Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud
Citrix Cloud can now use on-premises Citrix Gateway for end-user authentication into Citrix Workspace.
Citrix Gateway authentication is supported for use with the following product versions:
- Citrix Gateway 13.0 41.20 Advanced edition or later
- Citrix Gateway 12.1 54.13 Advanced edition or later
Configuring on-premises gateway as the identity provider for Citrix Cloud involves the following tasks.
On the Citrix Cloud side, generate the client ID, secret, and redirect URL. For details, see Connect an on-premises Citrix Gateway to Citrix Cloud.
Create an OAuth IDP policy on the on-premises gateway to create the connection. For details see, Create an OAuth IDP policy on the on-premises gateway.
On the Citrix Cloud side, Click Test and Finish. If the connection is successful, on the Authentication tab, Active Directory + Gateway AAA entry is marked as enabled. For details, see Connect an on-premises Citrix Gateway to Citrix Cloud.
Create an OAuth IDP policy on the on-premises Citrix Gateway
Creating an OAuth IDP authentication policy involves the following tasks:
Create an OAuth IDP profile.
Add an OAuth IDP policy.
Bind the OAuth IDP policy to an authentication virtual server.
Bind the certificate globally.
You must have generated the client ID, secret, and redirect URL in Citrix Cloud > Identity and Access Management > Authentication tab.
Creating an OAuth IDP profile by using the CLI
At the command prompt, type;
add authentication OAuthIDPProfile <name> [-clientID <string>] [-clientSecret ] [-redirectURL <URL>] [-issuer <string>] [-sendPassword ( ON | OFF )]
add authentication OAuthIDPProfile oauthidp_staging -clientID <client> -clientSecret <Secret from client> -redirectURL "<url from client>" -sendPassword ON
add authentication OAuthIdPPolicy <name> -rule <expression> -action <string>
add authentication OAuthIdPPolicy oauthidp_staging -rule true -action oauthidp_staging
bind authentication vserver <name> [-policy <string> [-priority <positive_integer>] [-gotoPriorityExpression <expression>]] [-portaltheme <string>]
bind authentication vserver auth -policy oauthidp_staging -priority 10 -gotoPriorityExpression next
bind vpn global -certkeyName MyCertKeyName
Creating an OAuth IDP profile by using the GUI
Prerequisites: You must have generated the client ID, secret, and redirect URL.
1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP.
2. Select the Profiles tab and click Add.
3. Configure the OAuth IDP profile.
Copy and paste the client ID, secret, and Redirect URL values from Citrix Cloud > Identity and Access Management > Authentication tab to establish the connection to Citrix Cloud.
You must also copy and paste the client ID in the Audience field as well.
Send Password: Enable this option for single sign-on support. This option is disabled by default.
4. In OAuth IDP page, select Policies and click Add.
5. Configure the OAuth IDP policy.
6. Bind the OAuth IDP policy to the authentication, authorization, and auditing authentication virtual server. For details see, Binding Authentication Policies.
Note: When sendPassword is set to ON (OFF by default), user credentials are encrypted and passed through a secure channel to Citrix Cloud. This in turn allows you to enable SSO to Citrix Virtual Apps and Desktops upon launch.