Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud
Citrix Cloud supports using an on-premises Citrix Gateway as an identity provider to authenticate subscribers signing in to their workspaces.
By using Citrix Gateway authentication, you can:
- Continue authenticating users through your existing Citrix Gateway so they can access the resources in your on-premises Virtual Apps and Desktops deployment through Citrix Workspace.
- Use the Citrix Gateway authentication, authorization, and auditing (Citrix ADC AAA) functions with Citrix Workspace.
- Use features such as pass-through authentication, smart cards, secure tokens, conditional access policies, federation, and many others while providing your users access to the resources they need through Citrix Workspace.
Citrix Gateway authentication is supported for use with the following product versions:
- Citrix Gateway 13.0 41.20 Advanced edition or later
- Citrix Gateway 12.1 54.13 Advanced edition or later
Cloud Connectors - You need at least two servers on which to install the Citrix Cloud Connector software.
Active Directory - Perform the necessary checks.
Citrix Gateway requirements
Use advanced policies on the on-premises gateway due to deprecation of classic policies.
When configuring the Gateway for authenticating subscribers to Citrix Workspace, the gateway acts as an OpenID Connect provider. Messages between Citrix Cloud and Gateway conform to the OIDC protocol, which involves digitally signing tokens. Therefore, you must configure a certificate for signing these tokens.
Clock synchronization - The Gateway must be synchronized to NTP time.
For details, see Prerequisites.
Create an OAuth IdP policy on the on-premises Citrix Gateway
You must have generated the client ID, secret, and redirect URL in Citrix Cloud > Identity and Access Management > Authentication tab. For details, see Connect an on-premises Citrix Gateway to Citrix Cloud.
Creating an OAuth IdP authentication policy involves the following tasks:
Create an OAuth IdP profile.
Add an OAuth IdP policy.
Bind the OAuth IdP policy to an authentication virtual server.
Bind the certificate globally.
Creating an OAuth IdP profile by using the CLI
At the command prompt, type:
add authentication OAuthIDPProfile <name> [-clientID <string>] [-clientSecret <string>] [-redirectURL <URL>] [-issuer <string>] [-sendPassword ( ON | OFF )]
add authentication OAuthIdPPolicy <name> -rule <expression> -action <string>
bind authentication vserver <name> [-policy <string> [-priority <positive_integer>] [-gotoPriorityExpression <expression>]] [-portaltheme <string>]
bind vpn global -certkeyName <certkeyName>
Example:
add authentication OAuthIDPProfile oauthidp_staging -clientID <client> -clientSecret <Secret from client> -redirectURL "<url from client>" -issuer <https://GatewayFQDN.com> -sendPassword ON
add authentication OAuthIdPPolicy oauthidp_staging -rule true -action oauthidp_staging
bind authentication vserver auth -policy oauthidp_staging -priority 10 -gotoPriorityExpression next
bind vpn global -certkeyName MyCertKeyName
Creating an OAuth IdP profile by using the GUI
Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP.
In the OAuth IDP page, select the Profiles tab and click Add.
Configure the OAuth IdP profile.
Copy and paste the client ID, secret, and Redirect URL values from Citrix Cloud > Identity and Access Management > Authentication tab to establish the connection to Citrix Cloud.
Enter the Gateway URL in the Issuer Name field. Example: https://GatewayFQDN.com
Copy and paste the client ID into the Audience field as well.
Send Password: Enable this option for single sign-on support. This option is disabled by default.
In the OAuth IDP page, select the Policies tab and click Add.
Configure the OAuth IdP policy.
Bind the OAuth IdP policy to the authentication, authorization, and auditing authentication virtual server.
- Navigate to Security > AAA - Application Traffic > Virtual Servers.
- Select the virtual server to which you want to bind the policy, and then click Edit.
- In Advanced Authentication Policies, click > next to No OAuth IDP Policy.
- In the Authentication OAuth IDP Policy page, click Add Binding.
- In Select Policy, select the OAuth IdP policy.
- Click Bind.
When sendPassword is set to ON (OFF by default), user credentials are encrypted and passed through a secure channel to Citrix Cloud. Passing user credentials through a secure channel allows you to enable SSO to Citrix Virtual Apps and Desktops upon launch.
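The relying-party side of the OIDC exchange described above (signed tokens, Issuer Name equal to the Gateway URL, Audience equal to the client ID, NTP-synchronized clocks) is illustrated by the following added example. It is not Citrix code and does not show how Citrix Cloud or Citrix Gateway implement the exchange; it uses only the Go standard library, models the ID token as an RS256 JWT with a single-string audience, uses https://GatewayFQDN.com as the issuer from the page, and uses CLIENT_ID_PLACEHOLDER in place of the client ID generated in Citrix Cloud. The point it makes is which checks a token consumer must perform, and how a misconfigured issuer, a mismatched audience or clock drift cause a signed token to be rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims models the ID-token fields a relying party checks. OIDC allows "aud" to be a
// string or an array; this example models the single-string form (Audience = client ID).
type Claims struct {
	Iss string `json:"iss"` // issuer: the Gateway URL, e.g. https://GatewayFQDN.com
	Aud string `json:"aud"` // audience: the client ID generated in Citrix Cloud
	Sub string `json:"sub"`
	Iat int64  `json:"iat"` // issued-at (Unix seconds)
	Exp int64  `json:"exp"` // expiry (Unix seconds)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIDToken builds a compact RS256 JWT (header.claims.signature, base64url) the way an
// OIDC provider does; priv stands in for the key of the certificate bound on the Gateway.
func SignIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr := []byte(`{"alg":"RS256","typ":"JWT"}`)
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken applies the relying-party checks: alg pinned to RS256 (the header is not
// trusted to choose), signature under the provider's public key, iss equal to the
// configured issuer, aud equal to the client ID, and exp/iat inside a clock-skew window.
func VerifyIDToken(token string, pub *rsa.PublicKey, wantIss, wantAud string,
	now time.Time, skew time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("header rejected: alg must be RS256")
	}
	// Check the signature before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q does not match configured issuer %q", c.Iss, wantIss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q does not match the client ID", c.Aud)
	}
	skewSec := int64(skew.Seconds())
	if now.Unix() > c.Exp+skewSec {
		return nil, errors.New("token expired")
	}
	if c.Iat > now.Unix()+skewSec {
		return nil, errors.New("token issued in the future: check NTP synchronization")
	}
	return &c, nil
}

func main() {
	// Constructed demo; CLIENT_ID_PLACEHOLDER stands in for the client ID from Citrix Cloud.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := SignIDToken(priv, Claims{Iss: "https://GatewayFQDN.com", Aud: "CLIENT_ID_PLACEHOLDER",
		Sub: "user@example.com", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	_, err := VerifyIDToken(tok, &priv.PublicKey, "https://GatewayFQDN.com", "CLIENT_ID_PLACEHOLDER", now, time.Minute)
	fmt.Println("token accepted:", err == nil)
}
```

The order of checks is deliberate: the signature is verified before any claim is read, so an unsigned or re-signed payload never influences the issuer, audience or time comparisons. An issuer entered with a different host or scheme than the Gateway URL fails the iss check even though the signature is valid, which is why the Issuer Name field has to match exactly; the iat and exp window is what makes the NTP requirement concrete.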
Support for active-active GSLB deployments on Citrix Gateway
Citrix Gateway configured as an Identity Provider (IdP) using the OIDC protocol can support active-active GSLB deployments. The active-active GSLB deployment on Citrix Gateway IdP provides the capability to load balance an incoming user login request across multiple geographic locations.
Citrix recommends that you bind CA certificates to the SSL service and enable certificate validation on the SSL service for enhanced security.
For more information on configuring GSLB setup, see Example of a GSLB setup and configuration.