Citrix ADC

Configure Azure AD as SAML IdP and Citrix ADC as SAML SP

September 14, 2021

Contributed by:

The SAML Service Provider (SP) is a SAML entity that is deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP). The SP also validates SAML assertions that are received from the IdP.

The SAML IdP (Identity Provider) is a SAML entity that is deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a logon page, where they must enter their credentials. The IdP authenticates these credentials with the user directory (external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP. The SP validates the token, and the user is then granted access to the requested protected application.

The following diagram depicts the SAML authentication mechanism.

SAML mechanism

Azure AD side configurations

Configure single sign-on settings:

On the Azure portal, click Azure Active Directory.
Under Manage section in the navigation pane, click Enterprise Applications. A random sample of the applications in your Azure AD tenant appears.
In the search bar, enter Citrix ADC.
Under the Manage section, select Single sign-on.
Select SAML to configure single sign-on. The Set up Single Sign-On with SAML - Preview page appears. Here, Azure is acting as a SAML IdP.
Download certificate (Base64) present under SAML Signing Certificate to be used as samlidPCertName while configuring Citrix ADC as SAML SP.
Configure basic SAML options:

Identifier (Entity ID) - Required for some apps. Uniquely identifies the application for which single sign-on is being configured. Azure AD sends the identifier to the application as the audience parameter of the SAML token. The application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application.

Reply URL - Mandatory. Specifies where the application expects to receive the SAML token. The reply URL is also referred as the Assertion Consumer Service (ACS) URL.

Sign-on URL - When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user.

Relay State - Specifies to the application where to redirect the user after the authentication is complete.

Citrix ADC side configurations

Navigate to Security>AAA-Policies>Authentication>Basic Policies>SAML.
Select Servers tab, click Add, enter values for the following parameters, and click Create.

Parameter description:

The value for parameters in bold needs to be taken from the Azure side configurations.

Name - Name of the server

Redirect URL - Enter the login URL used previously in the Azure AD “Setup Citrix ADC” section. https://login.microsoftonline.com/3e6d1786-4e0c-4c70-86d2-ae7811f97f79/saml2

Single Logout URL - https://login.microsoftonline.com/3e6d1786-4e0c-4c70-86d2-ae7811f97f79/saml2

SAML Binding - POST

Logout Binding - REDIRECT

IDP Certificate Name - IdPCert Certificate (Base64) present under SAML Signing Certificate.

User Field - userprincipalName. Taken from “User Attributes and Claims” section of Azure IdP.

Signing Certificate Name - Not needed for Azure AD. Select the SAML SP certificate (with private key) that Citrix ADC uses to sign authentication requests to the IdP. The same certificate (without private key) must be imported to the IdP, so that the IdP can verify the authentication request signature. This field is not needed by most IdPs.

IssuerName - Identifier. https://idp.g.nssvctesting.net

Reject unsigned assertion - ON

Audience - Audience for which assertion sent by IdP is applicable. This is typically entity name or URL that represents ServiceProvider.

Signature Algorithm - RSA-SHA256

Digest Method - SHA256

Default Authentication Group - The default group that is chosen when the authentication succeeds in addition to extracted groups.

Group Name Field - Name of the tag in assertion that contains user groups.

Skew Time (mins) - This option specifies the allowed clock skew in number of minutes that Citrix ADC ServiceProvider allows on an incoming assertion.

Two factor - OFF

Requested Authentication Context - exact

Authentication Class Type - None

Send Thumbprint - OFF

Enforce Username - ON

Force Authentication - OFF

Store SAML Response - OFF

Similarily, create a corresponding SAML policy and bind it to the authentication virtual server.

Note: Azure AD does not expect the Subject ID field in the SAML request. For Citrix ADC to not send the Subject ID field, type the following command on the Citrix ADC command prompt.

nsapimgr_wr.sh -ys call="ns_saml_dont_send_subject"

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configure Azure AD as SAML IdP and Citrix ADC as SAML SP

September 14, 2021

Contributed by:

September 14, 2021

Contributed by:

Configure Azure AD as SAML IdP and Citrix ADC as SAML SP

Azure AD side configurations

Citrix ADC side configurations

In this article