Implementing Storefront SAML with Entra ID

Article ID: CTX237490

Instructions

Pre-reqs:

  1. The Azure account used must be a Global Administrator.
  2. StoreFront must be configured with HTTPS.
  3. Azure AD Sync must be in place.
  4. Full single sign-on to the VDA requires the Federated Authentication Service (FAS).
    1. Be mindful of the following KB if sign-in fails with the error “Request is not supported”: https://support.citrix.com/article/CTX218941


1. Open a Remote Desktop session to the StoreFront server.
2. Open the StoreFront Management Console.
3. On the StoreFront Management Console, select Manage Authentication Methods.


4. On the Manage Authentication Methods window, select SAML Authentication.

5. Open Windows PowerShell ISE as Administrator on the StoreFront server.
6. Run the following code in Windows PowerShell ISE.
Note: Remember to change the value of the $storeVirtualPath variable to reflect the name of your actual store.

# Load the StoreFront SDK modules so the Get-STF* cmdlets are available.
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module

# Virtual path of the store being configured; change this to match your store.
$storeVirtualPath = "/Citrix/Saml"

# The authentication service that the store uses.
$auth = Get-STFAuthenticationService -StoreService (Get-STFStoreService -VirtualPath $storeVirtualPath)

# Service Provider (SP) values that Entra ID needs: entity ID, assertion consumer URL,
# SP metadata URL and the built-in test page.
$spId = $auth.AuthenticationSettings["samlForms"].SamlSettings.ServiceProvider.Uri.AbsoluteUri
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/AssertionConsumerService")
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/ServiceProvider/Metadata")
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlTest")
Write-Host "SAML Service Provider information:
Service Provider ID: $spId
Assertion Consumer Service: $acs
Metadata: $md
Test Page: $samlTest"

7. The script outputs the SAML Service Provider information (Service Provider ID, Assertion Consumer Service URL, metadata URL and test page URL). Keep these values; they are needed when configuring the application in Azure.

Create the Application in Azure

8. On your web browser, navigate to portal.azure.com.
9. Log in with your Microsoft Azure credentials.
10. Open Azure Active Directory.
11. On the Azure Active Directory blade, select Enterprise Applications.
12. On the Enterprise Applications blade, select New Application.
13. On the Add an application blade, select Non-gallery application.
14. On the Add your own application blade, enter a name for the application and click Add.

15. After the application is created, on the new application blade, under Manage select Users and Groups.

16. On the Users and Groups blade, select Add user.
17. On the Add Assignment blade, select Users and Groups.
18. On the Users and groups blade, select the AD Users or Groups to which you want to provide access.
19. Click Select.
20. On the Add Assignment blade select Assign.
21. Back on the application blade, under Manage select Single Sign-On.

22. On the Single Sign-On blade, under Single Sign-on Mode, select SAML-based Sign-on.

23. Under step 2, Domain and URLs, enter the following information:
    a. Identifier (Entity ID): the Service Provider ID from step 7.
    b. Reply URL: the Assertion Consumer Service URL from step 7.

24. On step 3 User Attributes, make sure user.userprincipalname is selected as the User Identifier.

25. On step 4, SAML Signing Certificate, click Metadata XML.

26. Click Save at the top of the blade.
Note: This downloads an XML file (the Entra ID federation metadata) to your computer.
27. Place the metadata XML file in a directory on your StoreFront server.
28. Open Windows PowerShell ISE as Administrator one more time.
29. Run the following code in Windows PowerShell ISE.
Note: Remember to change the value of the $StoreVirtualPath variable to reflect the name of your actual store, and the value of the -FilePath parameter to reflect the actual path of the metadata file on the server.

# Load the StoreFront SDK modules.
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module

# Virtual path of the store being configured; change this to match your store.
$StoreVirtualPath = "/Citrix/Saml"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store

# Configure the SAML identity provider (Entra ID) from the downloaded metadata file:
# this sets the IdP entity ID, sign-on endpoint and signing certificate in one step.
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath "C:\FedMet\StoreFront.xml"
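Before importing the metadata, it is worth checking what StoreFront is about to trust: the file names the identity provider entity ID, the sign-on endpoints and the certificate(s) whose signatures StoreFront will accept on assertions. The following PowerShell is an added example, not part of the Citrix article or the StoreFront SDK; it parses the metadata XML from step 27 and reports problems such as a file from the wrong tenant, a non-HTTPS endpoint or an expired signing certificate. The file path and the tenant ID are placeholders you replace with your own values.

```powershell
# Added example (not from the Citrix article): inspect the Entra ID metadata XML
# from step 26 before handing it to Update-STFSamlIdPFromMetadata.
# Assumptions: the file path and the tenant ID used below are placeholders.

function Get-SamlIdPMetadataSummary {
    param([Parameter(Mandatory)] [string] $FilePath)

    [xml]$doc = Get-Content -Path $FilePath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "$FilePath is not a SAML 2.0 EntityDescriptor" }
    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw "$FilePath contains no IDPSSODescriptor; it is not identity provider metadata" }

    # Endpoints that StoreFront will redirect users to for sign-on.
    $sso = foreach ($n in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        [pscustomobject]@{ Binding = $n.GetAttribute('Binding'); Location = $n.GetAttribute('Location') }
    }

    # Certificates whose signatures StoreFront will accept on SAML assertions.
    $xpath = "md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $certs = foreach ($n in $idp.SelectNodes($xpath, $ns)) {
        $raw  = [Convert]::FromBase64String(($n.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }

    [pscustomobject]@{
        EntityId            = $entity.GetAttribute('entityID')
        SingleSignOnService = @($sso)
        SigningCertificates = @($certs)
    }
}

function Test-SamlIdPMetadata {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $ExpectedTenantId
    )
    $summary  = Get-SamlIdPMetadataSummary -FilePath $FilePath
    $problems = @()

    # Entra ID issues SAML assertions as https://sts.windows.net/<tenant-id>/ ; make sure
    # the file belongs to your tenant and not to some other directory.
    if ($summary.EntityId -ne "https://sts.windows.net/$ExpectedTenantId/") {
        $problems += "entityID '$($summary.EntityId)' does not match tenant $ExpectedTenantId"
    }
    foreach ($ep in $summary.SingleSignOnService) {
        if ($ep.Location -notlike 'https://*') { $problems += "sign-on endpoint is not HTTPS: $($ep.Location)" }
    }
    if (-not ($summary.SigningCertificates | Where-Object { -not $_.Expired })) {
        $problems += 'no unexpired signing certificate in metadata'
    }
    foreach ($c in $summary.SigningCertificates) {
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            $problems += "signing certificate $($c.Thumbprint) expires on $($c.NotAfter); plan a metadata refresh"
        }
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Summary = $summary }
}

# Usage (placeholders): replace with the path from step 27 and your own tenant ID.
$result = Test-SamlIdPMetadata -FilePath 'C:\FedMet\StoreFront.xml' -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
$result.Summary | Format-List
if (-not $result.Ok) { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Run it on the StoreFront server right before step 29 and only import the file when it reports no problems. Recording the signing certificate thumbprint and expiry date is also useful later: when Entra ID rotates the certificate, sign-in fails until the metadata is re-imported, and the recorded expiry tells you when to expect that.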

30. If using StoreFront 2603 or earlier, users may receive "HTTP Error 404.15 - Not Found". This occurs when the query string is too long and is blocked by IIS request filtering. By default IIS limits the query string to 2048 bytes and the total URL length to 4096 bytes. To work around this, increase the maximum URL and query string lengths on the authentication virtual directory.

a. Open Internet Information Services (IIS) Manager.

b. In the Connections pane, expand the server and select the authentication virtual directory.

c. From the main pane, open Request Filtering.

d. In the Actions pane, click Edit Feature Settings…

e. Increase the Maximum URL length (Bytes) to 8192 and Maximum query string (Bytes) to 4096.


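The same Request Filtering change can be applied and verified from PowerShell, which is handy when a server group has several StoreFront servers that all need the same limits. The script below is an added example, not part of the Citrix article; it assumes the WebAdministration module that ships with IIS is available, and the IIS path of the authentication virtual directory is a placeholder (the real path follows $auth.VirtualPath from the earlier script, under the site that hosts StoreFront).

```powershell
# Added example (not from the Citrix article): the step 30 Request Filtering change
# applied from PowerShell, with a read-back to confirm the values.
# Assumptions: the WebAdministration module is installed with IIS, and $authVdir is a
# placeholder for the authentication virtual directory of your store.
Import-Module WebAdministration

$RequestLimitsFilter = 'system.webServer/security/requestFiltering/requestLimits'

function Get-RequestLimits {
    param([Parameter(Mandatory)] [string] $PSPath)
    $limits = Get-WebConfiguration -PSPath $PSPath -Filter $RequestLimitsFilter
    [pscustomobject]@{
        PSPath         = $PSPath
        MaxUrl         = [int]$limits.maxUrl            # IIS default: 4096
        MaxQueryString = [int]$limits.maxQueryString    # IIS default: 2048
    }
}

function Set-RequestLimits {
    param(
        [Parameter(Mandatory)] [string] $PSPath,
        [int] $MaxUrl = 8192,          # values from step 30e
        [int] $MaxQueryString = 4096
    )
    # Scoped to this virtual directory only, so the rest of the site keeps the IIS defaults.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $RequestLimitsFilter -Name maxUrl -Value $MaxUrl
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $RequestLimitsFilter -Name maxQueryString -Value $MaxQueryString
    Get-RequestLimits -PSPath $PSPath
}

# Placeholder: replace with the authentication virtual directory of your store,
# e.g. the site name plus the value of $auth.VirtualPath from the first script.
$authVdir = 'IIS:\Sites\Default Web Site\Citrix\SamlAuth'
Write-Host 'Before:'; Get-RequestLimits -PSPath $authVdir | Format-List
Write-Host 'After:';  Set-RequestLimits -PSPath $authVdir | Format-List
```

Keep the increase limited to the authentication virtual directory, as the article's GUI steps do, rather than raising the limits for the whole site or server: the larger query string is only needed for the SAML sign-on redirect, and the defaults remain a useful guard everywhere else.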
Issue/Introduction

This guide provides the steps to configure StoreFront to use SAML with Entra ID for authentication, without a NetScaler Gateway.