the user on-prem with AD and RADIUS
- On successful authentication, NetScaler generates a SAML token/assertion (SAML Response)
- The SAML assertion is delivered by the client to Microsoft O365 and the user is now logged in.
All SAML redirects happen in the client browser, unless the Artifact SAML binding is used. This guide uses the POST binding for SAML.
Implementation
Requirements:
- NetScaler Enterprise edition as a minimum
- Basic knowledge of the following:
- SAML (Security Assertion Markup Language)
- Office 365 and Azure AD
- PowerShell
- NetScaler
Assumptions:
- The following has already been configured:
- LDAP and e.g. RADIUS authentication for 2-factor is already applied to the NetScaler Gateway
- Firewall rules have been implemented
- Office 365 licenses assigned
- NetScaler and Office 365 are in time sync (important for SAML to be successful)
- Azure AD PowerShell modules installed: Download Azure AD PowerShell Modules
Prepare and Configure Office 365 as SAML SP (Service Provider)
The following PowerShell commands need to be run from e.g. the domain member where AD Sync initiates and where the Azure AD modules are installed.
Remember to adjust the configuration input accordingly, and always test before configuring in the production environment.
##### Sign In to Microsoft Cloud with Tenant admin
Connect-MsolService
##### Verify Domain DNS
Get-MsolDomainVerificationDns -DomainName appdelivery.dk
##### Confirm Domain
Confirm-MsolDomain -DomainName appdelivery.dk
##### Path to SAML Cert (Creates a SAML trust)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("public-key-filepath-to-cer-file")
##### Convert to Base64
$certData = [system.convert]::tobase64string($cert.rawdata)
##### O365 SSO Domain and Branded name
$dom = "DOMAIN"
$fedBrandName = "AppDelivery"
##### URLs for sign in and out
$uri = "https://login.appdelivery.dk/cgi/tmlogout"
$url = "https://login.appdelivery.dk/saml/login"
$ecpUrl = "https://login.appdelivery.dk/saml/login"
##### Configure Domain in O365 for Federation sign in
Set-MsolDomainAuthentication -DomainName $dom -federationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $url -ActiveLogOnUri $ecpUrl -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP
Set-MsolDomainAuthentication -DomainName $dom -PassiveLogOnUri $url
##### Verify Domain settings
Get-MsolDomainFederationSettings
Prepare and Configure NetScaler as SAML iDP (Identity Provider)
In this scenario we use the NetScaler Gateway virtual server to handle the authentication; another option is to use an authentication virtual server (AAA module). NS CLI for the SAML IdP authentication policy:
add authentication samlIdPProfile saml_idp_o365_prof -samlIdPCertName public-wildcard-apptech.dk-2018 -assertionConsumerServiceURL "https://login.microsoftonline.com/login.srf" -samlIssuerName "https://login.apptech.dk/saml/login" -rejectUnsignedRequests OFF -audience urn:federation:MicrosoftOnline -NameIDFormat persistent -NameIDExpr "HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE" -Attribute1 IDPEmail -Attribute1Expr "HTTP.REQ.USER.ATTRIBUTE(2).B64DECODE" -Attribute1FriendlyName mail -Attribute1Format URI -Attribute2 ImmutableID -Attribute2Expr "HTTP.REQ.USER.ATTRIBUTE(2).B64ENCODE" -skewTime 10
Attribute 2 is referenced in the relevant LDAP authentication policy as “objectGUID”
add authentication samlIdPPolicy saml_pol_idp_o365 -rule "HTTP.REQ.HEADER(\"Referer\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"microsoftonline.com\")" -action saml_idp_o365_prof
bind vpn vserver nsg_xxx.demo.lab -policy saml_pol_idp_o365 -priority 100
The next part will cover access to Office 365 from internal clients, providing single sign-on based on Kerberos authentication. (This post will be updated.)