The guide provides the steps to configure Storefront SAML with Azure AD.
Instructions
Pre-reqs:
- The Azure account has to be a global administrator.
- StoreFront needs to be configured with HTTPS.
- Azure AD Sync must be in place.
- Full single sign-on to the VDA requires FAS.
- Be mindful of the following KB if you get the sign-in error "Request is not supported": https://support.citrix.com/article/CTX218941
1. Open a Remote Desktop session to the StoreFront server.
2. Open the StoreFront Management Console.
3. On the StoreFront Management Console, select Manage Authentication Methods.

4. On the Manage Authentication Methods window, select SAML Authentication.

5. Open Windows PowerShell ISE as Administrator on the StoreFront server.
6. Run the following code in Windows PowerShell ISE. Note: Remember to change the value of the $storeVirtualPath variable to reflect the name of your actual store.

    # Load the StoreFront PowerShell SDK modules
    Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module
    $storeVirtualPath = "/Citrix/Saml"
    $auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath)
    # Service Provider (StoreFront) identifiers that Azure AD needs
    $spId = $auth.AuthenticationSettings["samlForms"].SamlSettings.ServiceProvider.Uri.AbsoluteUri
    $acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/AssertionConsumerService")
    $md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/ServiceProvider/Metadata")
    $samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlTest")
    Write-Host "SAML Service Provider information:
    Service Provider ID: $spId
    Assertion Consumer Service: $acs
    Metadata: $md
    Test Page: $samlTest"

7. This command will output the SAML Service Provider information.
Create the Application in Azure
8. On your web browser, navigate to portal.azure.com.
9. Log in with your Microsoft Azure credentials.
10. Open Azure Active Directory.
11. On the Azure Active Directory blade, select Enterprise Applications.
12. On the Enterprise Applications blade, select New Application.
13. On the Add an application blade, select Non-gallery application.
14. On the Add your own application blade, enter a name for the application and click Add.

15. After the application is created, on the new application blade, under Manage select Users and Groups.

16. On the Users and Groups blade, select Add user.
17. On the Add Assignment blade, select Users and Groups.
18. On the Users and groups blade, select the AD users or groups to which you want to provide access.
19. Click Select.
20. On the Add Assignment blade, select Assign.
21. Back on the application blade, under Manage select Single Sign-On.

22. On the Single Sign-On blade, under Single Sign-on Mode, select SAML-based Sign-on.

23. Under step 2, Domain and URLs, enter the following information.
a. Identifier (Entity ID): Service Provider ID from step 7.
b. Reply URL: Assertion Consumer Service from step 7.

24. On step 3, User Attributes, make sure user.userprincipalname is selected as the User Identifier.

25. On step 4, SAML Signing Certificate, click on Metadata XML.

26. Click Save at the top of the blade.
Note: This will download an XML file to your computer.
27. Place the Metadata XML file on a directory on your StoreFront Server.

28. Open Windows PowerShell ISE as Administrator one more time.
29. Run the following code in Windows PowerShell ISE. Note: Remember to change the value of the $StoreVirtualPath variable to reflect the name of your actual store, and the value of the -FilePath parameter to reflect the actual path of the file on your computer.

    # Load the StoreFront PowerShell SDK modules
    Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module
    $StoreVirtualPath = "/Citrix/Saml"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    # Import the Azure AD issuer, SSO endpoint and signing certificate from the downloaded metadata
    Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath "C:\FedMet\StoreFront.xml"
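Before running the import in step 29, it is worth checking what the metadata file actually contains, because StoreFront will trust whichever issuer and signing certificate that file names. The function below is an added example, not part of the original guide or of the Citrix SDK; it assumes the metadata file path used in step 29 and that the issuer is an Azure AD tenant (entityID of the form https://sts.windows.net/<tenant-id>/).

```powershell
# Added example (not from the original guide): sanity-check an IdP federation
# metadata file before importing it with Update-STFSamlIdPFromMetadata.
function Test-SamlIdPMetadata {
    param([Parameter(Mandatory)][string]$Path, [int]$WarnDays = 30)
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $ed = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $ed) { throw "Not a SAML EntityDescriptor: $Path" }
    $findings = @()
    # Assumption: Azure AD issuer IDs look like https://sts.windows.net/<tenant-id>/ ;
    # anything else means a different tenant or a file that was altered in transit.
    $entityId = $ed.GetAttribute('entityID')
    if ($entityId -notmatch '^https://sts\.windows\.net/[0-9a-fA-F-]{36}/$') {
        $findings += "Unexpected entityID: $entityId"
    }
    # Every SSO endpoint the users will be redirected to must be HTTPS
    $ssoUrls = @()
    foreach ($sso in $ed.SelectNodes('md:IDPSSODescriptor/md:SingleSignOnService', $ns)) {
        $loc = $sso.GetAttribute('Location')
        $ssoUrls += $loc
        if (([uri]$loc).Scheme -ne 'https') { $findings += "Non-HTTPS SSO endpoint: $loc" }
    }
    # Signing certificates: StoreFront validates assertion signatures against these,
    # so an expired or soon-to-expire one means logons will start failing.
    $certs = $ed.SelectNodes('md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]//ds:X509Certificate', $ns)
    if ($certs.Count -eq 0) { $findings += 'No signing certificate in metadata' }
    foreach ($c in $certs) {
        $raw = [Convert]::FromBase64String(($c.InnerText -replace '\s', ''))
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $daysLeft = ($x.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $WarnDays) {
            $findings += "Signing cert $($x.Thumbprint) expires in $daysLeft days ($($x.NotAfter))"
        }
    }
    [pscustomobject]@{
        EntityId     = $entityId
        SsoEndpoints = $ssoUrls
        SigningCerts = $certs.Count
        Findings     = $findings
        Ok           = ($findings.Count -eq 0)
    }
}

# Path from step 29; change it to wherever you placed the downloaded Metadata XML
Test-SamlIdPMetadata -Path "C:\FedMet\StoreFront.xml" | Format-List
```

If Ok is False, resolve the listed findings (wrong tenant, plain-HTTP endpoint, missing or expiring signing certificate) before running Update-STFSamlIdPFromMetadata.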