Configuring and Delivering Salesforce as a managed ... · Citrix.com|Solutions Guide|Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler

Citrix.com | Solutions Guide| Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

1

Solution Guide

iOS Managed Configuration

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

Solution Guide


2

Introduction

Organizations, large and small, leverage Salesforce.com. With the ever-growing Mobile Workspace access to all your CRM data, existing customizations, and breakthrough productivity tools can now be protected for access from anywhere.

With the power of the XenMobile and Salesforce, you can now connect to customers in a whole new way, all from your mobile device.

Purpose of this document

This document is meant to guide administrators in configuring the below components;

• Salesforce.com for SAML Single Sign-On (SSO)

• NetScaler as an IDP

• Salesforce App Config via the XenMobile Console

The two uses cases that will be addressed with in this document are;

1. Salesforce SAML authentication using username and password

2. Salesforce SAML authentication using certificates


3

Configure Salesforce SAML 2.0 Setting for Single Sign-On

Prerequisites

1. Salesforce.com tenant needs to have Custom Domains enabled (e.g. customerdomain.my.salesforce.com)

SAML 2.0 SSO Configuration

1. Login to Salesforce.com as an administrator

2. From Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and click Edit.

3. Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings. Click Save.

4. In SAML Single Sign-On Settings, click New.

5. Give this setting a Name for reference within your org. Salesforce inserts the corresponding API Name value.

6. Enter the Issuer. Often referred to as the entity ID for the identity provider and will be provided by your IDP. (e.g. https://saml.xenmobiledemo.com/saml/login)

7. Enter the custom domain for the Entity ID. You must share this information with your identity provider.


4

8. For the Identity Provider Certificate, use the Choose File button to locate and upload the SSL certificate you will be using for your AAA Virtual Server.

9. For the Request Signing Certificate, select the certificate you want from the ones saved in your Certificate and Key Management settings.

10. For the Request Signature Method, select the hashing algorithm for encrypted requests, RSA-SHA256. (make sure the setting in the NetScaler device matches this value)

11. For the SAML Identity Type, select Assertion contains the User’s Salesforce username.

12. For the SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.

13. For the Service Provider Initiated Request Binding, select HTTP POST.

14. Enter the Identity Provider Login URL, as https://saml.DOMAIN.com/saml/login and the Identity Provider Logout URL, as https://saml.DOMAIN.com/cgi/tmlogout

15. Click Save.


5

Configure the NetScaler Appliance SAML authentication using username and password

Prerequisites

1. NetScaler software release 11.1 or later, with an Enterprise or Platinum license.

2. SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (Wildcard certificates are supported.)

3. The Deny SSL Renegotiation setting (Traffic Management > SSL > Change Advanced SSL setting) needs to be set to NO.

Configure LDAP Domain Authentication

1. In the NetScaler configuration utility, in the navigation pane, select Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > LDAP.

2. To create a new LDAP policy: On the Policies tab click Add, and then enter SFDC_LDAP_SSO_Policy as the name. In the Server field, click the ‘+’ icon to add a new server. The Authentication LDAP Server window appears.

• In the Name field, enter SFDC_LDAP_SSO_Server.

• Select the bullet for Server IP. Enter the IP address of one of your Active Directory domain controllers. (You can also point to a virtual server IP for the purpose of redundancy if you are load balancing domain controllers)

• Specify the port that the NetScaler will use to communicate with the domain controller. Use 389 for LDAP or 636 for Secure LDAP (LDAPS).

3. Under Connection Settings, enter the base domain name for the domain in which the user accounts reside within the Active Directory (AD) for which you want to allow authentication. The example below uses cn=Users,dc=xenmobiledemo,dc=com.

4. In the Administrator Bind DN field, add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. A service account is advisable, so that there will be no issues with logins if the account that is configured has a password expiration.


6

5. Check the box for Bind DN Password and enter the password twice.

6. Under Other Settings: Enter UserPrincipalName as the Server Logon Name Attribute.

7. In the SSO Name Attribute field, enter UserPrincipalName. Enable the User Required and Referrals options. Leave the other settings as they are.

8. Click on More at the bottom of the screen, then add mail as Attribute 1 in the Attribute Fields section.

9. Click the Create button to complete the LDAP server settings.


7

10. For the LDAP Policy Configuration, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true.

Configure the SAML IDP Policy and Profile

For your users to receive the SAML token for logging on to SFDC, you must configure a SAML IDP policy and profile, and bind them to the AAA virtual server to which the users send their credentials. Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP

2. On the Policies Tab, select the Add button.

3. In the Create Authentication SAML IDP Policy Window, provide a name for your policy (for example – SFDC_ SSO_Policy).

4. To the right of the Action field, click the ‘+’ icon to add a new action or profile.

5. Provide a name (for example, SFDC_SSO_Profile).

6. In the Assertion Consumer Service URL field, enter the URL obtained earlier during SFDC configuration (https://<yourdomain>.my.salesforce.com?so=<encoded value>)

7. In the SP Certificate Name, provide the name for the certificate that was downloaded from SFDC and added to the NetScaler. In case you haven’t, you may do so here by clicking on the + button and providing the certificate file and requisite information.

8. In the IDP Certificate Name field, browse to the certificate installed on the NetScaler that will be used to secure your AAA authentication Virtual Server.

9. In the Issuer Name field enter https://<AAA vserver FQDN>/saml/login

10. Set the Encryption Algorithm to AES256

11. Set the Service Provider ID field to https://<yourdomain>.my.salesforce.com.

12. Set both the Signature and Digest algorithms to SHA-1.

13. Set the SAML Binding to POST.


8

14. Click on More, then put https://<yourdomain>.my.salesforce.com in the Audience field.

15. Set the Skew Time to an appropriate value. This is the time difference that will be tolerated between the NetScaler appliance and the SFDC server for the validity of the SAML assertion.

16. Set the Name ID Format to Unspecified, and put HTTP.REQ.USER.ATTRIBUTE(1) in the Name ID Expression field. This directs NetScaler to provide the mail attribute that was defined earlier during LDAP configuration as the user ID for SFDC.

17. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.


9

18. In the Expression field, add the following expression: HTTP.REQ.HEADER("Referer").CONTAINS("salesforce")

19. Click Create to complete the SAML IDP Configuration.

To Configure your AAA Virtual Server

An employee trying to log in to SFDC is redirected to a NetScaler AAA virtual server that validates the employee's user certificate. This virtual server listens on port 443, which requires an SSL certificate. External and/or internal DNS resolution of the virtual server's IP address (which is on the NetScaler appliance) is also required. The following steps require a preexisting virtual server to be in place. In addition, they assume that DNS name resolution is already in place, and that the SSL certificate is already installed on your NetScaler appliance.

1. In the NetScaler Configuration tab navigate to Security > AAA – Application Traffic > Virtual Servers and click the Add button.

2. In the Authentication Virtual Server window, enter the virtual server's name and IP address. (XMD_AV1 and 10.61.252.87 in this example)

3. Scroll down and make sure that the Authentication and State check boxes are selected.

4. Click Continue.

5. In the Certificates section, select No Server Certificate.

6. Under Select Server Certificate, choose your AAA SSL Certificate and select. (Note – This is NOT the SFDC SP certificate.) and Click Bind.

7. Click Continue.

8. Under Advanced Authentication Policies click No Authentication Policy to add a Policy Binding

9. From the Select Policy window, select Choose Policy from the drop-down list, select the select the SFDC_SSO_Policy created earlier, and Click Select.

10. Click Bind.


10

11. Under Advanced Authentication Policies click No SALM IDP Policy to add a Policy Binding, and click Add Binding.


13. Click Bind.

14. Click Continue.

15. Click Done.

After completing the AAA configuration above, this is how the Basic Settings screen of the AAA vserver will look:


11

Configure the NetScaler Appliance SAML authentication using certificate

Prerequisites

1. NetScaler software release 11.1 or later, with an Enterprise or Platinum license.

2. SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (Wildcard certificates are supported.)

3. The Deny SSL Renegotiation setting (Traffic Management > SSL > Change Advanced SSL setting) needs to be set to NO.

Configure Certificate Authentication

1. In the NetScaler configuration utility, in the navigation pane, select Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > Cert.

2. To create a new CERT policy: On the Policies tab click Add, and then enter SFDC_CertBased_Policy as the name. In the Server field, click the ‘+’ icon to add a new Profile. The Create Authentication CERT Profile window appears.

• In the Name field, enter SFDC_CertBased.

• Select the bullet for OFF under Two Factor.

• From the dropdown under User Name Field select Subject:CN

• From the dropdown under Group Name Field select SubjectAltName:PrincipalName

3. Click the Create button to complete the CERT Profile settings.

4. For the CERT Policy Configuration, select the newly created CERT server from the Server drop-down list, and in the Expression field type ns_true.

5. Click the Create button to complete the CERT Policy settings


12

Configure the SAML IDP Policy and Profile

For your users to receive the SAML token for logging on to SFDC, you must configure a SAML IDP policy and profile, and bind them to the AAA virtual server to which the users send their credentials. Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP

2. On the Policies Tab, select the Add button.

3. In the Create Authentication SAML IDP Policy Window, provide a name for your policy (for example – SFDC_ SSO_Policy).

4. To the right of the Action field, click the ‘+’ icon to add a new action or profile.

5. Provide a name (for example, SFDC_SSO_Profile).

6. In the Assertion Consumer Service URL field, enter the URL obtained earlier during SFDC configuration (https://<yourdomain>.my.salesforce.com?so=<encoded value>)

7. In the SP Certificate Name, provide the name for the certificate that was downloaded from SFDC and added to the NetScaler. In case you haven’t, you may do so here by clicking on the + button and providing the certificate file and requisite information.

8. In the IDP Certificate Name field, browse to the certificate installed on the NetScaler that will be used to secure your AAA authentication Virtual Server.

9. In the Issuer Name field enter https://<AAA vserver FQDN>/saml/login

10. Set the Encryption Algorithm to AES256

11. Set the Service Provider ID field to https://<yourdomain>.my.salesforce.com.

12. Set both the Signature and Digest algorithms to SHA-1.

13. Set the SAML Binding to POST.


13

14. Click on More, then put https://<yourdomain>.my.salesforce.com in the Audience field.

15. Set the Skew Time to an appropriate value. This is the time difference that will be tolerated between the NetScaler appliance and the SFDC server for the validity of the SAML assertion.

16. Set the Name ID Format to Unspecified, and put HTTP.REQ.USER.NAME in the Name ID Expression field. This directs NetScaler to provide the User Name as the user ID for SFDC.

17. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.


14

18. In the Expression field, add the following expression: HTTP.REQ.HEADER("Referer").CONTAINS("salesforce")

19. Click Create to complete the SAML IDP Configuration.

To Configure your AAA Virtual Server

An employee trying to log in to SFDC is redirected to a NetScaler AAA virtual server that validates the employee's corporate credentials. This virtual server listens on port 443, which requires an SSL certificate. External and/or internal DNS resolution of the virtual server's IP address (which is on the NetScaler appliance) is also required. The following steps require a preexisting virtual server to be in place. In addition, they assume that DNS name resolution is already in place, and that the SSL certificate is already installed on your NetScaler appliance.

1. In the NetScaler Configuration tab navigate to Security > AAA – Application Traffic > Virtual Servers and click the Add button.

2. In the Authentication Virtual Server window, enter the virtual server's name and IP address. (XMD_AV1 and 10.61.252.87 in this example)

3. Scroll down and make sure that the Authentication and State check boxes are selected.

4. Click Continue.

5. In the Certificates section, select No Server Certificate.

6. Under Select Server Certificate, choose your AAA SSL Certificate and select. (Note – This is NOT the SFDC SP certificate.) and Click Bind.

7. In the Certificates section, select No CA Certificate.

8. In the Server Cert Key window, click Bind.

9. Under Select CA Certificate, choose your CA Root Certificate and Click Select.

10. Under CRL and OSCP Check, choose your OCSP Optional and Click Bind.

11. Click Continue.

12. Under Advanced Authentication Policies click No Authentication Policy to add a Policy Binding

13. From the Select Policy window, select Choose Policy from the drop-down list, select the Cert_Policy created earlier, and Click Select.


15

14. Click Bind.

15. Under Advanced Authentication Policies click No SALM IDP Policy to add a Policy Binding, and click Add Binding.


17. Click Bind.

18. Click Continue.

19. Under Advanced Settings select Login Schemas click No Login Schema to add a Policy Binding, from the Select Policy dropdown select Cert_LoginSchema and click Select.

20. Click Bind.

21. Click Done.

After completing the AAA configuration above, this is how the Basic Settings screen of the AAA vserver will look:


16

iOS Managed Configuration: Salesforce via the XenMobile Console

Prerequisites

1. The Salesforce must be an MDM-managed application with in the XenMobile Server.

2. XenMobile server needs to be setup to integrate with a PKI entity for obtaining a user cert. (Only Required if you are using Certificate Based Auth)

3. XenMobile needs to push a Credential Policy to the device, to provision a user cert to the device. (Only Required if you are using Certificate Based Auth)

Configure the Salesforce App Config Policy

For your users Salesforce application to be configured, you must configure and deploy an App Configuration Policy with in the XenMobile server. This policy will assign the customers Salesforce environment as well as additional DLP settings. Use the following procedure:

1. In the XenMobile console navigate to Configure > Device Policies and click the Add button.

2. Select App Configuration, name your policy and click Next.

3. We will be only configuring iOS, so you can uncheck any other OS options.

4. In the Identifier drop down select the Salesforce App ID (com.salesforce.chatter) and select it.

5. If you do not see it, select Add New, and enter the Salesforce App ID (com.salesforce.chatter)

6. In the Dictionary Content you will need to enter your desired application configurations.

There are a number of Configuration options see the samples below;

a. For Certificate Based Authentication

<dict> <key>RequireCertAuth</key><true></true> <key>ClearClipboardOnBackground</key><true></true> <key>AppServiceHosts</key><string>customerdomain.my.salesforce.com</string> <key>AppServiceHostLabels</key><string>CustomerSalesforceLabel </string> <key>OnlyShowAuthorizedHosts</key><true></true> </dict>


17

b. For User Name and Password Based Authentication

<dict> <key>RequireCertAuth</key><false></false> <key>ClearClipboardOnBackground</key><true></true> <key>AppServiceHosts</key><string>customerdomain.my.salesforce.com</string> <key>AppServiceHostLabels</key><string>CustomerSalesforceLabel </string> <key>OnlyShowAuthorizedHosts</key><true></true> </dict>

7. Click Next.

8. Assign the policy to the desired Delivery Group and Click Save.


18

Salesforce App Configuration Key Definitions

Key Description Key-Value Pair

RequireCertAuth

If true, the certificate-based authentication flow initiates. iOS: Redirects the user to Safari for all authentication requests.

false

AppServiceHosts Login hosts. First value in the array is the default host.

customerdomain.my.salesforce.com

AppServiceHostLabels Labels for the hosts CustomerSalesforceLabel

OnlyShowAuthorizedHosts

If true, prevents users from modifying the list of hosts that Salesforce can connect to.

true

ClearClipboardOnBackground

If true, the contents of the iOS clipboard are cleared when the mobile app is backgrounded. This prevents the user from accidentally copying and pasting sensitive data outside of the application.

true

https://resources.docs.salesforce.com/208/latest/en-us/sfdc/pdf/salesforce1_mobile_security.pdf

• App Tunnel (per-app VPN)

o With the iOS per app-VPN feature, you can leverage the VPN profile in conjunction with the Citrix VPN app on a XenMobile-managed iOS device. There, you can establish an on-demand VPN tunnel to the enterprise network for a desired set of applications installed on the device.

o Per App VPN with XenMobile and Citrix VPN Blog

Conclusion

With the power of the XenMobile and Salesforce, you can now connect to customers in a whole new way, all from your mobile device.


19

About the Authors and Contributors

Frank Srp is a Senior Technical Marketing Manager specialized on Mobility, Citrix.

Sujit Narayanan is a Principal Product Manager, Citrix.

Vijaya Raghavan is a Senior Product Manager, Citrix.

A special thanks to the reviewers of this Solutions Brief:

• Matthew Brooks

• Amandeep Nagra

• Tarkan Kocoglu

Enterprise Sales North America | 800-424-8749 Worldwide | +1 408-790-8000 Locations Corporate Headquarters | 851 Cypress Creek Road Fort Lauderdale, FL 33309, United States Silicon Valley | 4988 Great America Parkway Santa Clara, CA 95054, United States © 2017 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).

Documents

Configuring and Delivering Salesforce as a managed ... · Citrix.com|Solutions Guide|Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler