Since Citrix XenApp and XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Citrix FAS allows a user to log in via SAML instead of basic LDAP. The IdP can be any SAML IdP such as Google, Okta, Imprivata or Windows Azure Active Directory. In this blog post I’ll show you how to configure Azure Active Directory as the IdP for Citrix FAS.
Citrix provides a detailed guide for the initial Citrix FAS configuration: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/secure/federated-authentication-service.html. Carl Stalhood also wrote a blog post on how to integrate Citrix FAS with Microsoft AD FS: http://www.carlstalhood.com/citrix-federated-authentication-service-saml/
Configure Azure AD
Now that we have configured Citrix FAS internally, we can configure Azure AD. Sign in to the Azure portal (I used the classic management page https://manage.windowsazure.com). Then go to Active Directory within Azure and open the required directory.
Create Azure AD Application
Next, go to Applications and click Add. Select the option “Add an application from the gallery”:
Choose Custom Application and give it a name and click next:
Now we have to configure the details for this application, so click “Configure single sign-on”. The first question we get is how we want users to authenticate to this application. Select Microsoft Azure AD Single Sign-On and click Next.
The next page contains the important information. Make sure to download the certificate in Base64 format; you’ll need this certificate later! Also make a note of the single sign-on service URL. Select the confirmation checkbox and click Next.
When the configuration is finished you should get the following confirmation screen (if it fails, try repeating this process in Google Chrome!).
Next we have to assign the users that are allowed to use this Azure AD Application. Choose the Assign Accounts option:
Select one or more accounts that you want to give access to this application and click Assign:
This completes the Azure AD configuration for Citrix FAS. Now we need to configure NetScaler Gateway to use Azure AD as the IdP for authentication.
Now that we have configured Azure AD, we can configure NetScaler to use Azure AD as the SAML IdP.
First we need to add the certificate that we downloaded during the Azure AD application creation. If you use NetScaler build 11.1, the Azure AD certificate shows up as a CA certificate.
Create SAML Authentication Policy
After the certificate is added to the NetScaler configuration we can create the SAML authentication policy and action via NetScaler Gateway > Authentication > SAML (not SAML IdP). Use the following values for the SAML server:
IDP Certificate = the certificate we obtained from Azure AD
Redirect URL = the single sign-on URL we obtained from Azure AD
Single Logout URL = the same URL as the Redirect URL
Signing Certificate = the same server certificate as we use on the NetScaler Gateway Virtual Server
Issuer Name = FQDN of the NetScaler Gateway Virtual Server
After we’ve created the SAML Authentication server we have to create the SAML Authentication policy:
Bind policy to Virtual Server
To complete the configuration we can now bind this SAML Authentication Policy to the NetScaler Gateway Virtual Server that is used for Citrix Federated Authentication Service. Instead of binding an LDAP or RADIUS policy we bind the SAML authentication policy to the NetScaler Gateway:
This completes the NetScaler Gateway configuration to use Azure AD as an IdP.
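For reference, here is the NetScaler CLI equivalent of the GUI steps above, as an added example that is not part of the original post. All object names, the certificate file name, the tenant ID and the gateway FQDN are placeholders; the last three parameters of the SAML action are hardening settings that the post’s GUI walkthrough leaves at their defaults.

```nscli
# Placeholder names throughout; adjust to your own environment.

# 1. Install the Base64 certificate downloaded from the Azure AD application
#    (upload the file to /nsconfig/ssl first; file name is a placeholder).
add ssl certKey AzureAD-IdP-Cert -cert AzureAD-SAML.cer

# 2. SAML server (action) with the five values from the Azure AD page:
#    IdP certificate, redirect URL, single logout URL, signing certificate, issuer name.
#    Redirect URL is the single sign-on URL shown by Azure AD (tenant ID is a placeholder).
#    Rejecting unsigned assertions and using SHA-256 ensure a forged or downgraded
#    assertion cannot be accepted as a valid login.
add authentication samlAction AzureAD-SAML-Act -samlIdPCertName AzureAD-IdP-Cert -samlRedirectUrl "https://login.microsoftonline.com/<tenant-id-placeholder>/saml2" -logoutURL "https://login.microsoftonline.com/<tenant-id-placeholder>/saml2" -samlSigningCertName Gateway-Server-Cert -samlIssuerName gateway.example.com -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# 3. Policy that always applies the SAML action.
add authentication samlPolicy AzureAD-SAML-Pol -rule ns_true -reqAction AzureAD-SAML-Act

# 4. Bind it as the primary authentication policy of the Gateway virtual server,
#    in place of the usual LDAP or RADIUS policy.
bind vpn vserver Gateway-VS -policy AzureAD-SAML-Pol -priority 100

save ns config
```

After binding, `show authentication samlAction AzureAD-SAML-Act` lets you confirm that the IdP certificate and issuer name match what Azure AD expects before testing a login.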
If we browse to our NetScaler Gateway FQDN we should get redirected to Azure AD for authentication:
This also works if you are using Active Directory Federation Services together with Azure AD. Azure AD will redirect you to the AD FS FQDN for authentication. After successful authentication Azure AD provides the SAML assertion to NetScaler Gateway and the user is successfully authenticated.
Citrix Federated Authentication Service
Keep in mind that if the goal is to use Azure AD as an IdP for Citrix FAS, the user’s UPN must match. In other words, the UPN or email address that comes with the SAML assertion needs to exist in your on-prem Active Directory, either on the user account object itself or via a shadow account.
In this blog post I showed you how you can use Azure Active Directory as an IdP for NetScaler Gateway and Citrix Federated Authentication Service.