Office 365 – Using NetScaler as SAML iDP

An alternative to using Microsoft ADFS (Active Directory Federation Services) as the Identity Provider for accessing Office 365 cloud services is to use a pair of NetScaler appliances. From a security point of view, NetScaler is a strong option as the authentication point.

There are a few how-to guides out there that provide guidelines for setting up NetScaler as an Identity Provider for Office 365, but I will document the steps that worked for me.

Intro

High-level overview


Intro to SAML

Illustration of SAML traffic flow:


Traffic flow for external access (high-level description):

  1. The user accesses the Office 365 portal to sign in.
  2. When the email address (SSO domain) is entered in the Microsoft O365 login form, an HTTP redirect to the NetScaler Gateway address takes place (SAML Request to the iDP).
  3. NetScaler Gateway authenticates the user on-prem against AD and RADIUS.
  4. On successful authentication, NetScaler generates a SAML token/assertion (SAML Response).
  5. The client delivers the SAML assertion to Microsoft O365 and the user is logged in.

All SAML redirects happen in the client browser, unless the SAML Artifact binding is used. This guide uses the POST binding for SAML.

Implementation

Requirements:

  • NetScaler Enterprise edition as a minimum
  • Basic knowledge of the following:
    • SAML (Security Assertion Markup Language)
    • Office 365 and Azure AD
    • PowerShell
    • NetScaler

Assumptions:

  • The following has already been configured:
    • LDAP and e.g. RADIUS authentication for two-factor are already applied to the NetScaler Gateway
    • Firewall rules have been implemented
    • Office 365 licenses are assigned
    • NetScaler and Office 365 are time-synchronised (important for SAML to succeed)
    • Azure AD PowerShell modules are installed (Download Azure AD PowerShell Modules)

Prepare and Configure Office 365 as SAML SP (Service Provider)

The following PowerShell commands need to be run from, e.g., the domain member from which AD Sync initiates and where the Azure AD modules are installed.

Remember to adjust the configuration input accordingly, and always test before configuring the production environment.

Prepare and Configure NetScaler as SAML iDP (Identity Provider)

In this scenario we use the NetScaler Gateway virtual server to handle the authentication; another option is to use an authentication virtual server (AAA module).

NS CLI for the SAML iDP authentication policy:

Attribute 2 is referenced in the relevant LDAP authentication policy as “objectGUID”.
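Office 365 accepts an assertion from a federated iDP only if the NameID equals the user's ImmutableId (for synced users, the Base64 of the raw objectGUID), the IDPEmail attribute carries the UPN, the audience is urn:federation:MicrosoftOnline, and the validity window matches the SP clock. The check below is an added example, not code from the original post or from NetScaler; the user GUID, UPN, issuer URL and the unsigned sample assertion are constructed values, and the 5-minute skew tolerance is an assumption.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
O365_AUDIENCE = "urn:federation:MicrosoftOnline"          # fixed SP entity ID of Office 365
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample user: objectGUID as LDAP returns it (raw 16 bytes, .NET Guid byte order) and the UPN
USER_GUID = uuid.UUID("1f2e3d4c-5b6a-4988-9a0b-1c2d3e4f5a6b").bytes_le
USER_UPN = "jdoe@example.com"

def immutable_id(object_guid: bytes) -> str:
    # Azure AD Connect stores Base64(objectGUID) as ImmutableId; the SAML NameID has to be exactly this
    return base64.b64encode(object_guid).decode("ascii")

def check_assertion(xml_text, object_guid, upn, now, skew=timedelta(minutes=5)):
    """Return the reasons Office 365 would reject the assertion (empty list = accepted)."""
    root, problems = ET.fromstring(xml_text), []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.text != immutable_id(object_guid):
        problems.append("NameID does not equal the user's ImmutableId (Base64 objectGUID)")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format must be persistent")
    emails = root.findall("saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", NS)
    if [e.text for e in emails] != [upn]:
        problems.append("IDPEmail attribute must carry the user's UPN")
    if root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != O365_AUDIENCE:
        problems.append("Audience must be " + O365_AUDIENCE)
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if now + skew < not_before:          # IdP clock ahead of the SP by more than the tolerated skew
        problems.append("assertion not yet valid: check NetScaler/O365 time sync")
    if now - skew >= not_after:          # IdP clock behind, or assertion presented after its lifetime
        problems.append("assertion expired: check NetScaler/O365 time sync")
    return problems

def sample_assertion(name_id, upn, issued, lifetime=timedelta(minutes=5)):
    # Constructed, unsigned minimal assertion in the shape the iDP posts; real ones are signed
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Issuer>https://gateway.example.com/saml/login</saml:Issuer>
  <saml:Subject><saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{issued.strftime(TIME_FMT)}" NotOnOrAfter="{(issued + lifetime).strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{O365_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="IDPEmail">
    <saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_assertion` against a decoded assertion from a failing login (with the user's objectGUID read from AD) to see which of the four conditions NetScaler is not meeting before touching the policy.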


The next part will cover access to Office 365 from internal clients, providing single sign-on based on Kerberos authentication. (This post will be updated.)
