Channel: XenApp/XenDesktop – Carl Stalhood

Citrix Federated Authentication Service (SAML)



Overview

Citrix Federated Authentication Service enables users to log in to NetScaler Gateway and StoreFront using SAML authentication, so no Active Directory password ever passes through the Gateway or StoreFront.

Citrix Federated Authentication Service uses Microsoft Certificate Authority to issue certificates on behalf of users. These certificates are used for the StoreFront and Virtual Delivery Agent logon process.

Requirements:

  • Microsoft Certificate Authority in Enterprise mode
  • XenApp/XenDesktop 7.9
  • StoreFront 3.6
  • NetScaler Gateway
  • Receiver for Web only. Receiver Self-Service doesn’t support web-based authentication.

Install Service and Configure

The service should be installed on a secure, standalone server that does not have any other Citrix components installed. The FAS server holds a Registration Authority certificate that lets it obtain logon certificates for any user covered by its rules, so treat it with the same care as a domain controller: restrict who can administer it, and don't place it on a shared or multi-purpose host.

  1. On the Federated Authentication Service server, go to the XenDesktop 7.9 ISO and run AutoSelect.exe.
  2. On the bottom right, click Federated Authentication Service.
  3. In the Licensing Agreement page, select I have read, understand, and accept the terms of the license agreement and click Next.
  4. In the Core Components page, click Next.
  5. In the Firewall page, click Next.
  6. In the Summary page, click Install.
  7. In the Finish Installation page, click Finish.
  8. On the StoreFront 3.6 server, run the following command:
    & "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
  9. Run the following commands. Adjust the store name as required.
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
  10. If you have multiple StoreFront servers, Propagate Changes.
  11. On a Delivery Controller, run the following commands. With this setting enabled, the Controller accepts the user identity that StoreFront asserts over the XML service port without validating credentials itself, so restrict that port (80 or 443) to your StoreFront servers with a firewall and enable HTTPS on the Controllers.
    asnp citrix.*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
  12. On the Federated Authentication Service server, browse to C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Copy the file and folder.
  13. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the file and folder. If this path doesn’t exist, then copy them to C:\Windows\PolicyDefinitions.
  14. Edit a GPO that applies to all StoreFront servers, all Federated Authentication Service servers, and all VDAs.
  15. Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication.
  16. Edit the setting Federated Authentication Service.
  17. Enable the setting and click Show.
  18. Enter the FQDN of the Federated Authentication Service server.
  19. Click OK twice.
  20. On the Federated Authentication Service server, run gpupdate.
  21. From the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
  22. The Federated Authentication Service FQDN should already be in the list (from group policy). Click OK.
  23. In Step 1: Deploy certificate templates, click Start.
  24. Click OK to add certificate templates to Active Directory. Sufficient permission is required.
  25. In Step 2: Setup Certificate Authority, click Start.
  26. Select a Certificate Authority to issue the certificates and click Ok.
  27. In Step 3: Authorize this Service, click Start.
  28. Step 3 automatically submits an online request for the Registration Authority certificate to the CA and stores the non-exportable private key in the standard Microsoft Enhanced RSA and AES Cryptographic Provider. Alternatively, you can submit the certificate request manually and store the private key in TPM or HSM as detailed at Federated Authentication Service private key protection at Citrix Docs.
  29. Select the issuing Certificate Authority and click OK.
  30. Go to the Certificate Authority Console > Pending Requests. Find the pending request and Issue it.
  31. In a minute or two, Federated Authentication Service will recognize the issued certificate and Step 3 will turn green. If it doesn’t turn green, then there might be a private hotfix. See David Lloyd at Citrix Discussions.
  32. Switch to the User Rules tab.
  33. Use the Certificate Authority drop-down to select the issuing Certificate Authority.
  34. Use the Certificate Template drop-down to select the Citrix_SmartcardLogon template.
  35. Click Edit next to List of StoreFront servers that can use this rule.
  36. Remove Domain Computers from the top half and instead add your StoreFront servers. You could add an Active Directory security group instead of individual StoreFront servers. Leaving Domain Computers in place would let any domain-joined computer ask FAS for a logon certificate on behalf of any user in the rule.
  37. On the bottom half, make sure Assert Identity is Allowed. Click OK.
  38. By default, all users and all VDAs are allowed. You can click the other two Edit boxes to change this.
  39. When done, click Apply.
  40. Click OK when Rule updated successfully.
  41. To further restrict who can be issued certificates, go to your Certificate Authority’s Properties and use the Enrollment Agents tab to restrict enrollment agents.
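The following PowerShell is an added example, not from the original article or from Citrix. Run it on the FAS server after step 41: it locates the Registration Authority certificate that step 28 enrolled, reports whether its private key is exportable or hardware-backed (the distinction the Citrix private key protection doc is about), and reads the FAS address list that the GPO from steps 14-19 pushes to clients. Two details are assumptions not stated on the page: that the RA certificate is enrolled from a template named Citrix_RegistrationAuthority into the LocalMachine\My store, and that the GPO writes its addresses under HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses.

```powershell
# Added example (not from the original article): audit the FAS server's
# Registration Authority key protection and the GPO-delivered FAS address list.
# Assumptions: RA certificate template name and store, and the GPO registry path.

function Get-FasRegistrationAuthorityCert {
    param([string]$TemplateName = 'Citrix_RegistrationAuthority')   # assumed template name
    # Enterprise CA certificates carry their template in the Certificate Template
    # Information extension (OID 1.3.6.1.4.1.311.21.7); match on its text.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and ($ext.Format($false) -like "*$TemplateName*")
    }
}

function Test-FasPrivateKeyProtection {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $result = [ordered]@{
        Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; NotAfter = $Cert.NotAfter
        Provider = $null; Exportable = $null; HardwareBacked = $false; Protected = $false
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$result }

    # Legacy CSP keys (the default "Microsoft Enhanced RSA and AES Cryptographic
    # Provider" from step 28) surface as RSACryptoServiceProvider.
    $rsa = $null
    try { $rsa = $Cert.PrivateKey } catch { }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $rsa.CspKeyContainerInfo
        $result.Provider       = $info.ProviderName
        $result.Exportable     = $info.Exportable
        $result.HardwareBacked = $info.HardwareDevice
    } else {
        # CNG/KSP keys (TPM or HSM, the manual path in step 28) come back as RSACng.
        $cng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($cng -is [System.Security.Cryptography.RSACng]) {
            $result.Provider       = $cng.Key.Provider.Provider
            $result.Exportable     = ($cng.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            $result.HardwareBacked = ($cng.Key.Provider -ne [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider)
        }
    }
    # Protected means the RA key cannot simply be exported and used off-box.
    $result.Protected = ($result.Exportable -eq $false) -or $result.HardwareBacked
    [pscustomobject]$result
}

function Get-FasPolicyAddresses {
    # Assumed registry path written by the "Federated Authentication Service" GPO setting.
    $key = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like 'Address*' } |
        ForEach-Object { $_.Value }
}

# Usage
$addresses = @(Get-FasPolicyAddresses)
if (-not $addresses) { Write-Warning 'No FAS address from GPO: run gpupdate or check the GPO scope.' }
else { "FAS servers pushed by policy: $($addresses -join ', ')" }

$certs = @(Get-FasRegistrationAuthorityCert)
if (-not $certs) { Write-Warning 'No Registration Authority certificate found: step 3 has not completed.' }
$certs | ForEach-Object { Test-FasPrivateKeyProtection -Cert $_ } | Format-List
```

A result with Protected = False means the RA key is a software key marked exportable; anyone with local administrator rights on the FAS server could copy it and enrol logon certificates for users from another machine, which is the scenario the TPM/HSM option in step 28 is meant to close off.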

NetScaler Gateway Config

SAML on NetScaler Gateway 11.1

If NetScaler 11.0, see SAML on NetScaler Gateway 11.0.

Dennis Radstake’s SAML authentication for Citrix XenDesktop and XenApp has some ADFS configuration instructions.

  1. Export the signing certificate from your SAML iDP. The iDP could be ADFS, Okta, Ping, etc.
  2. Import the iDP’s signing certificate (public key only, no private key) to NetScaler under Traffic Management > SSL > Certificates > CA Certificates. NetScaler uses this certificate to verify the signature on the SAML assertions the iDP issues; the iDP signs them with the matching private key that never leaves the iDP.
  3. Import a certificate with private key that NetScaler will use to sign its SAML authentication requests. Export the same certificate (without private key) and import it on your SAML iDP as the Relying Party’s signature verification certificate. NetScaler signs each authentication request with the private key, and the iDP verifies that signature with the public certificate.
  4. Go to NetScaler Gateway > Policies > Authentication > SAML.
  5. On the right, switch to the Servers tab, and click Add.
  6. Enter the information for authenticating with SAML. This configuration will vary depending on your SAML iDP.
  7. For iDP Certificate Name, select the SAML iDP’s certificate (exported from the SAML iDP). NetScaler uses it to verify the iDP’s signature on the SAML assertion, so an assertion signed by any other key is rejected.
  8. For Redirect URL, enter the URL to the SAML iDP’s authentication page. NetScaler Gateway will redirect users to this URL.
  9. For Signing Certificate Name, select the NetScaler certificate (with key) whose public half was imported to the SAML iDP for the Relying Party. NetScaler uses its private key to sign the authentication requests it sends to the iDP.
  10. Enter an Issuer Name that the SAML iDP is expecting for the Relying Party.
  11. Click More.
  12. NetScaler defaults to SHA1. Change the Signature Algorithm and Digest Method to SHA256 unless your iDP cannot accept it; SHA1 signatures are deprecated and most current iDPs reject or warn on them.
  13. Review the other settings as needed by your iDP. Click Create when done.
  14. On the right, switch to the Policies tab, and click Add.
  15. Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
  16. Edit your Session Policy/Profile. On the Published Applications tab, make sure Single Sign-on Domain is not configured.
  17. Edit your Gateway Virtual Server. Go to the Basic Authentication section, and add a policy.
  18. Bind the SAML policy. This is the only authentication policy you need. Remove all other authentication policies from this virtual server; leaving an LDAP or other primary policy bound only widens the ways a user can authenticate to the Gateway without going through the iDP.

  19. Next step: configure StoreFront for SAML NetScaler Gateway.
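The same SAML action, policy and Gateway binding that steps 4-18 build in the GUI (the 11.0 section below is the same configuration with slightly different menu paths) can be created from PowerShell through the NetScaler Nitro REST API. The script below is an added example, not from the original article or from Citrix. Object names, the ADFS URL, the issuer and the Gateway virtual server name are placeholders; the Nitro resource and attribute names mirror the parameters of the NetScaler 11.x CLI command add authentication samlAction, which are shown in the comments. It also sets the two things the GUI does not default to: SHA256 for signature and digest, and strict rejection of unsigned responses.

```powershell
# Added example, not from the original article or from Citrix.
# Builds the SAML objects from the GUI steps as Nitro REST payloads; all names
# and URLs are placeholders. Payloads can be reviewed offline before pushing.

function New-NsSamlConfig {
    param(
        [string]$VServerName = 'gw_vsrv',                       # Gateway virtual server from step 17
        [string]$IdpCertKey  = 'idp_signing_cert',              # iDP cert without key, from step 2
        [string]$SpCertKey   = 'gw_saml_signing',               # NetScaler cert with key, from step 3
        [string]$RedirectUrl = 'https://adfs.example.com/adfs/ls/',
        [string]$Issuer      = 'https://gateway.example.com'
    )
    # CLI: add authentication samlAction saml_act_idp -samlIdPCertName idp_signing_cert
    #        -samlSigningCertName gw_saml_signing -samlRedirectUrl <url> -samlIssuerName <issuer>
    #        -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlRejectUnsignedAssertion STRICT
    $action = [ordered]@{
        name                        = 'saml_act_idp'
        samlidpcertname             = $IdpCertKey    # verifies the iDP's signature on assertions
        samlsigningcertname         = $SpCertKey     # signs the AuthnRequest NetScaler sends
        samlredirecturl             = $RedirectUrl
        samlissuername              = $Issuer
        signaturealg                = 'RSA-SHA256'   # GUI default is RSA-SHA1 (step 12)
        digestmethod                = 'SHA256'
        samlrejectunsignedassertion = 'STRICT'       # ON rejects unsigned assertions; STRICT also requires a signed response
    }
    # CLI: add authentication samlPolicy saml_pol_idp -rule ns_true -reqAction saml_act_idp
    $policy = [ordered]@{ name = 'saml_pol_idp'; rule = 'ns_true'; reqaction = 'saml_act_idp' }
    # CLI: bind vpn vserver gw_vsrv -policy saml_pol_idp -priority 100
    $binding = [ordered]@{ name = $VServerName; policy = 'saml_pol_idp'; priority = 100 }

    @(
        [pscustomobject]@{ Method = 'Post'; Resource = 'authentication_samlaction'
                           Body = @{ authentication_samlaction = $action } }
        [pscustomobject]@{ Method = 'Post'; Resource = 'authentication_samlpolicy'
                           Body = @{ authentication_samlpolicy = $policy } }
        [pscustomobject]@{ Method = 'Put';  Resource = 'vpnvserver_authenticationsamlpolicy_binding'
                           Body = @{ vpnvserver_authenticationsamlpolicy_binding = $binding } }
    )
}

function Invoke-NsNitroConfig {
    param(
        [Parameter(Mandatory)][string]$NsIp,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][object[]]$Steps
    )
    # Nitro takes the appliance credentials in headers; config objects live under /nitro/v1/config/.
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    foreach ($step in $Steps) {
        $uri = "https://$NsIp/nitro/v1/config/$($step.Resource)"
        Invoke-RestMethod -Method $step.Method -Uri $uri -Headers $headers `
            -ContentType 'application/json' -Body ($step.Body | ConvertTo-Json -Depth 5)
    }
}

# Usage: inspect the payloads offline, then push them to the NSIP.
$steps = New-NsSamlConfig -VServerName 'gw_vsrv'
$steps | ForEach-Object { "$($step = $_; $step.Method) $($step.Resource)"; $step.Body | ConvertTo-Json -Depth 5 }
# Invoke-NsNitroConfig -NsIp '192.0.2.10' -Credential (Get-Credential) -Steps $steps
```

Check the iDP side after pushing: the Relying Party there must hold the public half of gw_saml_signing and be configured to sign its responses, otherwise STRICT will correctly refuse every login.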

SAML on NetScaler Gateway 11.0

If NetScaler 11.1, see SAML on NetScaler Gateway 11.1.

Dennis Radstake’s SAML authentication for Citrix XenDesktop and XenApp has some ADFS configuration instructions.

  1. Export the signing certificate from your SAML iDP. The iDP could be ADFS, Okta, Ping, etc.
  2. Import the iDP’s signing certificate (public key only, no private key) to NetScaler. NetScaler uses this certificate to verify the signature on the SAML assertions the iDP issues; the iDP signs them with the matching private key that never leaves the iDP.
  3. Import a certificate with private key that NetScaler will use to sign its SAML authentication requests. Export the same certificate (without private key) and import it on your SAML iDP as the Relying Party’s signature verification certificate. NetScaler signs each authentication request with the private key, and the iDP verifies that signature with the public certificate.
  4. Go to NetScaler Gateway > Policies > Authentication > SAML > Servers and click Add.
  5. Enter the information for authenticating with SAML. This configuration will vary depending on your SAML iDP.
  6. For iDP Certificate Name, select the SAML iDP’s certificate (exported from the SAML iDP). NetScaler uses it to verify the iDP’s signature on the SAML assertion, so an assertion signed by any other key is rejected.
  7. For Redirect URL, enter the URL to the SAML iDP’s authentication page. NetScaler Gateway will redirect users to this URL.
  8. For Signing Certificate Name, select the NetScaler certificate (with key) whose public half was imported to the SAML iDP for the Relying Party. NetScaler uses its private key to sign the authentication requests it sends to the iDP.
  9. Enter an Issuer Name that the SAML iDP is expecting for the Relying Party.
  10. Click More.
  11. NetScaler defaults to SHA1. Change the Signature Algorithm and Digest Method to SHA256 unless your iDP cannot accept it; SHA1 signatures are deprecated and most current iDPs reject or warn on them.
  12. Review the other settings as needed by your iDP. Click Create when done.
  13. On the right, switch to the Policies tab and click Add.
  14. Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
  15. Edit your Session Policy/Profile. On the Published Applications tab, make sure Single Sign-on Domain is not configured.
  16. Edit your Gateway Virtual Server. Go to the Authentication section and add a policy.
  17. Bind the SAML policy. This is the only authentication policy you need. Remove all other authentication policies from this virtual server; leaving an LDAP or other primary policy bound only widens the ways a user can authenticate to the Gateway without going through the iDP.
  18. Next step: configure StoreFront for SAML NetScaler Gateway.

StoreFront Config for SAML Gateway

  1. In StoreFront 3.6, right-click the store and click Manage Authentication Methods.
  2. Make sure Pass-through from NetScaler Gateway is selected.
  3. Click the gear icon on the right and click Configure Delegated Authentication.
  4. Check the box next to Fully delegate credential validation to NetScaler Gateway and click OK.
  5. In StoreFront, add a NetScaler Gateway object that matches the NetScaler Gateway Virtual Server that has SAML enabled.
  6. On the Authentication Settings page, make sure you configure a Callback URL. StoreFront contacts the Callback URL to confirm with the Gateway that the session it is being asked to trust was actually authenticated there; with credential validation fully delegated, logon fails without it.
  7. Then assign (Configure Remote Access Settings) the Gateway to your Store.
