These days, when you make applications and services available from external locations, security is always (or should be) top-of-mind for IT admins. What they need to make sure of is that no one from an external location can easily break into their applications.
To achieve front-end security, one of the practices we normally carry out is to protect systems with multi-factor authentication. This gives any potential hacker an incredibly tough time, even if they managed to guess or brute force a user’s insecure password.
That said, how many companies protect Office 365 only with single-factor authentication? I am going to bet an extremely large sect of the customer base. Why? Some organisations have multi-factor authentication for NetScaler, but only single-factor authentication for Office 365. That is like placing a NetScaler on the internet with LDAP authentication; it’s frowned upon. For some reason, however, Office 365 seems exempt from the same. If someone manages to break into an Office 365 Global Administrator account that is protected only with single-factor authentication, then you are in big trouble. What happens when a confidential mailbox — something with customers’ personal and sensitive company information — is breached?
All it takes is for one unsecure computer to be key-logged, and the unsuspecting end-user from their home computer logs on to Office 365 to read their emails before bed (I know, we all do it right?). Little do they know they have just handed over the keys to the hacker whilst they are at it. Even a simple phishing attack is enough to compromise mailboxes that are protected with single-factor.
It's time to rethink your authentication strategy and learn how NetScaler can not just help but go beyonf your expectations.
The SAML authentication protocol has been around for over 10 years. It has also been one of those abbreviations referenced at many Citrix Synergy sessions in the past year or two. But for those of you who don’t know, what is SAML?
SAML (Security Assertion Markup Language) provides a way for one federation (an Identity Provider) to authenticate with another separate federation (a Service Provider) typically to consume available services. Rather than send passwords over the internet to authenticate with external SaaS applications, SAML is a more secure way to authenticate. Think of one Active Directory farm wanting to authenticate and consume services from another Active Directory farm, without the trust.
As one of many SaaS providers available today, Office 365 is claimed to beMicrosoft’s fastest growing business ever. I’ll stake my wager now that more people who read this post consume Office 365 services than not.
With Office 365 offering services to us all, we can class Office 365 as the Service Provider as, well, it provides the service. Office 365 supports SAML, and so does NetScaler. This means that with Office 365 as the Service Provider, we can configure NetScaler to be the Identity Provider. That is to say, NetScaler provides the authentication offering that Office 365 accepts before providing Outlook access, or SharePoint access, OneDrive, and so on.
Since NetScaler is now the Identity Provider, we open a whole stack of different ways users can authenticate to NetScaler and, in turn, Office 365. To name a few, NetScaler supports traditional LDAP, Certificates, RADIUS, WebAuth, Negotiate, and more. To understand the flow of authentication when NetScaler is in the mix, I’ve documented the steps at a high level:
- Joe browses to https://login.microsoftonline.com and enters his email address
- Office 365 detects the specified realm and redirects user to NetScaler AAA
- NetScaler is normally connected to Active Directory, but supports a number of different authentication protocols and, as such, can challenge the user for a range of authentication methods
- If Joe can successfully authenticate with NetScaler, the NetScaler sends a SAML assertion (token) to Office 365
- Because Office 365 is configured to trust the NetScaler IdP, the token is accepted
- The attributes are extracted from the SAML assertion to identify Joe, and Joe is granted access to Office 365
Here are some of the scenarios you can support with NetScaler acting as the authentication enforcer for Office 365:
- User Certificate authentication, followed by LDAP password. If successful, authentication to Office 365 is granted.
- LDAP authentication followed by Azure Multi-Factor authentication (Microsoft Authenticator phone prompt). If successful, authentication to Office 365 is granted.
- LDAP authentication followed by Google one-time password. If successful, authentication to Office 365 is granted.
- Negotiate authentication for internal clients who can reach a KDC (Key Distribution Center). If successful, authentication to Office 365 is granted. No password is entered as Integrated Windows Authentication is used for true single sign-on.
- Certificate authentication only. Optionally no password has to be entered. If successful, authentication to Office 365 is granted.
- Username only followed by two one-time password prompts. If successful, authentication to Office 365 is granted.
So what do you need? An Office 365 subscription, of course, and you need to be eligible to use the AAA (Authentication, Authorization and Auditing) feature, which requires, at a minimum, NetScaler Enterprise licensing. You’ll also need any required subscriptions for external authentication solutions. The good news is there are no further “gotchas” so you don’t need NetScaler Platinum licenses to achieve any of the authentication scenarios I described above.
So how do you configure it?
Continue to read here
If you want to know more about it, please access full details here: Citrix Blog