These days, when you make applications and services available from external locations, security is always (or should be) top-of-mind for IT admins. What they need to make sure of is that no one from an external location can easily break into their applications.
To achieve front-end security, one of the practices we normally carry out is to protect systems with multi-factor authentication. This gives any potential hacker an incredibly tough time, even if they managed to guess or brute force a user’s insecure password.
That said, how many companies protect Office 365 only with single-factor authentication? I am going to bet an extremely large sect of the customer base. Why? Some organisations have multi-factor authentication for NetScaler, but only single-factor authentication for Office 365. That is like placing a NetScaler on the internet with LDAP authentication; it’s frowned upon. For some reason, however, Office 365 seems exempt from the same. If someone manages to break into an Office 365 Global Administrator account that is protected only with single-factor authentication, then you are in big trouble. What happens when a confidential mailbox — something with customers’ personal and sensitive company information — is breached?
All it takes is for one unsecure computer to be key-logged, and the unsuspecting end-user from their home computer logs on to Office 365 to read their emails before bed (I know, we all do it right?). Little do they know they have just handed over the keys to the hacker whilst they are at it. Even a simple phishing attack is enough to compromise mailboxes that are protected with single-factor.
It's time to rethink your authentication strategy and learn how NetScaler can not just help but go beyonf your expectations.
The SAML authentication protocol has been around for over 10 years. It has also been one of those abbreviations referenced at many Citrix Synergy sessions in the past year or two. But for those of you who don’t know, what is SAML?
SAML (Security Assertion Markup Language) provides a way for one federation (an Identity Provider) to authenticate with another separate federation (a Service Provider) typically to consume available services. Rather than send passwords over the internet to authenticate with external SaaS applications, SAML is a more secure way to authenticate. Think of one Active Directory farm wanting to authenticate and consume services from another Active Directory farm, without the trust.
As one of many SaaS providers available today, Office 365 is claimed to beMicrosoft’s fastest growing business ever. I’ll stake my wager now that more people who read this post consume Office 365 services than not.
With Office 365 offering services to us all, we can class Office 365 as the Service Provider as, well, it provides the service. Office 365 supports SAML, and so does NetScaler. This means that with Office 365 as the Service Provider, we can configure NetScaler to be the Identity Provider. That is to say, NetScaler provides the authentication offering that Office 365 accepts before providing Outlook access, or SharePoint access, OneDrive, and so on.
Since NetScaler is now the Identity Provider, we open a whole stack of different ways users can authenticate to NetScaler and, in turn, Office 365. To name a few, NetScaler supports traditional LDAP, Certificates, RADIUS, WebAuth, Negotiate, and more. To understand the flow of authentication when NetScaler is in the mix, I’ve documented the steps at a high level:
Here are some of the scenarios you can support with NetScaler acting as the authentication enforcer for Office 365:
So what do you need? An Office 365 subscription, of course, and you need to be eligible to use the AAA (Authentication, Authorization and Auditing) feature, which requires, at a minimum, NetScaler Enterprise licensing. You’ll also need any required subscriptions for external authentication solutions. The good news is there are no further “gotchas” so you don’t need NetScaler Platinum licenses to achieve any of the authentication scenarios I described above.
So how do you configure it?
Continue to read here
If you want to know more about it, please access full details here: Citrix Blog