The authentication, authorization, and auditing traffic management feature supports OAuth and OIDC authentication. It authorizes and authenticates users to services that are hosted on applications such as Google, Facebook, and Twitter.
Points to note
- Citrix ADC Advanced Edition and higher is required for the solution to work.
- A Citrix ADC appliance must be on version 12.1 or later for the appliance to work as OAuth IdP using OpenID-Connect (OIDC) protocol.
- OAuth on a Citrix ADC appliance is qualified for all SAML IdPs that are compliant with “OpenID connect 2.0”.
A Citrix ADC appliance can be configured to behave as a Service Provider (SP) or an Identity Provider (IdP), using SAML and OIDC protocols. Previously, a Citrix ADC appliance configured as IdP supported only SAML protocol, starting Citrix ADC 12.1 version, Citrix ADC supports OIDC protocol as well.
OpenID Connect is an extension to OAuth authorization/delegation. A Citrix ADC appliance supports OAuth and OpenID Connect protocols in the same class of other authentication mechanisms. OpenID Connect is an add-on to OAuth as it provides a way for getting user information from authorization server as opposed to OAuth that gets only a token which cannot be gleaned for user information.
The authentication mechanism facilitates the inline verification of OpenID tokens. A Citrix ADC appliance can be configured to obtain certificates and verify signatures on the token.
A major advantage of using the OAuth and OpenID-Connect mechanisms is that the user information is not sent to the hosted applications. Therefore, the risk of identity theft is considerably reduced.
The Citrix ADC appliance configured for authentication, authorization, and auditing now accepts incoming tokens that are signed using HMAC HS256 algorithm. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file, instead of learning from a URL endpoint.
In the Citrix ADC implementation, the application is accessed by the authentication, authorization, and auditing traffic management virtual server. So, to configure OAuth, you must configure an OAuth policy which must then be associated with an authentication, authorization, and auditing traffic management virtual server.