XenApp and XenDesktop

Federated Authentication Service ADFS deployment

June 16, 2021

Contributed by:

C A

Introduction

This document describes how to integrate a Citrix environment with Microsoft ADFS.

Many organizations use ADFS to manage secure user access to web sites that require a single point of authentication. For example, a company may have additional content and downloads that are available to employees; those locations need to be protected with standard Windows logon credentials.

The Federated Authentication Service (FAS) also allows Citrix NetScaler and Citrix StoreFront to be integrated with the ADFS logon system, reducing potential confusion for the company’s staff.

This deployment integrates NetScaler as a relying party to Microsoft ADFS.

localized image

SAML overview

Security Assertion Markup Language (SAML) is a simple “redirect to a logon page” web browser logon system. Configuration includes the following items:

Redirect URL [Single Sign-on Service Url]

When NetScaler discovers that a user needs to be authenticated, it instructs the user’s web browser to do a HTTP POST to a SAML logon webpage on the ADFS server. This is usually an https:// address of the form: https://adfs.mycompany.com/adfs/ls.

This web page POST includes other information, including the “return address” where ADFS will return the user when logon is complete.

Identifier [Issuer Name/EntityID]

The EntityId is a unique identifier that NetScaler includes in its POST data to ADFS. This informs ADFS which service the user is trying to log on to, and to apply different authentication policies as appropriate. If issued, the SAML authentication XML will only be suitable for logging on to the service identified by the EntityId.

Usually, the EntityID is the URL of the NetScaler server logon page, but it can generally be anything, as long as NetScaler and ADFS agree on it: https://ns.mycompany.com/application/logonpage.

Return address [Reply URL]

If authentication is successful, ADFS instructs the user’s web browser to POST a SAML authentication XML back to one of the Reply URLs that are configured for the EntityId. This is usually an https:// address on the original NetScaler server in the form: https://ns.mycompany.com/cgi/samlauth.

If there is more than one Reply URL address configured, NetScaler can choose one in its original POST to ADFS.

Signing certificate [IDP Certificate]

ADFS cryptographically signs SAML authentication XML blobs using its private key. To validate this signature, NetScaler must be configured to check these signatures using the public key included in a certificate file. The certificate file will usually be a text file obtained from the ADFS server.

Single sign-out Url [Single Logout URL]

ADFS and NetScaler support a “central logout” system. This is a URL that NetScaler polls occasionally to check that the SAML authentication XML blob still represents a currently logged-on session.

This is an optional feature that does not need to be configured. It is usually an https:// address in the form https://adfs.mycompany.com/adfs/logout. (Note that it can be the same as the Single Logon URL.)

Configuration

The NetScaler Gateway deployment section in the Federated Authentication Services architectures article describes how to set up NetScaler Gateway to handle standard LDAP authentication options, using the XenApp and XenDesktop NetScaler setup wizard. After that completes successfully, you can create a new authentication policy on NetScaler that allows SAML authentication. This can then replace the default LDAP policy used by the NetScaler setup wizard.

localized image

Fill in the SAML policy

Configure the new SAML IdP server using information taken from the ADFS management console earlier. When this policy is applied, NetScaler redirects the user to ADFS for logon, and accepts an ADFS-signed SAML authentication token in return.

localized image

The Federated Authentication Service article is the primary reference for FAS installation and configuration.
The common FAS deployments are summarized in the Federated Authentication Service architectures overview article.
“How-to” articles are introduced in the Federated Authentication Service configuration and management article.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Federated Authentication Service ADFS deployment

June 16, 2021

Contributed by:

C A

June 16, 2021

Contributed by:

C A

Federated Authentication Service ADFS deployment

Introduction

SAML overview

Redirect URL [Single Sign-on Service Url]

Identifier [Issuer Name/EntityID]

Return address [Reply URL]

Signing certificate [IDP Certificate]

Single sign-out Url [Single Logout URL]

Configuration

Fill in the SAML policy

Related information

In this article