Solution Guide

iOS Managed Configuration: Configuring and Delivering Salesforce as a managed application to XenMobile Users with 3rd Party SAML IDP (Identity Provider)

Citrix.com Solutions Guide: Configuring and Delivering Salesforce as a managed application to XenMobile Users with 3rd Party SAML IDP (Identity Provider)
Introduction

Organizations, large and small, leverage Salesforce.com. With the ever-growing Mobile Workspace, access to all your CRM data, existing customizations, and breakthrough productivity tools can now be protected for access from anywhere. With the power of XenMobile and Salesforce, you can now connect to customers in a whole new way, all from your mobile device.

Purpose of this document

This document is meant to guide administrators in configuring the following components:

- Salesforce.com for SAML Single Sign-On (SSO)
- Salesforce App Config via the XenMobile Console

The use case addressed in this document is:

1. Salesforce SAML authentication using username and password
Configure Salesforce SAML 2.0 Settings for Single Sign-On

Prerequisites

1. The Salesforce.com tenant needs to have Custom Domains enabled (e.g. customerdomain.my.salesforce.com).
2. An Identity Provider that supports SAML 2.0.

SAML 2.0 SSO Configuration

1. Log in to Salesforce.com as an administrator.
2. From Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and click Edit.
3. Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings. Click Save.
4. In SAML Single Sign-On Settings, click New.
5. Give this setting a Name for reference within your org. Salesforce inserts the corresponding API Name value.
6. Enter the Issuer. This is often referred to as the entity ID for the identity provider and will be provided by your IDP (e.g. https://saml.xenmobiledemo.com/saml/login).
7. Enter the custom domain for the Entity ID. You must share this information with your identity provider.
8. For the Identity Provider Certificate, use the Choose File button to locate and upload the certificate provided by your Identity Provider.
9. For the Request Signing Certificate, select the certificate you want from the ones saved in your Certificate and Key Management settings.
10. For the Request Signature Method, select the hashing algorithm for encrypted requests, RSA-SHA256.
11. For the SAML Identity Type, select "Assertion contains the User's Salesforce username".
12. For the SAML Identity Location, select "Identity is in the NameIdentifier element of the Subject statement".
13. For the Service Provider Initiated Request Binding, select HTTP POST.
14. Enter the Identity Provider Login URL, as provided by your Identity Provider.
15. Click Save.

Common IDP configuration guides are available here:

- Okta SAML 2.0 Salesforce Configuration
- Azure AD SAML 2.0 Salesforce Configuration
- OneLogin SAML 2.0 Salesforce Configuration
- Centrify SAML 2.0 Salesforce Configuration
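Steps 6, 8 and 14 each take a value that the identity provider publishes in its SAML 2.0 metadata (the entityID, the signing certificate, and the HTTP-POST SingleSignOnService location that matches the binding chosen in step 13). The following helper, an added example that is not Citrix's or any IDP vendor's code, pulls those three values out of a metadata document; the metadata shown is constructed for the example and uses the guide's sample entity ID with placeholder hostnames and a dummy certificate body.

```python
"""Extract Issuer, Identity Provider Certificate and Identity Provider Login URL
(Salesforce SSO form steps 6, 8 and 14) from an IdP's SAML 2.0 metadata.
Added example; the metadata below is constructed, not from a real IdP."""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: entityID is the guide's example; SSO locations and the
# certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://saml.xenmobiledemo.com/saml/login">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIDUMMYCERTBODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://saml.xenmobiledemo.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saml.xenmobiledemo.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return {'issuer', 'idp_certificate_pem', 'idp_login_url'} for the Salesforce form."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")  # step 6: Issuer / entity ID of the IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if issuer is None or idp is None:
        raise ValueError("not IdP metadata: entityID or IDPSSODescriptor missing")
    # step 8: the signing certificate (a KeyDescriptor without 'use' serves both roles)
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    cert = signing[0].findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) if signing else None
    if not cert:
        raise ValueError("no signing certificate in metadata")
    body = "".join(cert.split())  # metadata often wraps the base64 across lines
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"
    # step 14: the login URL must be the HTTP-POST endpoint, matching the binding chosen in step 13
    posts = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_POST]
    if not posts:
        raise ValueError("IdP exposes no HTTP-POST SingleSignOnService endpoint")
    return {"issuer": issuer, "idp_certificate_pem": pem, "idp_login_url": posts[0]}
```

Save the returned PEM to a file and upload it in step 8; a metadata document whose only SSO endpoint is HTTP-Redirect does not match the HTTP POST binding in step 13 and is rejected rather than silently substituted.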
iOS Managed Configuration: Salesforce via the XenMobile Console

Prerequisites

1. Salesforce must be an MDM-managed application within the XenMobile Server.

Configure the Salesforce App Config Policy

The App Configuration Policy within the XenMobile server will assign the customer's Salesforce environment as well as additional DLP settings. Use the following procedure:

1. In the XenMobile console, navigate to Configure > Device Policies and click the Add button.
2. Select App Configuration, name your policy and click Next.
3. We will only be configuring iOS, so you can uncheck any other OS options.
4. In the Identifier drop-down, select the Salesforce App ID (com.salesforce.chatter).
5. If you do not see it, select Add New and enter the Salesforce App ID (com.salesforce.chatter).
6. In the Dictionary Content you will need to enter your desired application configurations. There are a number of configuration options; see the sample below.

   a. For User Name and Password Based Authentication:

      <dict>
        <key>requirecertauth</key><false></false>
        <key>clearclipboardonbackground</key><true></true>
        <key>appservicehosts</key><string>customerdomain.my.salesforce.com</string>
        <key>appservicehostlabels</key><string>customersalesforcelabel</string>
        <key>onlyshowauthorizedhosts</key><true></true>
      </dict>

7. Click Next.
8. Assign the policy to the desired Delivery Group and click Save.
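The dictionary in step 6 is easy to get subtly wrong (a misspelt key has no effect, a login host outside the My Domain custom domain bypasses the SAML prerequisite, and a DLP flag left false weakens the posture the key definitions below describe). The following added example, which is not Citrix's or Salesforce's own code, builds the dictionary as an XML plist and lints it against the keys from this guide; the lint rules are this example's own checks, not a vendor-published policy, and accepting an array for appservicehosts is an assumption taken from the "array" wording in the key definitions.

```python
"""Build and lint the XenMobile App Configuration dictionary for the Salesforce
iOS app. Added example using the keys from this guide; rules are the example's own."""
import plistlib

# Keys documented in the guide, compared case-insensitively (the guide's sample
# writes them in lowercase, its definitions table in CamelCase).
KNOWN_KEYS = {"requirecertauth", "clearclipboardonbackground", "appservicehosts",
              "appservicehostlabels", "onlyshowauthorizedhosts"}

# The guide's username/password sample; the custom domain is a placeholder tenant.
SAMPLE_CONFIG = {
    "requirecertauth": False,
    "clearclipboardonbackground": True,
    "appservicehosts": "customerdomain.my.salesforce.com",
    "appservicehostlabels": "customersalesforcelabel",
    "onlyshowauthorizedhosts": True,
}


def build_plist(config):
    """Serialise the dictionary as the XML <dict> the console's Dictionary Content takes."""
    return plistlib.dumps(config, fmt=plistlib.FMT_XML)


def parse_plist(data):
    """Read an XML plist back into a dictionary, e.g. one exported from the console."""
    return plistlib.loads(data)


def _as_list(value):
    """Accept a single host string or an array of hosts (assumption, see lead-in)."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_config(config):
    """Return findings; an empty list means the config matches the guide's DLP posture."""
    lowered = {k.lower(): v for k, v in config.items()}
    findings = [f"unrecognised key '{k}' (typo?) has no effect" for k in config if k.lower() not in KNOWN_KEYS]
    hosts = _as_list(lowered.get("appservicehosts"))
    labels = _as_list(lowered.get("appservicehostlabels"))
    if not hosts:
        findings.append("appservicehosts is empty; no login host is pinned for the app")
    for host in hosts:
        if not host.endswith(".my.salesforce.com"):
            findings.append(f"{host} is not a My Domain host, which the SAML SSO prerequisite requires")
    if labels and len(labels) != len(hosts):
        findings.append("appservicehostlabels count does not match appservicehosts")
    if lowered.get("onlyshowauthorizedhosts") is not True:
        findings.append("onlyshowauthorizedhosts is not true; users can add unmanaged login hosts")
    if lowered.get("clearclipboardonbackground") is not True:
        findings.append("clearclipboardonbackground is not true; clipboard contents can leave the app")
    return findings
```

plistlib writes booleans as `<true/>` and `<false/>`, which is equivalent to the `<true></true>` form in the guide's sample.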
Salesforce App Configuration Key Definitions

RequireCertAuth
  Description: If true, the certificate-based authentication flow initiates. iOS: redirects the user to Safari for all authentication requests.
  Value: false

AppServiceHosts
  Description: Login hosts. The first value in the array is the default host.
  Value: customerdomain.my.salesforce.com

AppServiceHostLabels
  Description: Labels for the hosts.
  Value: CustomerSalesforceLabel

OnlyShowAuthorizedHosts
  Description: If true, prevents users from modifying the list of hosts that Salesforce can connect to.
  Value: true

ClearClipboardOnBackground
  Description: If true, the contents of the iOS clipboard are cleared when the mobile app is backgrounded. This prevents the user from accidentally copying and pasting sensitive data outside of the application.
  Value: true

Source: https://resources.docs.salesforce.com/208/latest/en-us/sfdc/pdf/salesforce1_mobile_security.pdf

App Tunnel (per-app VPN)

With the iOS per-app VPN feature, you can leverage the VPN profile in conjunction with the Citrix VPN app on a XenMobile-managed iOS device. There, you can establish an on-demand VPN tunnel to the enterprise network for a desired set of applications installed on the device. See the blog post "Per App VPN with XenMobile and Citrix VPN".

Conclusion

With the power of XenMobile and Salesforce, you can now connect to customers in a whole new way, all from your mobile device.
About the Authors and Contributors

Frank Srp is a Senior Technical Marketing Manager specializing in Mobility at Citrix.
Sujit Narayanan is a Principal Product Manager at Citrix.

A special thanks to the reviewers of this Solutions Brief: Matthew Brooks, Amandeep Nagra, Tarkan Kocoglu.

Enterprise Sales
North America: 800-424-8749
Worldwide: +1 408-790-8000

Locations
Corporate Headquarters: 851 Cypress Creek Road, Fort Lauderdale, FL 33309, United States
Silicon Valley: 4988 Great America Parkway, Santa Clara, CA 95054, United States

2017 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).