OpenID Connect / OAuth 2.0. Integration with XenApp through Unified Gateway

OpenID Connect / OAuth 2.0. Integration with XenApp through Unified Gateway

11:05 AM
OpenID Connect / OAuth 2.0. Integration with XenApp through Unified Gateway -

In this article we will examine how OpenID Connect authentication with the XenApp (XA) environment to integrate

enables integration a user log on to a published XenApp application on Google and seamlessly to start without Active Directory (AD) provides creds.

for this article, the user "https receives. //oauth2.lab.com 'As the user navigates to the URL, they are directed to authenticate Google After logging in via Google, a Google Mail. address and password, the user is presented with published XenApp applications in NetScaler Gateway the application starts without additional authentication challenge -. not a requirement for Active Directory creds

for our endeavor, we will use a few new NetScaler 11.0 functions listed as follows .:

  1. oAuth 2.0 (Under AAA) - providing OpenID Connect authentication
  2. Unified access - combines AAA and NetScaler Gateway (NG) authentication
  3. content Switch -. The ability to switch traffic to a NG vServer Before traffic can only to a LB vServer

in addition, the following storefront (SF) feature will be switched into action:

  1. Protocol transition by smart card authentication
  2. Kerberos constraint delegation (KCD) for XA6 .5 Delivery controller (XML Broker)

Finally, the following Active Directory features are required, as well:

  1. Kerberos and delegation
  2. Explicit UserPrincipalName (eUPN) and implicit UPN (iUPN)

to provide the above-mentioned user experience, four (4) rounds of Single Sign-on ( SSO) must be done in the background. They are listed as follows, in chronological order:

  1. Google for NetScaler (AAA) by OpenID Connect
  2. NetScaler (AAA) to NG through Unified Gateway
  3. NG SF by smart card authentication
  4. SF XA Delivery controller and session hosts by Kerberos constraint delegation (KCD)

in the following sections we will delve into technical details, which enables our user experience.

OpenID Connect / oAuth outsource 2.0

We use OpenID Connect authentication NetScaler Gateway to Google.

oAuth 2.0, an enabling framework is described here at https://tools.ietf.org/html/rfc6749.

OpenID Connect, an identity layer built on top of oAuth 2.0, there is an authentication protocol make, at http://openid.net/connect/faq/

is the purpose of OpenID Connect described herein, the ability to ask for a web application is available outsource authentication to a third.

the following screenshot shows that you can sign up or log in quorums by third authentication providers such as Google, Facebook or Twitter.

1

To understand how the protocol works in a nutshell, and their implementation on the NetScaler take, please take a look at the chart below.

2

Hopefully the pictorial representation of the traffic flow, above, is simple. If you, please link to find the hundred pages long protocol specification like in the previous section.

OAuth 2.0 occurs between flow 4 to 7

OpenID Connect, pieces an identity built on top oAuth 2.0 is shown in flow 8 and 9

If you familiar with SAML are, you will find that the above notice Share flows some similarities.

However, in SAML, the Service Provider (SP) and Identity Provider (IDP) never be communicated between a physical network connection, such as the news passed on the user agent (eg Web browser) over HTTP redirects.

is required in oAuth 2.0 / OpenID Connect, a direct network connection between the NetScaler and Google, oAuth 2.0 to use with Google to rates from 6 bis 9

support, you must oAuth receive 2.0 credentials so as a client ID and client secret that both Google and NetScaler are known. This process is documented by Google in https://developers.google.com/identity/protocols/OAuth2?hl=en

The following screenshot shows how this might look.

3

Once the details of Google are obtained, we can then configure the NetScaler accordingly, as shown below.

4

as OpenID Connect / oAuth 2.0 is an advanced authentication function, it falls below AAA, and is therefore not as an authentication option for NG available.

as a result the only way to use them involves oAuth policies to a AAA bond vServer and then assign it to the AAA vServer on a LB vServer.

they let us take a look at how they work in practice.

screenshot below is a client-side HTTP traffic trace, it captures HTTP transactions over the authentication process. Traffic irrelevant dimmed for authentication.

Please note that HTTP is a transaction based protocol, an HTTP request sense to an HTTP response corresponding. The request is shown on reaction, and the two are separated by a blank line, in the following analysis.

is only relevant information appears brevity within each HTTP transaction.

5

transaction 1 (number on the left side shown), shows that the user is redirected to authenticate to Google, via an HTTP 302 response, the URL the provides for the next HTTP request.

The 'Location' header value in the HTTP response contains information obtained by Google in oAuth registration. For example, Client ID

6

transactions 2 ~ 13 (low), where processes Google login, not relevant, therefore, been omitted for brevity.

transaction 14, below, shows that the user is redirected back to the NetScaler (https://oauth2.lab.com) have authenticated via an HTTP 302, after successfully at Google.

Please note that subsidy code (4 / NdXsMCIwy38cCVeHg7tyJfBlR2bYL8m4Dz6YNUD8_ss) returned by Google.

7

The following shows part of the transaction request 15 that the 'Location' header value corresponding to (URL) of the HTTP response in the transaction 14. [1945004[

8

, the above GET request, grant forwards code to the NetScaler, as indicated by the "host" header.

Once the NetScaler granting receive code, it then contacts Google in the background, contends granting code, in exchange for a access token .

As mentioned above, this communication takes place directly between the NetScaler and Google, and is therefore not available in the client-side track, shown everywhere.

However, the following text is extracted from NetScaler log , marked in red, shows that access token.

9

authorization is granted once the NetScaler obtain this access token from Google.

This includes oAuth approval.

As mentioned before, oAuth is an enabling framework that does not reveal the user's identity.

OpenID Connect, built on oAuth above, is an authentication protocol. As such id_token highlighted above shown in blue, encrypted user identity info contains, returned by Google.

The following protocol shows that the NetScaler makes a second call to Google id_token deciphered and consequently receives user identity information (eg Gmail address).

10 11

This includes OpenID Connect authentication.

Once OpenID Connect has completed creating the NetScaler a session under AAA sends the user AAA cookies (shown in red below, answer part of the transaction 15) and redirects the user to the original requested resource (https: / /oauth2.lab.com/) via an HTTP 302

12

Please note that HTTP is not by itself a stateful protocol and cookies states are used to keep track of ,

The following HTTP requests as long NSC_TMAA and NSC_TMAS cookies are present, and have the correct values, the NetScaler requested resources will be used to bypass authentication.

Unified Gateway

Thus, the user is authenticated at the NetScaler by OpenID Connect, what next?

How can we use an authenticated session and connect it to NetScaler Gateway and finally XenApp?

The hook, requires unified gateway, a NetScaler 11.0 function that binds together AAA and gateway authentication. In other words, with unified gateway, we can use a AAA session in a NG-session, and proceed vice versa.

How does this union work?

presents the case of a low level when AAA Cookies are NG, checked gateway if they are valid AAA cookies, if so, creates a gateway session and are the gateway cookie.

transaction 17, below, that application for '/vpn/index.html' shows intended to Gateway contains the AAA cookies (NSC_TMAA and NSC_TMAS).

after the validation of the two (2) AAA cookies NetScaler creates a gateway session, and then sets the gateway cookie (NSC_AAAC) in his reply.

as a result, as long as the gateway cookie is present in all follow-up questions, no authentication is required.

13

in order to achieve the above-mentioned session transition that " login once 'option provided by Unified Gateway available on the Gateway -vserver must be turned on, as shown below.

14

content switch

So far we have covered how to set oAuth 2.0 / OpenID Connect, a LB VPS and the associated AAA vServer requires;. session migration from AAA to Gateway Unified Gateway to

the question is, we can OpenID Connect and gateway traffic merge so that they make a single IP-sharing.

Fortunately NetScaler 11.0 a new feature enabled in content switch, in addition to a LB vServer to a backend gateway vServer, can be switched traffic.

the following CS configuration shows that Gateway / storefront traffic path is visible URL, switched to the gateway vServer.

traffic not involved Gateway / storefront, is switched to the standard LB vServer, which has the sole purpose of invoking OpenID Connect authentication at the beginning. is

15

'aaa_path', shown below, a predefined pattern is set to the NetScaler, which contains the following items, used to identify assigned all traffic with Gateway. "Citrix" as a URL path identifier is used to switch traffic destined to storefront.

16

Once OpenID Connect is complete, a responder policy required traffic at the gateway to redirect login page, as shown below.

17

, the content switch evaluates the URL (/vpn/index.html) and then sends traffic to the backend gateway vServer match.

the whole process looks like this,

  1. , the user enters https://oauth2.lab.com in browser and traffic meets the CS vServer
  2. traffic calls to the switched-standard back-LB vServer
  3. LB vServer AAA vServer and then passes OpenID Connect authentication
  4. by OpenID Connect accounts in AAA an authenticated session and returns the user AAA cookies to session hold
  5. user is redirected to https://oauth2.lab.com of AAA back, with AAA cookies
  6. traffic meets the CS vServer is, back to the default backend LB vServer connected. The presence of AAA cookies, user authentication is not provided
    7. in question
  7. users will https://oauth2.lab.com/vpn/index.html diverted via a responder policy, linked to the LB vServer
  8. CS VPS receives diverted traffic, it goes into a gateway vServer, based on CS policy.
  9. Gateway VDS provides the AAA cookies, she buys a gateway session and issued the user gateway cookie (NSC_AAAC)

The following screenshot shows the user to acknowledge Gmail address, has found two sessions on the NetScaler, one for AAA (TM) and the other for Gateway (VPN). 18

storefront and Kerberos Constraint Delegation

Once the user logged into the gateway, storefront kicks.

, the question is how we SSO the user to storefront, XA Delivery Controller and Session hosts without AD credentials.

For password less SSO, we need to use storefront smart card authentication, Protocol Transition and Kerberos Constraint Delegation (KCD) which is supported since Storefront 2.6.

but KCD is only supported XenApp 6.5.

Smart card authentication allows Storefront authentication to accept without a password.

Protocol Transition authenticate earlier OpenID Connect to Kerberos for XenApp environment enables the transition.

Constraint Delegation, a secure extension unconstraint delegation in Windows Server 03 introduced, allows the administrator to accurately on a downstream server to specify the services (eg Session Host / XML broker) can be accessed when a impersonated security context of the user is used.

Below we show a selection and specific configuration items that storefront must be configured correctly. Noncritical settings are omitted for brevity.

"Authentication" safe Within storefront console "smart card" do and "pass-through of NetScaler Gateway 'are activated.

[1945030[

in" pass-through of NetScaler Gateway 'authentication method, check the following.

20

in the 'Delivery Controller manage ", make sure that the host part of the Service Principal Name for the XML broker specified. It is usually the FQDN or hostname within the domain registered. an IP address will specify result in a failure, a Kerberos service ticket to obtain.

21

the following is safely activated

22

in the 'receiver for Web', make sure that the supporters are activated for the newly created website

23

Add user or a group that OpenID Connect authentication C using :. Program Files Citrix receiver storefront Services Protocol transition service AccessList.txt, have 'read' and 'Read and execute "access. be added simplicity 'domain user.

24

for Kerberos delegation, please Dimitrios Samorgiannidis "rock solid Blog published in / blogs / 05.03.2012 / follow troubleshooting- smart card-sso-with Access Gateway Enterprise Edition part 2 /. Kerberos protocol is notoriously complex to understand and debug, provided Dimitrios' blog available much needed information in detail.

in a nutshell, as Dimitrios . mentioned 'blog

storefront should delegate:

  • HTTP service on all XML Broker (could be for some designs)

XML Broker should delegate

  • CIFS & LDAP (any domain controller)
  • HOST (all XenApp servers in the same farm)
  • HOST to yourself
  • HTTP to yourself

XenApp should delegate:

  • CIFS & LDAP ( any domain controller)
  • HOST
  • HTTP service associate to itself
    • all XML Broker

account

The next question is, since Google ID and AD user names are completely separated, as we combine Google ID an AD user?

In AD, there is an LDAP attribute, user principal name (UPN). A UPN may be implicitly or explicitly defined. An implicit UPN is of the form username @ domain. An explicit UPN is the @ suffix form name, with name and suffix can be any value. Both UPN, although defined differently, link to the same user.

The following screenshot shows that Google ID AD users 'chris' connected.

25

the following screenshot shows that Kerberos uses the Gmail address as the main, if requesting a service ticket.

26

in the following is shown that once the user is logged in, the user is identified as AD users 'chris'.

27

that's it!

In summary, we have with OpenID Connect authentication Unified Gateway supports content switching and configuration storefront and Kerberos Constraint Delegation.

Hope you have enjoyed the ride!

Next
« Prev Post
Previous
Next Post »
0 Komentar

Subscribe to: Post Comments (Atom)