ADFS integration with Secure Workspace Access

Claim rules are necessary to control the flow of claims through the claims pipeline. Claim rules can also be used to customize the claims flow during the claim rule execution process. For more information about claims, see Microsoft documentation.

To set up ADFS to accept claims from Citrix Secure Workspace Access, you must perform the following steps:

  1. Add claim provider trust in ADFS.
  2. Complete the app configuration on Citrix Secure Workspace Access.

Add claim provider trust in ADFS

  1. Open ADFS management console. Go to ADFS > Trust relationship > Claim provider Trust.
    1. Right-click and select Add Claim Provider Trust. Add claim provider trust wizard

    2. Add an app in Secure Workspace Access that is used to federate to ADFS. For details see, App configuration on Citrix Secure Workspace Access.

    Note:

    First add the app and from the app’s SSO configuration section, you can download the SAML metadata file, and then import the metadata file into ADFS.

    Download SAML metadata

    1. Complete the steps to finish adding claim provider trust. After you complete adding the claim provider trust, a window to edit the claim rule appears.
    2. Add a claim rule with Transform An Incoming Claim. Add a claim rule
    3. Complete the settings as shown in the following figure. If your ADFS accepts other claims, then use those claims and configure SSO in Secure Workspace Access also accordingly. Complete claim rule settings

You have now configured the claim provider trust that confirms ADFS now trusts Citrix Secure Workspace Access for SAML.

Claim Provider trust ID

Make a note of the claim provider trust id that you added. You need this ID while configuring the app in Citrix Secure Workspace Access. Sample claim provider trust ID

Relaying Party Identifier

If your SaaS app is already authenticated using ADFS, then you must already have the Relaying party trust added for that app. You need this ID while configuring the app in Citrix Secure Workspace Access.

Sample relaying party identifier ID

Enable relay state in IdP initiated flow

RelayState is a parameter of the SAML protocol that is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. If RelayState is not enabled in ADFS, users see an error after they authenticate to the resource providers that requires it.

For ADFS 2.0, you must install update KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide RelayState support. ADFS 3.0 has RelayState support built in. In both cases RelayState still needs to be enabled.

To enable the RelayState parameter on your ADFS servers

  1. Open the file.
    • For ADFS 2.0, enter the following file in Notepad: %systemroot%\inetpub\adfs\ls\web.config
    • For ADFS 3.0, enter the following file in Notepad: %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
  2. In the microsoft.identityServer.web section, add a line for useRelyStateForIdpInitiatedSignOn as follows, and save the change: <microsoft.identityServer.web> ... <useRelayStateForIdpInitiatedSignOn enabled="true" /> ...</microsoft.identityServer.web>
    • For ADFS 2.0, run IISReset to restart IIS.
  3. For both platforms, restart the Active Directory Federation Services (adfssrv) service. Note: If you have windows 2016 or Windows 10 then use the following PowerShell command to enable it. Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

Link to commands - https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps

App configuration on Citrix Secure Workspace Access

You can either configure the IdP initiated flow or the SP initiated flow. The steps to configure IdP or SP initiated flow in Citrix Secure Workspace Access are the same except that for SP initiated flow, you must select the Launch the app using the specified URL (SP initiated) check box in the UI.

IdP initiated flow

  1. While setting up the IdP initiated flow, configure the following.
  2. SAML SSO configuration.

    The following are the default values of the ADFS server. If any of the values are changed, get the correct values from the metadata of the ADFS server. Federation metadata of the ADFS server can be downloaded from its federation metadata endpoint, whose endpoint can be known from ADFS > Service > Endpoints.

    • Assertion URLhttps://<adfs fqdn>/adfs/ls/
    • Relay State – Relay state is important for the IdP initiated flow. Follow this link to construct it properly - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)

      Example: RPID=https%3A%2F%2Fdev98714.service-now.com&RelayState=https%3A%2F%2Fdev98714.service-now.com%2F

    • Audiencehttp://<adfsfqdn>/adfs/services/trust
    • For the other SAML SSO configuration settings, see to the following image. For more details, see https://docs.citrix.com/en-us/citrix-gateway-service/support-saas-apps.html

    SAML metadata configuration

  3. Save and subscribe the app to the user.

SP initiated flow

For SP initiated flow, configure the settings as captured in the IDP initiated flow section. In addition, enable the Launch the app using the specified URL (SP initiated) check box.

ADFS integration with Secure Workspace Access