Configure authentication for the endpoints

Authentication provides security for a distributed internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.

The Citrix App Delivery and Security service supports SAML-based authentication. Authentication is supported only for user-defined FQDNs and HTTPS applications.

How it works

The SAML IdP (Identity Provider) is a SAML entity deployed on the public internet. The IdP receives requests from the SAML SP (Service Provider) and redirects users to a logon page, where they must enter their credentials. The IdP validates these credentials against Active Directory (or another external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP. The SP validates the assertion, and the user is then granted access to the requested protected application.

Prerequisites

  1. You have created an environment and a cloud access profile.
  2. You have specified the basic details, such as the name of the application, environment, services, and endpoints by navigating to Applications > New Application. For more information, see Deliver a modern application.
  3. You have configured the required services and endpoints.
  4. You have set the FQDN type to User defined and the Protocol to HTTPS in the endpoint configuration.

To set up authentication for the endpoints (FQDNs/IP addresses)

  1. Navigate to Applications > Authentication.
  2. In the Deliver an Application page, click Create.
  3. In the Create SAML Identity Provider page, specify values for the following parameters:
    • Name – Name for the SAML IdP.
    • Metadata URL – URL of the XML document that contains information about the SAML server.
    • Issuer Name – The name used in requests sent from Citrix ADS to the IdP to uniquely identify Citrix ADS.
    • User field – User name, that is, the SAML user ID as provided in the SAML assertion.

    SAML authentication details

  4. Click Create. The IdP you created appears in the Authentication page.

Note:

You can add only one IdP per application.

Bind a service to the IdP

  1. In the Deliver an Application page, select the services to bind to the IdP in the Services list. You can bind the IdP to one or more services as required. If you select Select All, which is the default option, all services available in the application are authenticated.

    Bind SAML IdP

  2. Select from one of the following options:

    • Click Next to configure content rules and security protection.
    • Click Deploy to start application delivery.

After you enable SAML authentication, only authenticated users can access the specific services that the admin has configured.
