Citrix ADC as an Active Directory Federation Services proxy

Active Directory Federation Services (ADFS) is a Microsoft service that provides a single sign-on (SSO) experience for Active Directory-authenticated clients to resources outside the enterprise data center. An ADFS server farm allows internal users to access external cloud-hosted services. When external users are brought into the mix, they must be given a way to connect remotely and access cloud-based services through federated identity. Most enterprises prefer not to expose the ADFS server itself in the DMZ, so an ADFS proxy plays a critical role in remote user connectivity and application access.

For more than a decade, the Citrix ADC appliance has played the same roles of remote user connectivity and application access. This makes Citrix ADC a natural choice as the ADFS proxy for a new ADFS implementation, providing the following services:

  • Secure connectivity.
  • Authentication and handling of federated identity.

For more information about Citrix ADC as a SAML IdP, see Citrix ADC as a SAML IdP.

Advantages of ADFS proxy

  • Reduces the footprint in the DMZ, which meets the needs of most enterprises.
  • Provides an SSO experience for end users.
  • Supports rich methods for pre-authentication and enables multifactor authentication.
  • Supports both active and passive clients.

Prerequisites for using Citrix ADC as ADFS proxy

Before you configure the Citrix ADC appliance as ADFS proxy, make sure the following prerequisites are met.

  • A Citrix ADC appliance running release 12.1 or later.
  • A domain ADFS server.
  • A domain SSL certificate.
  • A virtual IP for the content switching virtual server.
  • The Load Balancing, SSL Offload, Content Switching, Rewrite, and authentication, authorization, and auditing traffic management features enabled on the Citrix ADC appliance.

Configure Citrix ADC appliance as ADFS proxy

In this use case, you configure Citrix ADC as the ADFS proxy in the DMZ. The ADFS server sits in the back end alongside the AD domain controller.

ADFS proxy

  1. A client request to access Microsoft Office 365 is redirected to the Citrix ADC appliance deployed as the ADFS proxy.

  2. The user's credentials are passed to the ADFS server.

  3. The ADFS server authenticates the credentials against the on-premises AD of the domain.

  4. Upon successful validation of the credentials with AD, the ADFS server generates a token, which is passed to Microsoft Office 365 to establish the session.

The following high-level steps harden the SSL settings of the Citrix ADC appliance before you configure it as ADFS proxy.

At the Citrix ADC command prompt, type the following commands:

  1. Create a back-end SSL profile, enable SNI in it, and disable SSLv3 and TLS1. The profile type must be BackEnd so that it can be bound to the ADFS service in the next step.

    add ssl profile <new SSL profile> -sslProfileType BackEnd -sniEnable ENABLED -ssl3 DISABLED -tls1 DISABLED -commonName <FQDN of ADFS>

  2. Bind the new profile to the ADFS service. Binding this profile, rather than the default ns_default_ssl_profile_backend, is what disables SSLv3 and TLS1 toward the ADFS server.

    set ssl service <adfs service name> -sslProfile <new SSL profile>

  3. Enable the SNI extension for back-end server handshakes, and deny non-secure renegotiation (clients that do not support RFC 5746 secure renegotiation).

    • set vpn parameter -backendServerSni ENABLED
    • set ssl parameter -denySSLReneg NONSECURE

Configure Citrix ADC appliance as ADFS proxy using the CLI

The following sections group the configuration steps by the object being configured.

To configure ADFS service

  1. Configure an ADFS service on Citrix ADC for the ADFS server.

    add service <Domain_ADFS_Service> <ADFS Server IP> SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

    Example

    add service CTXTEST_ADFS_Service 1.1.1.1 SSL 443 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

  2. Enable SNI on the ADFS service and set the ADFS FQDN as the common name to be checked against the ADFS server certificate.

    set ssl service <Domain_ADFS_Service> -SNIEnable ENABLED -commonName <sts.domain.com>

    Example

    set ssl service CTXTEST_ADFS_Service -SNIEnable ENABLED -commonName sts.ctxtest.com

To configure ADFS load balancing virtual server

Important

A domain SSL certificate (SSL_CERT) is required for secure traffic.

  1. Configure the ADFS load balancing virtual server. The port is required when an IP address is specified.

    add lb vserver <Domain_ADFS_LBVS> SSL <IP_address> 443 -persistenceType NONE -cltTimeout 180

    Example

    add lb vserver CTXTEST_ADFS_LBVS SSL 192.168.1.0 443 -persistenceType NONE -cltTimeout 180

  2. Bind the ADFS service to the ADFS load balancing virtual server.

    bind lb vserver <Domain_ADFS_LBVS> <Domain_ADFS_Service>

    Example

    bind lb vserver CTXTEST_ADFS_LBVS CTXTEST_ADFS_Service

  3. Bind an SSL virtual server certificate-key pair.

    bind ssl vserver <Domain_ADFS_LBVS> -certkeyName <SSL_CERT>

    Example

    bind ssl vserver CTXTEST_ADFS_LBVS -certkeyName ctxtest_newcert_2019

To configure content switching virtual server for domain

Note

One free virtual IP (for example, 2.2.2.2), NATed to the public IP, is required for the content switching virtual server. It must be reachable for both external and internal traffic.

  1. Create a content switching virtual server on the free VIP.

    add cs vserver <Domain_CSVS> SSL <FREE VIP> 443 -cltTimeout 180 -persistenceType NONE

    Example

    add cs vserver CTXTEST_CSVS SSL 2.2.2.2 443 -cltTimeout 180 -persistenceType NONE

  2. Bind the content switching virtual server to the load balancing virtual server as its default target, and disable SSL session reuse on the content switching virtual server.

    bind cs vserver <Domain_CSVS> -lbvserver <Domain_ADFS_LBVS>

    set ssl vserver <Domain_CSVS> -sessReuse DISABLED

    Example

    • bind cs vserver CTXTEST_CSVS -lbvserver CTXTEST_ADFS_LBVS
    • set ssl vserver CTXTEST_CSVS -sessReuse DISABLED

  3. Bind an SSL virtual server certificate-key pair.

    bind ssl vserver <Domain_CSVS> -certkeyName <SSL_CERT>

    Example

    bind ssl vserver CTXTEST_CSVS -certkeyName ctxtest_newcert_2019
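The whole procedure above, from the back-end SSL profile through the content switching virtual server, is easier to review when it is rendered as one CLI batch and then linted for the hardening the page asks for. The following Python is an added example written for this page, not Citrix code: render_config() emits the page's commands for a set of parameters (the profile name <prefix>_ADFS_BackEnd_Prof and the enable ns feature line for the prerequisites are assumptions of this example), and audit_config() lints any ns.conf-style command list for a bound back-end profile with SSLv3/TLS1 disabled and SNI set, a certificate-key pair on every SSL virtual server, a defined default LB target for each CS virtual server, and a denySSLReneg setting other than NO. A flag that is absent is treated as not hardened.

```python
"""Render and lint a Citrix ADC ADFS-proxy configuration (added example, not Citrix code)."""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class AdfsProxyParams:
    prefix: str          # object name prefix, e.g. "CTXTEST"
    adfs_fqdn: str       # ADFS federation service FQDN, used for SNI and the CN check
    adfs_server_ip: str  # back-end ADFS server
    lb_vip: str          # IP of the load balancing vserver
    cs_vip: str          # free VIP NATed to the public address
    certkey: str         # domain certkey already installed on the appliance


def render_config(p: AdfsProxyParams) -> list[str]:
    """Return the CLI batch for the page's procedure, in execution order."""
    svc, lb, cs = f"{p.prefix}_ADFS_Service", f"{p.prefix}_ADFS_LBVS", f"{p.prefix}_CSVS"
    prof = f"{p.prefix}_ADFS_BackEnd_Prof"  # assumed name for the back-end SSL profile
    return [
        "enable ns feature LB SSL CS REWRITE AAA",  # prerequisite features (assumed command)
        f"add ssl profile {prof} -sslProfileType BackEnd -sniEnable ENABLED "
        f"-ssl3 DISABLED -tls1 DISABLED -commonName {p.adfs_fqdn}",
        "set vpn parameter -backendServerSni ENABLED",
        "set ssl parameter -denySSLReneg NONSECURE",
        f"add service {svc} {p.adfs_server_ip} SSL 443 -cip DISABLED -usip NO "
        f"-useproxyport YES -cltTimeout 180 -svrTimeout 360",
        f"set ssl service {svc} -sslProfile {prof}",
        f"add lb vserver {lb} SSL {p.lb_vip} 443 -persistenceType NONE -cltTimeout 180",
        f"bind lb vserver {lb} {svc}",
        f"bind ssl vserver {lb} -certkeyName {p.certkey}",
        f"add cs vserver {cs} SSL {p.cs_vip} 443 -cltTimeout 180 -persistenceType NONE",
        f"bind cs vserver {cs} -lbvserver {lb}",
        f"set ssl vserver {cs} -sessReuse DISABLED",
        f"bind ssl vserver {cs} -certkeyName {p.certkey}",
    ]


def _opts(tokens: list[str]) -> dict[str, str]:
    """Map '-flag value' pairs to values; flags are lower-cased, values kept as typed."""
    return {t.lower(): tokens[i + 1]
            for i, t in enumerate(tokens) if t.startswith("-") and i + 1 < len(tokens)}


def audit_config(lines: list[str]) -> list[str]:
    """Lint an ns.conf-style command list and return human-readable findings ([] = clean)."""
    profiles, svc_profile, cs_targets = {}, {}, {}
    ssl_services, ssl_vservers, lb_names, certs = set(), set(), set(), set()
    reneg_ok = False
    for raw in lines:
        tok = shlex.split(raw)
        low = [t.lower() for t in tok]
        o = _opts(tok)
        if low[:3] == ["add", "ssl", "profile"]:
            profiles[tok[3]] = o
        elif low[:2] == ["add", "service"] and low[4:5] == ["ssl"]:
            ssl_services.add(tok[2])
        elif low[:3] == ["set", "ssl", "service"] and "-sslprofile" in o:
            svc_profile[tok[3]] = o["-sslprofile"]
        elif low[:3] in (["add", "lb", "vserver"], ["add", "cs", "vserver"]) and low[4:5] == ["ssl"]:
            ssl_vservers.add(tok[3])
            if low[1] == "lb":
                lb_names.add(tok[3])
        elif low[:3] == ["bind", "cs", "vserver"] and "-lbvserver" in o:
            cs_targets[tok[3]] = o["-lbvserver"]
        elif low[:3] == ["bind", "ssl", "vserver"] and "-certkeyname" in o:
            certs.add(tok[3])
        elif low[:3] == ["set", "ssl", "parameter"] and o.get("-denysslreneg", "NO").upper() != "NO":
            reneg_ok = True

    findings = []
    for svc in sorted(ssl_services):
        prof = profiles.get(svc_profile.get(svc, ""))
        if prof is None:
            findings.append(f"{svc}: no back-end SSL profile bound")
            continue
        if prof.get("-sslprofiletype", "FrontEnd").lower() != "backend":
            findings.append(f"{svc}: bound profile is not a BackEnd profile")
        for flag in ("-ssl3", "-tls1"):  # absent flag counts as still enabled
            if prof.get(flag, "ENABLED").upper() != "DISABLED":
                findings.append(f"{svc}: {flag[1:].upper()} still enabled toward ADFS")
        if prof.get("-snienable", "DISABLED").upper() != "ENABLED" or "-commonname" not in prof:
            findings.append(f"{svc}: SNI/common name not set for the ADFS handshake")
    for vs in sorted(ssl_vservers - certs):
        findings.append(f"{vs}: SSL vserver has no certificate-key pair bound")
    for cs, lb in sorted(cs_targets.items()):
        if lb not in lb_names:
            findings.append(f"{cs}: default LB vserver {lb} is not defined")
    if not reneg_ok:
        findings.append("global: denySSLReneg is NO (non-secure renegotiation allowed)")
    return findings


if __name__ == "__main__":
    params = AdfsProxyParams("CTXTEST", "sts.ctxtest.com", "1.1.1.1",
                             "192.168.1.0", "2.2.2.2", "ctxtest_newcert_2019")
    batch = render_config(params)
    print("\n".join(batch))
    print("findings:", audit_config(batch) or "none")
```

Save the printed batch to a file on the appliance and run it with the batch command, or paste the lines at the CLI in order. To lint an existing deployment, feed audit_config() the relevant lines of the running ns.conf instead of the rendered batch; a non-empty result lists exactly which step of the procedure was skipped or weakened.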

Supported protocols

The protocols that Microsoft provides play a vital role in integrating with the Citrix ADC appliance. Citrix ADC as ADFS proxy supports the following protocols:

Note

Citrix ADC appliance does not support device certificate authentication when deployed as an ADFS proxy.