How to Configure SAML - Introduction
Article ID: CTX220632
Description
SAML is an XML-based open standard which enables authentication of users across products or organizations. SAML is used by identity providers such as Google and by identity and authentication products such as Microsoft AD FS, Ping Identity, CA SiteMinder and more.
Citrix customers wish to use SAML-based products and services to authenticate users to XenApp and XenDesktop sessions.
The configuration in this document is performed using ADFS on Windows 2012 R2 as the Identity Provider (IdP).
Instructions
Identity Providers Supported:
Although the feature should work correctly with any SAML 2.0-compliant IdP, the following IdPs will be officially supported and tested:
- Microsoft ADFS v4.0 (Windows Server 2016) using SAML bindings only (not WS-Federation bindings)
- Microsoft ADFS v3.0 (Windows Server 2012 R2)
- Microsoft ADFS v2.0 (Windows Server 2008 R2)
- NetScaler Gateway (configured as an IdP)
Citrix Components:
- XenApp / XenDesktop 7.9 or newer
- Federated Authentication Service (FAS)
- StoreFront 3.9 or newer
- Citrix Receiver for Windows (4.6 and higher)
- Citrix Receiver for Web Sites
- Important: SAML authentication with non-domain-joined StoreFront servers is not supported.
Upgrades from previous StoreFront versions:
- If upgrading from a previous version of StoreFront, the SAML authentication option may not be available in the console after the upgrade is completed. To add it, click the Advanced button and select Install or uninstall authentication methods.

- Click the checkbox under status and click OK to add the SAML authentication method.
Prerequisites:
- Identity Provider - Before you begin, verify that the IdP (Identity Provider) being used is configured and working properly, and is able to generate SAML tokens.
- XenApp/XenDesktop - Make sure you have installed and configured your XenApp/XenDesktop environment, and are able to log in and launch applications using User Name and Password authentication. To view XenApp/XenDesktop installation documentation click HERE.
- Federated Authentication Service - You also need to have installed and configured the Citrix Federated Authentication Service (FAS) server. For information about the FAS server and installation and configuration instructions, click HERE. (FAS is required to provide a single sign-on experience when launching applications. If SSO during application launch is not required, FAS configuration is not required with SAML.)
- SAML Signing Certificate - Create a certificate that will be used to sign the SAML tokens. The certificate must be in X.509 format.
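One way to run the "IdP is able to generate SAML tokens" check from the prerequisites before touching StoreFront, as an added example (not Citrix code): a structural precheck of a base64-encoded SAMLResponse captured from your own test sign-in. The function names and the sample response are hypothetical and constructed here; the script confirms only that the response is SAML 2.0, successful, carries a NameID and is signed, and it does not validate the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def precheck_saml_response(b64_response):
    """Return a list of problems in a base64 SAMLResponse (empty list = passed)."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError) as exc:
        return [f"not decodable as base64 XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a SAML 2.0 protocol Response"]
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Response Version is not 2.0")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted Assertion present"]
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Assertion has no Subject/NameID")
    # A signature counts only as a direct child of the Response or the Assertion.
    sigs = [node.find("ds:Signature", NS) for node in (root, assertion)]
    if all(s is None for s in sigs):
        problems.append("neither Response nor Assertion is signed")
    return problems

def constructed_sample(signed=True):
    """Build a constructed (not captured) response; the Signature is an empty placeholder."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Version="2.0">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion Version="2.0">{sig}<saml:Subject>'
        '<saml:NameID>user@example.test</saml:NameID></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(precheck_saml_response(constructed_sample(signed=False)))
```

Run it only against responses from your own test sign-ins; a clean result means the token has the expected shape, not that its signature is trustworthy.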
Issue/Introduction
Identity Providers Supported, Citrix Components, Upgrades from previous StoreFront versions and Prerequisites
Additional Information
To configure NetScaler as an IdP, see the NetScaler documentation located here.