Deployment Guide

citrix.com

Single Sign On for GoToMeeting with NetScaler

This deployment guide focuses on defining the process for enabling Single Sign On into GoToMeeting with Citrix NetScaler.


Table of Contents

Introduction
Configuration details
NetScaler features to be enabled
Solution description
Step 1: Configure GoToMeeting
Step 2: Configure NetScaler
  To configure LDAP domain authentication
  To configure the SAML IDP policy and profile
  To configure your AAA virtual server
Troubleshooting
Conclusion


Introduction

This guide defines the steps for enabling single sign-on to Citrix GoToMeeting with Citrix NetScaler acting as the SAML identity provider.

The Citrix NetScaler application delivery controller (ADC) load balances, accelerates, optimizes, and secures enterprise applications.

Citrix GoToMeeting is an online meeting, desktop sharing, and video conferencing service that lets a user meet with other computer users, customers, clients, or colleagues over the Internet in real time. It broadcasts the desktop view of a host computer to a group of computers connected to the host through the Internet. Sessions are encrypted and can optionally be protected with a password. Because the web-hosted subscription service works together with software installed on the host computer, sessions can pass through highly restrictive firewalls.


Configuration details

The table below lists the minimum required software version for this integration to work successfully. The integration should also work with higher versions.

Product     Minimum required version
NetScaler   11.0, Enterprise/Platinum license

NetScaler features to be enabled

The essential NetScaler feature that must be enabled is:

• AAA-TM (Authentication, Authorization and Auditing - Traffic Management)

AAA-TM: The AAA feature set controls NetScaler authentication, authorization, and auditing policies, including the definition and management of the authentication schemes used. NetScaler supports a wide range of authentication protocols and a strong, policy-driven application firewall capability.


Solution description

Enabling SSO into GoToMeeting with NetScaler consists of two parts: configuration of the Citrix Online portal, which handles organization logins for GoToMeeting, and configuration of the NetScaler appliance. First, GoToMeeting is configured to use the NetScaler appliance as a third-party SAML IDP (identity provider). This can only be done with an organization account, and only after domain verification has been completed. Then the NetScaler is configured as a SAML IDP by creating an AAA virtual server that hosts the SAML IDP policy.

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to an IP address hosted on the NetScaler, and that an SSL certificate for that name has already been created and installed on the appliance for HTTPS. They also assume that a GoToMeeting organization account has been created and domain verification for it has been completed.

Step 1: Configure GoToMeeting/Citrix Online

• In a web browser, navigate to the Citrix Online administrative page at https://account.citrixonline.com/organization/administration/

• You are redirected to the Citrix Online login page.

• Enter your organization administrator account credentials and click Sign In.


• After a successful sign-in, you see the Citrix Organization Center screen. Click the Identity provider link at the top of the page.

• In the Sign-in page URL field, enter https://aaavip.domain.com/saml/login (where aaavip.domain.com is the FQDN of the AAA vserver on the NetScaler appliance). Set the sign-in binding to POST.

• In the Sign-out page URL field, enter https://aaavip.domain.com/cgi/tmlogout (same FQDN). Set the sign-out binding to POST. This setting is optional.

• In the Identity Provider Entity ID field, enter a unique identifier for the SAML identity provider (here, nssaml). The same value must be configured as the Issuer Name on the NetScaler appliance.

• For the Verification certificate, provide the certificate that is bound to the SAML IDP AAA vserver (aaavip.domain.com). The steps for obtaining this certificate are described below.

All SAML assertions are signed with the private key of the certificate bound to the SAML IDP (the AAA vserver on the NetScaler), so Citrix Online needs the associated certificate (public key) to verify the signatures. Whenever the key pair behind that certificate changes, upload the new certificate here as well, or signature verification will fail.


To get the verification certificate from the NetScaler appliance, follow these steps:

1. Log in to your NetScaler appliance via the Configuration Utility.

2. Select Traffic Management > SSL.

3. On the right, under Tools, select Manage Certificates / Keys / CSRs.

4. In the Manage Certificates window, browse to the certificate you will be using for your AAA virtual server. Select the certificate and click Download. Save the certificate to a location of your choice. Download only the certificate (public key), never the key file; the private key must stay on the appliance.


Step 2: Configure NetScaler

The following configuration is required on the NetScaler appliance for it to act as a SAML identity provider for GoToMeeting:

• LDAP authentication policy and server for domain authentication

• SSL certificate, with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)

• SAML IDP policy and profile

• AAA virtual server

This guide covers only the configuration listed above. The SSL certificate and DNS configuration should be in place before setup.

Configuring LDAP domain authentication

For domain users to log on to the NetScaler appliance with their corporate domain credentials, you must configure an LDAP authentication server and policy on the appliance and bind it to your AAA VIP address. (An existing LDAP configuration can also be reused.)

1. In the NetScaler configuration utility, in the navigation pane, select Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > LDAP.

2. To create a new LDAP policy: on the Policies tab click Add, and enter GTM_LDAP_SSO_Policy as the name. In the Server field, click the '+' icon to add a new server. The Authentication LDAP Server window appears.

3. In the Name field, enter GTM_LDAP_SSO_Server.

4. Select the Server IP radio button and enter the IP address of one of your Active Directory domain controllers. (For redundancy you can instead point to a NetScaler load-balancing virtual server that fronts several domain controllers.)

5. Specify the port that the NetScaler will use to communicate with the domain controller: 389 for plain LDAP or 636 for LDAPS. Prefer 636 with the Security Type set to SSL; on 389 the bind password and every user password cross the network in the clear. Leave the other settings as they are.


6. Under Connection Settings, enter the Base DN of the container in Active Directory (AD) that holds the user accounts you want to allow to authenticate. The example below uses cn=Users,dc=ctxns,dc=net.

7. In the Administrator Bind DN field, enter a domain account (an email-style UPN is easiest) that has rights to search the AD tree. Use a dedicated service account with read-only directory rights and a password that does not expire, so that logins are not broken by a password expiry and a compromise of the appliance does not yield a privileged credential.

8. Check the Bind DN Password box and enter the password twice.

9. Under Other Settings, enter samaccountname as the Server Logon Name Attribute.

10. In the SSO Name Attribute field, enter UserPrincipalName. Enable the User Required and Referrals options. Leave the other settings as they are.


11. Click on More at the bottom of the screen, then add mail as Attribute 1 in the Attribute Fields section. Leave Nested Group Extraction in the Disabled state (we are not going to be using this option for this deployment)

12. Click the Create button to complete the LDAP server settings.

13. For the LDAP Policy Configuration, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true.

14. Click the Create button to complete the LDAP Policy and Server configuration.


Configure the SAML IDP policy and profile

For your users to receive the SAML token for logging on to GoToMeeting, you must configure a SAML IDP policy and profile, and bind them to the AAA virtual server to which the users send their credentials.

Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > SAML IDP.

2. On the Policies tab, click Add.

3. In the Create Authentication SAML IDP Policy window, provide a name for your policy (for example, GTM_SSO_Policy).

4. To the right of the Action field, click the '+' icon to add a new action (profile).

5. Provide a name (for example, GTM_SSO_Profile).

6. In the Assertion Consumer Service URL field, enter https://login.citrixonline.com/saml/global.gotomeeting.com/acs

7. The SP Certificate Name field needs the certificate used by the login.citrixonline.com portal; the NetScaler uses it to verify the signature on the AuthnRequests that Citrix Online sends and to encrypt assertions for it. To get this certificate, open https://login.citrixonline.com in a web browser and click the padlock (green bar) icon in the address bar (the steps below are for Google Chrome). In the window that opens, select the Connection tab, then click Certificate Information.


In the window shown, select the Details tab, then click Copy to File to export the certificate. Install this certificate on the NetScaler appliance by navigating to Traffic Management > SSL > Certificates and clicking Install. Provide the file name you saved the certificate under in the Certificate File Name field, then click Install. Only a certificate (public key) is installed here; no private key is involved.

Alternatively, if you cannot reach the login.citrixonline.com website during the deployment, save the text below in a separate file with an indicative name such as citrix.cer. Note that this copy is the certificate that was current when the guide was written (issued by Symantec, valid from 21 May 2015 to 26 May 2016) and has long since expired; obtain the certificate currently presented by login.citrixonline.com rather than relying on it, and plan to replace it again before each renewal.


-----BEGIN CERTIFICATE-----
MIIGkjCCBXqgAwIBAgIQR9a7ev1iPafwDCfR62ZJFzANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQG
EwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRy
dXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVjIENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcN
MTUwNTIxMDAwMDAwWhcNMTYwNTI2MjM1OTU5WjCCARYxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAX
BgsrBgEEAYI3PAIBAgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAw
DgYDVQQFEwczNzQwMDgwMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFOTMxMTcxEzARBgNVBAgMCkNh
bGlmb3JuaWExDzANBgNVBAcMBkdvbGV0YTEeMBwGA1UECQwVNzQxNCBIb2xsaXN0ZXIgQXZlbnVl
MRowGAYDVQQKDBFDaXRyaXggT25saW5lIExMQzETMBEGA1UECwwKT3BlcmF0aW9uczEfMB0GA1UE
AwwWbG9naW4uY2l0cml4b25saW5lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJkJYeVQ8/Xdue4xYIC1yYpiSx56A6AelM+ZPYXvmBtdqQQba9NfVwTbrsjyM7dSqQsGE1TGwrzy
8qoJsV9nZ0UAh4SSLcaNCCqDpX7HgPnwl0EZ6JdgjhvFjZj+ZQqEkpYFfE+SX9awhQLHA+vny6Mv
k+Xh7t/myO5m/tiKeA+3escTmEoCjQxPwKD4wScAqCDJG+a4kCb/kIzuRN2iyakRPpYoO2bmiu9n
TbkA4ZAl9Dgw6SxDWXX+rw8C9KmFqsfB2lGNBkMUTOXAfsNVjMOzTN1Bhm6la/mjYcou5NlyBCwk
YbMmbjBOPK/boDwxaHL+bJTepGTlVWHHEAuozR0CAwEAAaOCAncwggJzMCEGA1UdEQQaMBiCFmxv
Z2luLmNpdHJpeG9ubGluZS5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMGYGA1UdIARfMF0wWwYLYIZIAYb4RQEHFwYwTDAjBggrBgEF
BQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5
bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAUAVmr5906C1mmZGPWzyAHV9WR52owKwYDVR0fBCQwIjAg
oB6gHIYaaHR0cDovL3NyLnN5bWNiLmNvbS9zci5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUF
BzABhhNodHRwOi8vc3Iuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc3Iuc3ltY2IuY29t
L3NyLmNydDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf
uON3zQ7IDdwQAAABTXaGNUYAAAQDAEcwRQIhALV1UQuevDa2R6kljKyc+0L8we+duH+xmwSaslRk
ngz+AiBvBEkAWCyG8HIW5gy6NXpkoBAnEOxXQxsioZ5ahFWD5QB1AFYUBpov18Ls0/XhvUSyPsdG
drm8mRFcwO+UmFXWidDdAAABTXaGNiUAAAQDAEYwRAIgRWbCvZsC7Q2KR1pQ9TTkG6U6ddAQq6la
fXjDDTm+l1wCIEX1vDWwado+3xrjNeIS/hFXPSyfJw+E3hG38pW1a+akMA0GCSqGSIb3DQEBCwUA
A4IBAQCoPX1KzVtsd/0LEZNcP9G4ZC8C6RXmYZpxpz/906pRIt0+/qA1oyh8kpi5WIlaGF4QpV7s
KaHeTc7vnRnlz2tIuB7MVLNf8ikoy5zkWqf164v1jciZkCW7BE3DXUxoEOT5Y/rm/9+yyTtqm+yc
V30AbE02AKnhHE02uiZYD4y6rrvdf1E8ogFJhtAp51p6m/zYgWC4w+w7kbZ+/XoFIjZ8XPPRRtp4
VZktM9rNPshZY54O6iuRt0BgFmU/kC8qtw3/UIYYsdZlQWc9Shho5X79yXN1HKB8OHRz084Vqdx8
pRWzAYY5vdU3m8Erv8KUTa0DPyibFRzmnnOyoRgjU7Oa
-----END CERTIFICATE-----

8. In the IDP Certificate Name field, select the certificate installed on the NetScaler that secures your AAA authentication virtual server; its private key signs the assertions.

9. In the Issuer Name field, enter the identifier added earlier in the Identity Provider Entity ID field in the Citrix Organization Center (nssaml in this guide).

10. Set the Encryption Algorithm to AES256, and enter https://login.citrixonline.com/saml/sp as the Service Provider ID.

11. Set both the Signature and Digest algorithms to SHA-1. This is what the Citrix Online service provider expected when this guide was written; SHA-1 is deprecated for signatures, so if the service provider accepts SHA-256, prefer that for both settings.

12. Set the SAML Binding to POST.


13. Click More, then enter https://login.citrixonline.com/saml/sp in the Audience field. This value is placed in the assertion's AudienceRestriction, so that the assertion is only usable at this service provider.

14. Set the Skew Time to an appropriate value. This is the clock difference, in minutes, that is tolerated between the NetScaler appliance and the GoToMeeting servers when the validity of the SAML assertion is evaluated: the assertion's NotBefore and NotOnOrAfter are set this many minutes either side of its IssueInstant. Keep the appliance synchronized with NTP and keep the skew small (a few minutes); every extra minute widens the window in which a captured assertion could be replayed. In the troubleshooting capture later in this guide the AuthnRequest's IssueInstant (08:36:38) is about 70 seconds ahead of the time at which the appliance logged it (08:35:27), which is the kind of drift the skew has to cover.

15. Set the Name ID Format to EmailAddress, and enter HTTP.REQ.USER.ATTRIBUTE(1) in the Name ID Expression field. This tells the NetScaler to send the mail attribute, defined earlier as Attribute 1 in the LDAP configuration, as the user ID for GoToMeeting.


16. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.

17. In the Expression field, enter the following expression: HTTP.REQ.HEADER("Referer").CONTAINS("citrixonline")

This expression only selects which SAML IDP profile handles a request arriving at the AAA vserver; the Referer header is supplied by the client and is not a security control. A request without a suitable Referer (some browsers and privacy settings strip it) simply does not match this policy, which is the first thing to check if users reach the AAA logon page but never receive an assertion.

18. Click Create to complete the SAML IDP configuration.

To configure your AAA virtual server

An employee trying to log in to GoToMeeting is redirected to a NetScaler AAA virtual server, which evaluates the employee's corporate credentials. This virtual server listens on port 443, so it requires an SSL certificate, in addition to external and/or internal DNS resolution of the virtual server's IP address on the NetScaler appliance. The following steps assume that DNS name resolution is already in place and that the SSL certificate is already installed on your NetScaler appliance.

1. In the NetScaler Configuration Utility, navigate to Security > AAA – Application Traffic > Virtual Servers and click Add.

2. In the Authentication Virtual Server window, enter the virtual server's name and IP address (av1 and 10.105.157.62 in this example).

3. Scroll down and make sure that the Authentication and State check boxes are selected.

4. Click Continue.

5. In the Certificates section, select No Server Certificate.

6. In the Server Cert Key window, click Bind.

7. Under SSL Certificates, choose your AAA SSL certificate and click Insert. (Note: this is the certificate for aaavip.domain.com, NOT the GoToMeeting SP certificate.)

8. Bind the LDAP policy (GTM_LDAP_SSO_Policy) and the SAML IDP policy (GTM_SSO_Policy) to this virtual server, as the earlier sections require; without these bindings the vserver presents a logon page but can never issue an assertion.
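Before installing the SP verification certificate from step 7, check what it actually is. The following is an added example, not code from the Citrix guide: a stdlib-only Python script that walks the DER structure of a PEM certificate, reports the issuer, the subject CN and the validity window, and decides whether the certificate is usable on a given date. The PEM it embeds is the login.citrixonline.com certificate reproduced from step 7; the parser, the function names and the date check are this example's own.

```python
"""Inspect an SP verification certificate before installing it on the ADC.

Added example (not from the Citrix guide): a stdlib-only DER walker that pulls
the issuer CN, subject CN and validity window out of a PEM certificate.  The
PEM below is the login.citrixonline.com certificate reproduced from the guide;
the parsing code and the policy checks are this example's own.
"""
import base64
from datetime import datetime, timezone

# Certificate as printed in the guide (Symantec-issued, expired in May 2016).
SP_CERT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIGkjCCBXqgAwIBAgIQR9a7ev1iPafwDCfR62ZJFzANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQG
EwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRy
dXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVjIENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcN
MTUwNTIxMDAwMDAwWhcNMTYwNTI2MjM1OTU5WjCCARYxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAX
BgsrBgEEAYI3PAIBAgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAw
DgYDVQQFEwczNzQwMDgwMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFOTMxMTcxEzARBgNVBAgMCkNh
bGlmb3JuaWExDzANBgNVBAcMBkdvbGV0YTEeMBwGA1UECQwVNzQxNCBIb2xsaXN0ZXIgQXZlbnVl
MRowGAYDVQQKDBFDaXRyaXggT25saW5lIExMQzETMBEGA1UECwwKT3BlcmF0aW9uczEfMB0GA1UE
AwwWbG9naW4uY2l0cml4b25saW5lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJkJYeVQ8/Xdue4xYIC1yYpiSx56A6AelM+ZPYXvmBtdqQQba9NfVwTbrsjyM7dSqQsGE1TGwrzy
8qoJsV9nZ0UAh4SSLcaNCCqDpX7HgPnwl0EZ6JdgjhvFjZj+ZQqEkpYFfE+SX9awhQLHA+vny6Mv
k+Xh7t/myO5m/tiKeA+3escTmEoCjQxPwKD4wScAqCDJG+a4kCb/kIzuRN2iyakRPpYoO2bmiu9n
TbkA4ZAl9Dgw6SxDWXX+rw8C9KmFqsfB2lGNBkMUTOXAfsNVjMOzTN1Bhm6la/mjYcou5NlyBCwk
YbMmbjBOPK/boDwxaHL+bJTepGTlVWHHEAuozR0CAwEAAaOCAncwggJzMCEGA1UdEQQaMBiCFmxv
Z2luLmNpdHJpeG9ubGluZS5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMGYGA1UdIARfMF0wWwYLYIZIAYb4RQEHFwYwTDAjBggrBgEF
BQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5
bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAUAVmr5906C1mmZGPWzyAHV9WR52owKwYDVR0fBCQwIjAg
oB6gHIYaaHR0cDovL3NyLnN5bWNiLmNvbS9zci5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUF
BzABhhNodHRwOi8vc3Iuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc3Iuc3ltY2IuY29t
L3NyLmNydDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf
uON3zQ7IDdwQAAABTXaGNUYAAAQDAEcwRQIhALV1UQuevDa2R6kljKyc+0L8we+duH+xmwSaslRk
ngz+AiBvBEkAWCyG8HIW5gy6NXpkoBAnEOxXQxsioZ5ahFWD5QB1AFYUBpov18Ls0/XhvUSyPsdG
drm8mRFcwO+UmFXWidDdAAABTXaGNiUAAAQDAEYwRAIgRWbCvZsC7Q2KR1pQ9TTkG6U6ddAQq6la
fXjDDTm+l1wCIEX1vDWwado+3xrjNeIS/hFXPSyfJw+E3hG38pW1a+akMA0GCSqGSIb3DQEBCwUA
A4IBAQCoPX1KzVtsd/0LEZNcP9G4ZC8C6RXmYZpxpz/906pRIt0+/qA1oyh8kpi5WIlaGF4QpV7s
KaHeTc7vnRnlz2tIuB7MVLNf8ikoy5zkWqf164v1jciZkCW7BE3DXUxoEOT5Y/rm/9+yyTtqm+yc
V30AbE02AKnhHE02uiZYD4y6rrvdf1E8ogFJhtAp51p6m/zYgWC4w+w7kbZ+/XoFIjZ8XPPRRtp4
VZktM9rNPshZY54O6iuRt0BgFmU/kC8qtw3/UIYYsdZlQWc9Shho5X79yXN1HKB8OHRz084Vqdx8
pRWzAYY5vdU3m8Erv8KUTa0DPyibFRzmnnOyoRgjU7Oa
-----END CERTIFICATE-----
"""

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                          # long-form length: N length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Iterate the elements of a constructed value (SEQUENCE / SET)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _common_name(buf, start, end):
    """Return the CN from an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, ava_s, ava_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, ava_s, ava_e))
            if buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-8")
    return None


def _time(buf, tag, start, end):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(pem):
    """Return issuer CN, subject CN and validity bounds (ISO 8601, UTC) of a PEM certificate."""
    b64 = "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert_s, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                     # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2], fields[3], fields[4]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = list(_children(der, validity[1], validity[2]))
    return {
        "issuer_cn": _common_name(der, issuer[1], issuer[2]),
        "subject_cn": _common_name(der, subject[1], subject[2]),
        "not_before": _time(der, nb_tag, nb_s, nb_e).isoformat(),
        "not_after": _time(der, na_tag, na_s, na_e).isoformat(),
    }


def is_valid_on(info, iso_date):
    """True if the validity window covers the given YYYY-MM-DD (UTC midnight)."""
    when = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(info["not_before"]) <= when < datetime.fromisoformat(info["not_after"])


def is_valid_now(info):
    """True if the certificate could be installed and used today."""
    return is_valid_on(info, datetime.now(timezone.utc).strftime("%Y-%m-%d"))


if __name__ == "__main__":
    details = inspect_certificate(SP_CERT_PEM)
    print(details)
    print("usable today:", is_valid_now(details))
```

Run as-is, it reports the Symantec issuer, the login.citrixonline.com subject and a window ending on 26 May 2016, so is_valid_now returns False and the copy in the guide must not be installed. The same walker works on the file you download from the AAA vserver in Step 1, which is a quick way to confirm that what you exported is the certificate (it parses) and not the key file (it does not).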


After completing the AAA configuration above, the Basic Settings screen of the AAA vserver shows the name, IP address and port entered above with the virtual server in the Up state. (The original guide shows a screenshot of this screen here.)
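The LDAP server, SAML IDP profile and AAA vserver steps above are all GUI steps. The following is an added example, not part of the Citrix guide, that renders the same deployment as NetScaler CLI commands and audits them for the settings a reviewer would push back on: plain LDAP on 389 instead of LDAPS, LDAPS without server-certificate validation, SHA-1 signatures, an oversized skew, and a missing audience. The parameter names are as I recall them from the 11.x CLI and are hypothetical until confirmed with `show authentication ldapAction` and `show authentication samlIdPProfile` on your build; the server IPs, certificate key names, bind account and domain-controller name are placeholders. The hardened variant assumes the service provider accepts SHA-256 signatures, which the guide does not state.

```python
"""Audit the NetScaler AAA configuration that Step 2 produces.

Added example, not part of the Citrix guide.  Both configuration texts are
this example's rendering of the GUI steps as NetScaler CLI commands; the
parameter names follow the 11.x CLI as recalled and should be confirmed on
the target build.  IPs, certificate key names, the bind account and the
domain-controller name are placeholders.
"""
import shlex

# Constructed: Step 2 as the guide walks through it (plain LDAP on 389 is one
# of the two options it offers, SHA-1 is mandated, and a 15-minute skew is what
# the +/-15 minute validity window in the troubleshooting capture implies).
AS_DOCUMENTED = r"""
add authentication ldapAction GTM_LDAP_SSO_Server -serverIP 10.105.157.10 -serverPort 389 -secType PLAINTEXT -ldapBase "cn=Users,dc=ctxns,dc=net" -ldapBindDn "svc_ldap_ro@ctxns.net" -ldapBindDnPassword "<bind-password>" -ldapLoginName samaccountname -ssoNameAttribute UserPrincipalName -Attribute1 mail -followReferrals ON
add authentication ldapPolicy GTM_LDAP_SSO_Policy ns_true GTM_LDAP_SSO_Server
add authentication samlIdPProfile GTM_SSO_Profile -samlSPCertName citrix_online_sp -samlIdPCertName aaavip_domain_com -assertionConsumerServiceURL "https://login.citrixonline.com/saml/global.gotomeeting.com/acs" -samlIssuerName nssaml -serviceProviderID "https://login.citrixonline.com/saml/sp" -audience "https://login.citrixonline.com/saml/sp" -encryptAssertion ON -encryptionAlgorithm AES256 -signatureAlg RSA-SHA1 -digestMethod SHA1 -samlBinding POST -skewTime 15 -nameIDFormat emailAddress -nameIDExpr "HTTP.REQ.USER.ATTRIBUTE(1)"
add authentication samlIdPPolicy GTM_SSO_Policy -rule "HTTP.REQ.HEADER(\"Referer\").CONTAINS(\"citrixonline\")" -action GTM_SSO_Profile
add authentication vserver av1 SSL 10.105.157.62 443
bind ssl vserver av1 -certkeyName aaavip_domain_com
bind authentication vserver av1 -policy GTM_LDAP_SSO_Policy -priority 100
bind authentication vserver av1 -policy GTM_SSO_Policy -priority 100
"""

# Constructed: the same deployment with LDAPS plus server-certificate
# validation, SHA-256 signatures (only once the SP accepts them) and a 5-minute skew.
HARDENED = r"""
add authentication ldapAction GTM_LDAP_SSO_Server -serverIP 10.105.157.10 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName dc1.ctxns.net -ldapBase "cn=Users,dc=ctxns,dc=net" -ldapBindDn "svc_ldap_ro@ctxns.net" -ldapBindDnPassword "<bind-password>" -ldapLoginName samaccountname -ssoNameAttribute UserPrincipalName -Attribute1 mail -followReferrals ON
add authentication samlIdPProfile GTM_SSO_Profile -samlSPCertName citrix_online_sp -samlIdPCertName aaavip_domain_com -assertionConsumerServiceURL "https://login.citrixonline.com/saml/global.gotomeeting.com/acs" -samlIssuerName nssaml -serviceProviderID "https://login.citrixonline.com/saml/sp" -audience "https://login.citrixonline.com/saml/sp" -encryptAssertion ON -encryptionAlgorithm AES256 -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlBinding POST -skewTime 5 -nameIDFormat emailAddress -nameIDExpr "HTTP.REQ.USER.ATTRIBUTE(1)"
"""


def parse_commands(config_text):
    """Yield (object_type, name, params) for each 'add authentication ...' line."""
    for line in config_text.strip().splitlines():
        tokens = shlex.split(line)               # honours the quoted values and \" escapes
        if len(tokens) < 4 or tokens[:2] != ["add", "authentication"]:
            continue
        params, rest, i = {}, tokens[4:], 0
        while i < len(rest):
            if rest[i].startswith("-") and i + 1 < len(rest):
                params[rest[i][1:]] = rest[i + 1]   # "-name value" pair
                i += 2
            else:
                i += 1                               # positional argument (e.g. policy rule)
        yield tokens[2], tokens[3], params


def audit_config(config_text, max_skew_minutes=5):
    """Return the list of findings; an empty list means nothing to object to.

    Defaults assumed when a parameter is absent (PLAINTEXT, RSA-SHA1/SHA1,
    skewTime 5) are the 11.x defaults as recalled; adjust if your build differs.
    """
    findings = []
    for kind, name, p in parse_commands(config_text):
        if kind == "ldapAction":
            if p.get("secType", "PLAINTEXT") == "PLAINTEXT":
                findings.append(f"{name}: bind and user passwords cross the network in the clear; "
                                "use -secType SSL on 636 (or TLS)")
            elif p.get("validateServerCert", "NO") != "YES":
                findings.append(f"{name}: LDAPS without -validateServerCert YES trusts any server certificate")
        elif kind == "samlIdPProfile":
            if p.get("signatureAlg", "RSA-SHA1") == "RSA-SHA1" or p.get("digestMethod", "SHA1") == "SHA1":
                findings.append(f"{name}: assertions signed with SHA-1; move to RSA-SHA256/SHA256 once the SP accepts it")
            if int(p.get("skewTime", 5)) > max_skew_minutes:
                findings.append(f"{name}: skewTime {p['skewTime']} widens the assertion replay window; "
                                "fix clock drift with NTP instead")
            if not p.get("audience"):
                findings.append(f"{name}: no -audience, so the assertion is not bound to one service provider")
    return findings


if __name__ == "__main__":
    for label, text in (("as documented", AS_DOCUMENTED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in audit_config(text) or ["no findings"]:
            print("  ", finding)
```

Point it at the output of `show running` (saved to a file) after the deployment is complete; the three findings it raises on the documented configuration are exactly the three choices the steps above leave to the administrator.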


Troubleshooting

To help with troubleshooting, here is the list of entries that appear in the ns.log file (in /var/log on the NetScaler appliance) for a successful SAML login. Entries such as IDs, digests and signature values vary from one login to the next. Each log entry is shown on one line; the long XML fragments were wrapped in the original. Two things to notice in this capture: the Destination and Recipient values in the response follow the AssertionConsumerServiceURL carried in the AuthnRequest (https://login.citrixonline.com/saml/acs) rather than the ACS URL entered in the profile, and the LDAP policy in this capture is named ldap2, not the GTM_LDAP_SSO_Policy used in the steps above.

Section 1: The NetScaler receives the authentication request from Citrix Online

Jan 8 08:35:27 <local0.debug> 10.105.157.60 01/08/2016:08:35:27 GMT 0-PPE-0 : default AAATM Message 2789 0 : "SAMLIDP: ParseAuthnReq: signature method seen is 4"

Jan 8 08:35:27 <local0.debug> 10.105.157.60 01/08/2016:08:35:27 GMT 0-PPE-0 : default AAATM Message 2790 0 : "SAMLIDP: ParseAuthnReq: digest method seen is SHA1"

Jan 8 08:35:27 <local0.debug> 10.105.157.60 01/08/2016:08:35:27 GMT 0-PPE-0 : default AAATM Message 2791 0 : "SAML verify digest: digest algorithm SHA1, input for digest: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://login.citrixonline.com/saml/acs" Destination="https://aaavip.domain.com/saml/login" ForceAuthn="false" ID="a40ifgjj86ffdfig4h6jhgf83be2c7f" IsPassive="false" IssueInstant="2016-01-08T08:36:38.818Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login.citrixonline.com/saml/sp</saml2:Issuer><saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></saml2p:NameIDPolicy></saml2p:AuthnRequest>"

Jan 8 08:35:27 <local0.debug> 10.105.157.60 01/08/2016:08:35:27 GMT 0-PPE-0 : default AAATM Message 2792 0 : "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#a40ifgjj86ffdfig4h6jhgf83be2c7f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>NmXnyrf1DnRgVApPkKRkMvcMZ5w=</ds:DigestValue></ds:Reference></ds:SignedInfo>"

Jan 8 08:35:27 <local0.debug> 10.105.157.60 01/08/2016:08:35:27 GMT 0-PPE-0 : default SSLVPN Message 2793 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "


Section 2: Messages indicating successful authentication and extraction of attributes from the back-end LDAP server

Jan 8 08:35:35 <local0.info> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAA Message 2798 0 : "In update_aaa_cntr: Succeeded policy for user administrator = ldap2"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2799 0 : "extracted SSOusername: [email protected] for user administrator"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default SSLVPN Message 2800 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are [email protected]

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default SSLVPN Message 2801 0 : "sslvpn_extract_attributes_from_resp: total len copied 28, mask 0x1 "

Section 3: Messages verifying the SAML transaction and sending the signed SAML assertion

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2802 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, inputR1RNX1NTT19Qcm9maWxlAElEPWE0MGlmZ2pqODZmZmRmaWc0aDZqaGdmODNiZTJjN2YmYmluZD1wb3N0Jmh0dHBzOi8vZ2xvYmFsLmdvdG9tZWV0aW5nLmNvbS9qX3NwcmluZ19jYXNfc2VjdXJpdHlfY2hlY2s="

(The input value is base64. It decodes to the profile name GTM_SSO_Profile followed by the request ID, the binding and the GoToMeeting return URL, which confirms which SAML IDP profile matched the request.)

Jan 8 08:35:35 <local0.info> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAA EXTRACTED_GROUPS 2803 0 : Extracted_groups "ADSyncAdmins,ReportingGroup {133115cb-a0b1-4a96-83db-2f4828ba1ecf},SQLAccessGroup {133115cb-a0b1-4a96-83db-2f4828ba1ecf},PrivUserGroup {133115cb-a0b1-4a96-83db-2f4828ba1ecf},VPN-USER,RadiusUser,LyncDL,ContentSubmitters,Organization Management,CSAdministrator,RTCUniversalUserAdmins,RTCUniversalServerAdmins,Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators"

(The test account used for this capture is a member of Domain Admins, Enterprise Admins and Schema Admins. Validate the SSO flow with an ordinary, unprivileged user account instead.)


Jan 8 08:35:35 <local0.info> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM LOGIN 2804 0 : Context [email protected] - SessionId: 14- User administrator - Client_ip 10.105.1.6 - Nat_ip "Mapped Ip" - Vserver 10.105.157.62:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" - Group(s) "N/A"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2805 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow,inputR1RNX1NTT19Qcm9maWxlAElEPWE0MGlmZ2pqODZmZmRmaWc0aDZqaGdmODNiZTJjN2YmYmluZD1wb3N0Jmh0dHBzOi8vZ2xvYmFsLmdvdG9tZWV0aW5nLmNvbS9qX3NwcmluZ19jYXNfc2VjdXJpdHlfY2hlY2s="

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default SSLVPN Message 2806 0 : "UnifiedGateway: SSOID update skipped due to StepUp or LoginOnce OFF, user: administrator"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2807 0 : "SAML: SendAssertion: Response tag is <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.citrixonline.com/saml/acs" ID="_03eb9d5699676285fd093f69f05ee308" InResponseTo="a40ifgjj86ffdfig4h6jhgf83be2c7f" IssueInstant="2016-01-08T08:35:35Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssaml</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status>"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2808 0 : "SAML: SendAssertion: Assertion tag is <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_03eb9d5699676285fd093f69f05ee30" IssueInstant="2016-01-08T08:35:35Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssaml</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">A[email protected]</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="a40ifgjj86ffdfig4h6jhgf83be2c7f" NotOnOrAfter="2016-01-08T08:50:35Z" Recipient="https://login.citrixonline.com/saml/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2016-01-08T08:20:35Z" NotOnOrAfter="2016-01-08T08:50:35Z"><saml:AudienceRestriction><saml:Audience>https://login.citrixonline.com/saml/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>


Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2809 0 : "SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_03eb9d5699676285fd093f69f05ee30"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>3jdU1JRMaYpTzr3HSb8R4vQ2z2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo>"

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default AAATM Message 2810 0 : "SAML: SendAssertion, Signature element is <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_03eb9d5699676285fd093f69f05ee30"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>3jdU1JRMaYpTzr3HSb8R4vQ2z2Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>bLGCZXpcHjhkAI1gwZ0rH17go6GNHXFyF8FJseUjM7aYMpwxQfHDLXZyVQaGuyBP/u6+tgrS2adrRtHRNUVtfX07gEQV9m7ZfZYY/As5c1IXMY1+qYiAPBHBLSHx (signature value truncated in the original capture)

Jan 8 08:35:35 <local0.debug> 10.105.157.60 01/08/2016:08:35:35 GMT 0-PPE-0 : default SSLVPN Message 2811 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "
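The assertion logged in Section 3 is what the profile settings from Step 2 produce, and the service provider has to check each of those fields before trusting it. The following is an added example, not from the Citrix guide, showing those relying-party checks in Python: the Audience must equal the Service Provider ID, the Recipient must be this ACS URL, InResponseTo must match an outstanding AuthnRequest, the subject confirmation must be bearer, and the NotBefore/NotOnOrAfter window must cover the current time within the allowed clock skew. The assertion XML is rebuilt from the SendAssertion entry above (the log stops at the closing Conditions tag; the closing Assertion tag is supplied here, and the NameID is kept as redacted in the capture). XML signature verification is a separate step and is not shown.

```python
"""Relying-party checks on the assertion the NetScaler SAML IdP emits.

Added example, not from the Citrix guide.  ASSERTION_XML is reconstructed from
the SendAssertion log entry in the troubleshooting section; the checks are the
ones the SP must apply before accepting the bearer assertion.  Signature
verification (XML-DSig over the SignedInfo shown in the log) is out of scope.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values the SP expects, taken from the profile settings and the logged AuthnRequest.
EXPECTED = {
    "audience": "https://login.citrixonline.com/saml/sp",        # Service Provider ID / Audience
    "recipient": "https://login.citrixonline.com/saml/acs",      # ACS URL from the AuthnRequest
    "request_id": "a40ifgjj86ffdfig4h6jhgf83be2c7f",             # ID of the AuthnRequest
}

# Reconstructed from the capture; IssueInstant 08:35:35 with a +/-15 minute window.
ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_03eb9d5699676285fd093f69f05ee30" IssueInstant="2016-01-08T08:35:35Z" Version="2.0">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssaml</saml:Issuer>'
    '<saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData InResponseTo="a40ifgjj86ffdfig4h6jhgf83be2c7f" '
    'NotOnOrAfter="2016-01-08T08:50:35Z" Recipient="https://login.citrixonline.com/saml/acs"/>'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2016-01-08T08:20:35Z" NotOnOrAfter="2016-01-08T08:50:35Z">'
    '<saml:AudienceRestriction><saml:Audience>https://login.citrixonline.com/saml/sp</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion>'
)


def _ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z (fractional seconds optional)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, *, audience, recipient, request_id, now, skew_minutes=0):
    """Return the reasons to reject the assertion at time `now` (ISO 8601); empty means accept."""
    a = ET.fromstring(xml_text)
    now = _ts(now)
    skew = timedelta(minutes=skew_minutes)
    problems = []

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("not yet valid (NotBefore is in the future)")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired (NotOnOrAfter reached)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append(f"audience {audiences} does not include {audience}")

    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or data is None:
        problems.append("no SubjectConfirmation with data")
    else:
        if conf.get("Method") != BEARER:
            problems.append(f"unexpected confirmation method {conf.get('Method')}")
        if data.get("Recipient") != recipient:
            problems.append(f"recipient {data.get('Recipient')} is not this ACS")
        if data.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match an outstanding AuthnRequest (unsolicited or replayed)")
        if data.get("NotOnOrAfter") and now - skew >= _ts(data.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    return problems


if __name__ == "__main__":
    print("at issue time:", check_assertion(ASSERTION_XML, now="2016-01-08T08:35:36Z", **EXPECTED))
    print("16 min later: ", check_assertion(ASSERTION_XML, now="2016-01-08T08:51:00Z", **EXPECTED))
    print("wrong SP:     ", check_assertion(ASSERTION_XML, now="2016-01-08T08:35:36Z",
                                            **{**EXPECTED, "audience": "https://example.invalid/sp"}))
```

The second call shows what the skew setting from step 14 buys: at 08:51:00 the assertion is rejected with a zero-minute allowance but accepted with two minutes, because the SP's clock is then within the window the IdP wrote into NotOnOrAfter. The InResponseTo check is what stops an assertion captured from one login from being replayed against a later one, which is why the SP must keep a record of the request IDs it has issued and not yet consumed.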

0116/PDF

Copyright © 2016 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

Conclusion

NetScaler provides a secure and seamless experience with GoToMeeting by enabling single sign-on to GoToMeeting accounts, so that users do not need to remember additional passwords and user IDs, while reducing the administrative overhead of maintaining these deployments.