How to configure SAML Authentication on Storefront with ADFS
Article ID: CTX220638
Description
This document provides the steps to follow for manually configuring the SAML authentication with Storefront feature.
Instructions
Enable the Federated Authentication Service plug-in on a StoreFront store:
- To enable Federated Authentication Service integration on a StoreFront store, run the following PowerShell cmdlets as an Administrator account on the StoreFront server. If you have more than one store, or if the store has a different name, the $StoreVirtualPath value below may differ.
Set-ExecutionPolicy Bypass
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
# Adjust the virtual path if your store is not named "Store"
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
# Switch the store's authentication service and launch options to the FAS providers
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
- In addition, make sure to enable XML Trust on the Delivery Controller(s) by running the following cmdlets:
Add-PSSnapin Citrix.Broker.Admin.V2
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
- Now that you have configured the FAS plug-in on the StoreFront server and enabled XML Trust:
- Open the StoreFront Management console, select the store you want to configure and choose Manage Authentication Methods.
- Select the SAML checkbox to enable the authentication method. (See the upgrade section in the Introduction and Requirements document if the SAML authentication method is not displayed.) Click the down arrow and select Identity Provider.
Identity Provider Options:
- SAML Binding – Options are Post or Redirect. Select Post.
- Address – The address of the Identity Provider. See the note below for additional information about this field.
- Signing Certificates – Import the certificate used to sign the SAML tokens. See the note below for additional information about this field.
Note – Address field: This is not necessarily the FQDN of the ADFS server. It is the name of the federation service. To verify the service name in ADFS, open the AD FS console, select Service, and click Edit Federation Service; the Address field should match the Federation Service Name.
Note – Signing Certificate: The signing certificate can be retrieved from the ADFS server. Open the AD FS console, select Certificates, right-click the Token-signing certificate and choose View Certificate. Once the certificate is open, select Copy to File from the Details tab to export the certificate. Once exported, copy it to the StoreFront server and import it.
- Next, select the Service Provider option.
- Service Provider Identifier – The StoreFront store that is using SAML. The identifier is the store URL with Auth appended to the store name. Example:
- Store name: https://sfserver.domain.com/Citrix/local
- Service Provider Identifier: https://sfserver.domain.com/Citrix/localAuth
Create a Relying Party Trust in ADFS:
- From the AD FS console, select Relying Party Trusts and in the Actions pane select Add Relying Party Trust.
- At the initial screen, click Start.
- At the Data Source screen, select Enter data about the relying party manually and click Next.
- Enter a Display Name and click Next.
- At the Choose Profile screen, select AD FS profile and click Next.
- In the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol. Under the relying party SAML URL, enter the StoreFront address with Auth added at the end. See screenshot below.
- In the Configure Identifiers screen, enter the StoreFront base URL and click Add.
- On the multi-factor authentication screen, click Next.
- On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party and click Next.
- On the Ready to Add Trust screen, click Next.
- On the Finish screen, make sure that the Open the Edit Claim Rules checkbox is checked and click Close.
- Next, add a claim rule. Make sure the Issuance Transform Rules tab is selected and click Add Rule.
- Select Send LDAP Attributes as Claims and click Next.
- Use the information below to complete the fields.
- Claim rule name: UPN to Name ID
- Attribute store: Active Directory
- LDAP Attribute: User-Principal-Name
- Outgoing Claim Type: Name ID
- Click OK
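The relying party trust and claim rule above can also be created with the AD FS PowerShell module instead of the wizard, which makes the result easy to review or compare against an existing trust. The following is an added example, not part of this article; it assumes the store URL https://sfserver.domain.com/Citrix/local from the example above and the endpoint naming the article describes (store URL with Auth appended).

```powershell
# Added example: create the StoreFront relying party trust from the AD FS side.
# Run on the AD FS server as an administrator. All URLs below are assumptions.
Import-Module ADFS

$storeUrl    = 'https://sfserver.domain.com/Citrix/local'   # assumed store URL
$baseUrl     = 'https://sfserver.domain.com'                # StoreFront base URL (identifier)
$acsUrl      = "${storeUrl}Auth"                            # store URL with Auth appended
$displayName = 'StoreFront SAML (local store)'              # assumed display name

# The article's "UPN to Name ID" rule, as the Send LDAP Attributes as Claims
# template emits it: userPrincipalName from Active Directory becomes the Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# "Permit all users access to relying party" from the wizard
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO assertion consumer endpoint using the POST binding, matching
# the "Select Post" choice on the StoreFront side. Keep this HTTPS: the signed
# assertion is posted by the browser to this URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $baseUrl `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review the result: identifier, POST endpoint and the Name ID rule should all be present.
# Assertions are signed with the Token-signing certificate imported into StoreFront above.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules |
    Format-List
```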