Use Azure AD as IdP for Citrix NetScaler (FAS) 2

Azure AD - Citrix FAS

Since Citrix XenApp and XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Citrix FAS allows a user to login via SAML instead of basic LDAP. This can be any SAML IdP like Google, Okta, Imprivata or Windows Azure Active Directory. In this blogpost i’ll show you how to configure Azure Active Directory for Citrix FAS.

Citrix provided a detailed guide for the initial Citrix FAS configuration: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/secure/federated-authentication-service.html also Carl Stalhood wrote a blogpost on how to integratate Citrix FAS with Microsoft AD FS: http://www.carlstalhood.com/citrix-federated-authentication-service-saml/

Configure Azure AD

After that we have configured Citrix FAS internally we can now configure Azure AD. Sign-in to the Azure portal (i’ll used the classic management page https://manage.windowsazure.com) Then go to your Active Directory within Azure and open the required Active Directory.

Azure AD - Citrix FAS

Create Azure AD Application

Next, go to applications and click Add. Select the option “Add an application from the galary”:

Azure AD - Citrix FAS - Add Application

Choose Custom Application and give it a name and click next:

Azure AD - Citrix FAS - Custom Application

Now the application has been created and we can configure the details:Azure AD - Citrix FAS - Application created

Configure SSO

Now we have to configure the defails for this application, so click “Configure single sign-on”. The first question we will get is how we want to authentication for this application. Select Microsoft Azure AD Single Sign-On and click next.

Azure AD - Citrix FAS

The next page will bring you the important information. Make sure to download the certificate in Base 64 format, you’ll need this certificate later! Also make note of the singe sign-on server url. Select he confirmation checkbox and click next.

Azure AD - Citrix FAS - Single Sign-On details

When the configuration is finished you should get the following confirmation screen (if it fails try to repeat this proces via Google Chrome!)

Azure AD - Citrix FAS - SSO Confirmation

Assign Users

Next we have to assign the users that are allowed to use this Azure AD Application. Choose the Assign Accounts option:

Azure AD - Citrix FAS - Assign Users

Select one ore more accounts that you want to give access to this application and select assign:

Azure AD - Citrix FAS - Assign Users

This completes the Azure AD configuration for Citrix FAS. Now we need to configure NetScaler Gateway to use Azure AD as the IdP for authentication.

Citrix NetScaler

Now that we have configured Azure AD we start with configuring NetScaler to use Azure AD as SAML IdP.

Add Certificate

First we need to add the certificate that we’ve downloaded during the Azure AD application creation. If you use NetScaler build 11.1 the Azure AD certificate shows up as a CA certificate.

Azure AD - Citrix FAS - NetScaler certificate

Create SAML Authentication Policy

After the certificate is added to the NetScaler configuration we can create the SAML authentication policy and action via NetScaler Gateway > Authentication > SAML (not SAML IdP).

IDP Certificate = the certificate we gained from Azure AD.

Redirect URL = the URL we gained from Azure AD

Single Logout URL = the same URL as the Redirect URL

Signing Certificate = the same server certificate as we use on the NetScaler Gateway Virtual Server

Issuer Name = FQDN of the NetScaler Gateway Virtual Server

Azure AD - Citrix FAS - NetScaler SAML Action

After we’ve created the SAML Authentication server we have to create the SAML Authentication policy:

Azure AD - Citrix FAS - NetScaler SAML Policy

Bind policy to Virtual Server

To complete the configuration we can now bind this SAML Authentication Policy to the NetScaler Gateway Virtual Server that is used for Citrix Federated Authentication Service. Instead of binding a LDAP or RADIUS policy we bind a SAML iDP policy to the NetScaler Gateway:

Azure AD - Citrix FAS - NetScaler Bind SAML policy

This completes the NetScaler Gateway configuration to use Azure AD as a IdP.

Result

If we browse to our NetScaler Gateway FQDN we should get redirected to Azure AD for authentication:

Azure AD - Citrix FAS - Result

This also works if you have are using Active Directory Federation Services together with Azure AD. Azure AD will redirect you to the AD FS FQDN for authentication. After succesfull authentication Azure AD will provide the SAML Assertion to NetScaler Gateway and the user is succesfully authentication.

Azure AD - Citrix FAS - Result

Citrix Federatated Authentication Service

Keep in mind that if the goal is to use Azure AD as a IdP for Citrix FAS there need to be a similarity in the UPN of the user. So in other words the UPN or email adress that comes with the SAML Assertion needs to be available within your on-prem active directory either on the user account object itself or via a shadow account.

Conclusion

In this blogpost I showed you how you can use Azure Active Directory as a IdP for NetScaler Gateway and Citrix Federated Authentication Service.

2 thoughts on “Use Azure AD as IdP for Citrix NetScaler (FAS)

  1. Reply Arthur Blakely Jan 12,2017 4:37 pm

    Have you tried using receiver with this setup? I am trying and so far no luck

Leave a Reply

  

  

  

Visit Us On TwitterVisit Us On Linkedin