Introduction
By default when you create a store within StoreFront, Username and password authentication is enabled. Users manually enter their credential and StoreFront uses native integration with Windows Active Directory to validate the credentials.
As an alternative, if you have deployed Active Directory Federation Services (AD FS), you can configure StoreFront to delegate authentication to AD FS via SAML. This allows you to take advantage of benefits such as single sign-on (SSO) across all apps using AD FS and the ability to configure multi-factor authentication (MFA). For more information on AD FS, see the Microsoft documentation.
This article describes the steps you need to complete to configure a StoreFront to use AD FS for authentication.
Note that this applies only when users authenticate directly to StoreFront. If your users authenticate via a NetScaler gateway then you must instead configure the gateway. For more information, see CTX133919.
Pre-requisites
- An Active Directory Federation services deployment.
- A deployment of any supported version of Citrix StoreFront.
- The StoreFront server must be joined to the same domain as the users you wish to authenticate, or to a domain that has a trust relationship with that domain.
- When using SAML authentication, StoreFront does not have access to the users' credentials, so it is unable to pass them through to the VDA for single sign-on. To achieve SSO to the VDA you must therefore deploy Federated Authentication Service.
Instructions
Enable Single Sign-on to VDAs using Federated Authentication Service
Enable XML trust
When using SAML authentication, StoreFront does not have access to the users' credentials, so it is unable to pass them through to the Delivery Controller. You must therefore configure CVAD or DaaS in Studio to trust requests from the StoreFront server by enabling XML trust. For more information, see the Citrix DaaS documentation or the Citrix Virtual Apps and Desktops documentation.
Configure SAML authentication
For more information on configuring a store for SAML authentication, see StoreFront documentation.
- Open the StoreFront management console, select the store you want to configure and choose Manage Authentication Methods.
- Select the SAML checkbox to enable the authentication method. Click the down arrow next to it and select Identity Provider.
Identity Provider Options:
- SAML Binding – the options are Post or Redirect; select Post.
- Address – the address of the Identity Provider. See the note below for additional information about this field.
- Signing Certificates – import the certificate that AD FS uses to sign the SAML tokens. See the note below for additional information about this field.
Note – Address field: This is not necessarily the FQDN of the AD FS server; it is the name of the federation service. To verify the service name in AD FS, open the AD FS console, select Service, and click Edit Federation Service. The Address field should match the Federation Service Name.
Note – Signing Certificate: The signing certificate can be retrieved from the AD FS server. Open the AD FS console, select Certificates, right-click the Token-signing certificate and choose View Certificate. Once the certificate is open, select Copy to File from the Details tab to export the certificate. Once exported, copy it to the StoreFront server and import it there.
- Next, select Service Provider Option.
- Service Provider Identifier – identifies the StoreFront store that is using SAML. It is the store URL with Auth appended to the store name. Example:
- Store name: https://sfserver.domain.com/Citrix/local
- Service Provider Identifier: https://sfserver.domain.com/Citrix/localAuth
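The two notes above retrieve the Federation Service name and the token-signing certificate through the AD FS console. The following PowerShell does the same on the AD FS server and records the certificate thumbprint and expiry so you can confirm, after importing, that StoreFront holds the certificate AD FS is currently signing with. This is an added example, not part of the Citrix article; it assumes the ADFS PowerShell module is available and uses an output path of your choosing.

```powershell
# Added example (not from the Citrix article). Run in an elevated PowerShell
# session on the AD FS server. The output path is an assumption; change it.
$OutFile = 'C:\Temp\adfs-token-signing.cer'

# 1. The StoreFront "Address" field takes the Federation Service name, which is
#    not necessarily the host name of the server you are logged on to.
$props = Get-AdfsProperties
"Federation Service name : {0}" -f $props.HostName
"Federation Service ID   : {0}" -f $props.Identifier
"Auto certificate rollover: {0}" -f $props.AutoCertificateRollover

# 2. Export the PRIMARY token-signing certificate. With automatic rollover a
#    secondary certificate may also be present; StoreFront must trust the one
#    actually used to sign tokens.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # X509Certificate2

# DER-encoded public certificate only; the private key never leaves AD FS.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

"Exported to             : {0}" -f $OutFile
"Thumbprint              : {0}" -f $cert.Thumbprint
"Valid until             : {0:u}" -f $cert.NotAfter

# 3. Flag an upcoming rollover: once AD FS switches to a new signing
#    certificate, StoreFront rejects every SAML response until the new
#    certificate is imported, so schedule the re-import ahead of time.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Token-signing certificate expires within 30 days; plan the StoreFront re-import.'
}
```

After importing the exported file on the StoreFront server, compare the thumbprint shown in the StoreFront console with the one printed here; a mismatch means StoreFront is trusting a stale or secondary certificate.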
Create a Relying Party Trust in ADFS
- From the AD FS console, select Relying Party Trusts and, in the Actions pane, select Add Relying Party Trust
- At the initial screen hit Start
- At the Data Source screen select Enter Data about the relying party manually and click Next
- Enter a Display Name and hit Next
- At the Choose Profile screen select AD FS profile and click Next
- In the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol. Under the relying party SAML URL, enter the StoreFront address with Auth added at the end. See screenshot below
- In the Configure Identifiers screen, enter the StoreFront base URL and click Add
- On the multi-factor authentication screen click Next
- On the Choose Issuance Authorization Rules screen, select Permit all users access to relying party and click Next
- On the Ready to Add Trust Screen hit Next
- On the Finish screen, make sure that the Open the Edit Claim Rules dialog checkbox is checked and hit Close
- Next we need to add a claim rule. Make sure the Issuance Transform Rules tab is selected and click Add Rule
- Select Send LDAP Attributes as Claims and hit Next
- Use the information below to complete the fields.
- Claim rule name: UPN to Name ID
- Attribute store: Active Directory
- LDAP Attribute: User-Principal-Name
- Outgoing Claim Type: Name ID
- Click OK
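The wizard steps above can also be scripted, which makes the trust reproducible and leaves the exact claim rule language visible for review. The following PowerShell is an added example and is not part of the Citrix article. It reuses the article's example host (sfserver.domain.com) and store name (local); the relying party identifier is assumed to be the Service Provider Identifier configured in the StoreFront step, since the Audience value in the SAML assertion is compared against it and the two must be identical. The SAML endpoint URL is the store address with Auth appended, exactly as the wizard step states.

```powershell
# Added example (not from the Citrix article). Run on the AD FS server.
# Replace the host and store name with your own values.
$StoreBaseUrl = 'https://sfserver.domain.com/Citrix/local'
$SamlUrl      = "${StoreBaseUrl}Auth"   # store address with "Auth" appended
# Assumption: must equal the Service Provider Identifier set in StoreFront.
$Identifier   = $SamlUrl
$TrustName    = 'Citrix StoreFront (local)'

# Issuance authorization rule: "Permit all users to access this relying party".
# On AD FS 2016 or later you can use -AccessControlPolicyName 'Permit everyone' instead.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule: "Send LDAP Attributes as Claims",
# User-Principal-Name -> Name ID (the rule named "UPN to Name ID" above).
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# SAML 2.0 WebSSO assertion consumer endpoint; POST binding matches the
# "SAML Binding: Post" choice made in the StoreFront console.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SamlUrl -Index 0

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $Identifier `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules $TransformRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify what was created: identifier, endpoint and the rule text AD FS stored.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier,
                  @{ n = 'AssertionConsumer'; e = { $_.SamlEndpoints.Location } },
                  IssuanceTransformRules
```

The SHA-256 signature algorithm is the default on current AD FS versions; it is set explicitly here so that the trust does not silently fall back to SHA-1 on an older farm. If the identifier printed by the verification step differs from the Service Provider Identifier shown in the StoreFront console, logons will fail with an audience mismatch even though the user authenticated successfully at AD FS.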