How to configure SAML Authentication using Metadata?


Article ID: CTX220634

Description

To configure SAML Authentication with StoreFront you can use the metadata support option. This article describes the steps to perform the metadata based configuration.

Instructions

Enable the Federated Authentication Service plug-in on a StoreFront store
To enable Federated Authentication Service integration on a StoreFront store, run the following PowerShell cmdlets as an Administrator account on the StoreFront server. If you have more than one store, or if the store has a different name, the store path ("/Citrix/Store") shown below may differ.
  1. Set-ExecutionPolicy Bypass
  2. Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
  3. $StoreVirtualPath = "/Citrix/Store"
  4. $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
  5. $auth = Get-STFAuthenticationService -StoreService $store
  6. Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
  7. Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
  8. In addition, make sure to enable XML Trust on the Delivery Controller(s) by running the following two commands there:
  9. Add-PSSnapin Citrix.Broker.Admin.V2
  10. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
You have now configured the FAS plug-in on the StoreFront server and enabled XML Trust.

Configuration using MetaData support:
  1. On the StoreFront server, close the StoreFront Management console, open a PowerShell prompt running as administrator, then type the following:
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
  2. Run the following, where <adfs-dns-host-entry> is the ADFS service name (see the Manual Authentication document to find out how to locate the service name):
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -Url https://<adfs-dns-host-entry>/FederationMetadata/2007-06/FederationMetadata.xml
Note: Be sure to change the $StoreVirtualPath variable to the correct name for your store.
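The following PowerShell script is added here as an example and is not part of the CTX article: it downloads the AD FS federation metadata, prints the entityID and token-signing certificate thumbprints so they can be compared with the AD FS console before StoreFront is told to trust them, runs Update-STFSamlIdPFromMetadata as described above, and then checks that the StoreFront service provider metadata endpoint (the URL entered later in the relying party trust wizard) is being served. The host names adfs.example.com and storefront.example.com are placeholders for <adfs-dns-host-entry> and <sf hostname>.

```powershell
# Added example, not part of the CTX article. The host names and the store
# path are assumptions; replace them with your own values.
$AdfsHost         = "adfs.example.com"         # stands in for <adfs-dns-host-entry>
$StoreFrontHost   = "storefront.example.com"   # stands in for <sf hostname>
$StoreVirtualPath = "/Citrix/Store"            # change to the name of your store

$IdpMetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
# Same layout as the endpoint typed into the AD FS relying party wizard.
$SpMetadataUrl  = "https://$StoreFrontHost$($StoreVirtualPath)Auth/SamlForms/ServiceProvider/Metadata"

# 1. Download the AD FS metadata over HTTPS (certificate validation stays on)
#    and parse it as XML.
[xml]$idp = (Invoke-WebRequest -Uri $IdpMetadataUrl -UseBasicParsing).Content
Write-Host "IdP entityID: $($idp.EntityDescriptor.entityID)"

# 2. List the token-signing certificates published in the metadata so the
#    thumbprints can be compared with the AD FS console before StoreFront
#    is configured to trust them.
$ns = New-Object System.Xml.XmlNamespaceManager($idp.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($node in $idp.SelectNodes($xpath, $ns)) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    Write-Host ("Signing cert: {0}; thumbprint {1}; expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}

# 3. Apply the metadata to the store's authentication service, as in the
#    article, once the values above match what you expect.
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth  = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -Url $IdpMetadataUrl

# 4. Check that the StoreFront service provider metadata AD FS will import is
#    being served, and show the entityID AD FS will record for the trust.
[xml]$sp = (Invoke-WebRequest -Uri $SpMetadataUrl -UseBasicParsing).Content
Write-Host "StoreFront SP entityID: $($sp.EntityDescriptor.entityID)"
```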

Create a Relying Party Trust in ADFS:
  1. From the AD FS Console, select Relying Party Trusts and in the Actions pane select Add Relying Party Trust.
  2. On the initial page, click Start to begin.
  3. Select Import data about the relying party published online or on a local network and type the StoreFront metadata endpoint, in the following format:
https://<sf hostname>/Citrix/<store-name>Auth/SamlForms/ServiceProvider/Metadata
  4. Select Next.
  5. On the next screen, you can leave the default name and click Next.
  6. Select Next at the Configure Multi-factor page.
  7. Click Next at the Choose Issuance page.
  8. This is an informational page; click Next to continue.
  9. On the Finish screen, make sure that the Open the Edit Claim checkbox is checked and hit Close.
  10. Next we need to add a Claims Rule. Make sure to select the Issuance Transform Rules and click Add Rule.
  11. Select Send LDAP Attributes as Claims and hit Next.
  12. Enter the following information to configure the rule:
  • Claim rule name: UPN to Name ID
  • Attribute store: Active Directory
  • LDAP Attribute: User-Principal-Name
  • Outgoing Claim Type: Name ID
  13. Fill in the data as shown above to return the user principal name as the SAML Name ID. Other attributes can be added if required, but the UPN to Name ID mapping must be present. Select Finish. Note: If the attribute store does not automatically populate, close the dialog box and select Add Rule again.
  14. Click OK to close the dialog box.