Active Directory Federation Service Proxy Integration Protocol compliance

Note: Support for Active Directory Federation Service Proxy Integration Protocol is currently in technical preview release.

A system consisting of Active Directory Federation Services (ADFS) and a proxy server provides security services for an application located inside the corporate boundary. The system provides authentication, authorization, and access to resources that reside within the corporate security boundary, on-premises or in the cloud, for clients outside that perimeter.

The Citrix ADC appliance has a native proxy server that can use the ADFS Proxy Integration Protocol (ADFSPIP) to establish Trust between the proxy server and the ADFS farm.

Prerequisites

Before establishing Trust between the proxy server and the ADFS farm, verify the following configuration on the Citrix ADC appliance:

  • Enable SNI and disable SSLv3 and TLSv1 in the default back-end SSL profile. At the command prompt, type the following command:

    set ssl profile ns_default_ssl_profile_backend -sniEnable ENABLED -ssl3 DISABLED -tls1 DISABLED

  • Bind that back-end profile to the ADFS service so that SSLv3 and TLSv1 are disabled for the service. At the command prompt, type the following command:

    set ssl service [adfs service name] -sslProfile ns_default_ssl_profile_backend

  • Enable the default SSL profile in the global SSL parameters. At the command prompt, type the following command:

    set ssl parameter -defaultProfile ENABLED

Authentication mechanism

The following is the high-level flow of events for authentication.

  1. Establish Trust with the ADFS server – The Citrix ADC appliance establishes Trust with the ADFS server by registering a client certificate. Once Trust is established, the appliance re-establishes it after a reboot without user intervention.

    When the certificate expires, you must re-establish Trust by removing the ADFS proxy profile and adding it again.

  2. Insert headers into client requests – When the Citrix ADC appliance tunnels client requests, it adds the ADFSPIP-related HTTP headers to each request before forwarding it to the ADFS server. You can implement access control on the ADFS server based on these header values. The following headers are supported.
    • X-MS-Proxy
    • X-MS-Endpoint-Absolute-Path
    • X-MS-Forwarded-Client-IP
    • X-MS-Target-Role
    • X-MS-ADFS-Proxy-Client-IP
  3. Manage end-user traffic – End-user traffic is routed securely to the requested resources.

    Note: The Citrix ADC appliance uses form-based authentication.
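As an added example (not code from this page or from Citrix), the kind of access-control check an ADFS-side policy could apply to the headers listed above. The proxy name, the allowed client networks and the sample request are constructed, and the header semantics used here (X-MS-Proxy carries the registered proxy name, X-MS-Forwarded-Client-IP the end user's address) are assumptions.

```python
import ipaddress

# Headers the text says the Citrix ADC proxy inserts on every tunnelled request.
REQUIRED_HEADERS = (
    "X-MS-Proxy",
    "X-MS-Endpoint-Absolute-Path",
    "X-MS-Forwarded-Client-IP",
    "X-MS-Target-Role",
    "X-MS-ADFS-Proxy-Client-IP",
)
# Constructed policy (assumptions): the proxy names registered with the farm and
# the external client networks allowed to reach ADFS through the proxy.
TRUSTED_PROXIES = {"ctxadc-proxy-01"}
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

def evaluate(headers, proxy_channel_trusted):
    """Return (allow, reason). proxy_channel_trusted is True only when the
    request arrived on the client-certificate-authenticated channel from a
    proxy that established Trust; the X-MS-* headers mean nothing elsewhere."""
    h = {k.lower(): v for k, v in headers.items()}
    present = [n for n in REQUIRED_HEADERS if n.lower() in h]
    if not proxy_channel_trusted:
        # A direct (intranet) request must not carry proxy headers at all;
        # if it does, something is trying to impersonate the proxy.
        if present:
            return False, "ADFSPIP headers on an untrusted connection"
        return True, "direct internal request"
    missing = [n for n in REQUIRED_HEADERS if n.lower() not in h]
    if missing:
        return False, "missing headers: " + ", ".join(missing)
    if h["x-ms-proxy"] not in TRUSTED_PROXIES:
        return False, "unregistered proxy " + h["x-ms-proxy"]
    try:  # take the first address if the proxy appended a list
        client_ip = ipaddress.ip_address(
            h["x-ms-forwarded-client-ip"].split(",")[0].strip())
    except ValueError:
        return False, "malformed X-MS-Forwarded-Client-IP"
    if not any(client_ip in net for net in ALLOWED_CLIENT_NETS):
        return False, "client %s outside allowed networks" % client_ip
    return True, "ok"

# Constructed sample of a request as the proxy would forward it.
SAMPLE_PROXIED = {
    "X-MS-Proxy": "ctxadc-proxy-01",
    "X-MS-Endpoint-Absolute-Path": "/adfs/ls/",
    "X-MS-Forwarded-Client-IP": "203.0.113.10",
    "X-MS-Target-Role": "ADFS",
    "X-MS-ADFS-Proxy-Client-IP": "203.0.113.10",
}
```

The check denies a request that presents the proxy headers without having come over the certificate-authenticated proxy channel, which is the property that makes the headers usable for access control at all.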

Configure Citrix ADC to work with ADFS server

Prerequisites

  • Configure a Content Switching (CS) virtual server as the front end, with the AAA server behind it. At the command prompt, type:

    • add cs vserver [cs vserver name] SSL 10.220.xxx.xx 443 -cltTimeout 180 -AuthenticationHost [adfs server hostname] -Authentication OFF -persistenceType NONE

    • add cs action [action name1] -targetLBVserver [lb vserver name]

    • add cs action [action name2] -targetLBVserver [lb vserver name]

    • add cs policy [policy name1] -rule "HTTP.REQ.URL.CONTAINS(\"/adfs/services/trust\") || HTTP.REQ.URL.CONTAINS(\"federationmetadata/2007-06/federationmetadata.xml\")" -action [action name1]

    • add cs policy [policy name2] -rule "HTTP.REQ.URL.CONTAINS(\"/adfs/ls\")" -action [action name2]

    • bind cs vserver [cs vserver name] -policyName [policy name1] -priority 100

    • bind cs vserver [cs vserver name] -policyName [policy name2] -priority 110

    • bind cs vserver [cs vserver name] -lbvserver [lb vserver name]

  • Add ADFS service. At the command prompt, type:

    • add service [adfs service name] [adfs server ip] SSL 443

    • set ssl service [adfs service name] -sslProfile ns_default_ssl_profile_backend

  • Add a load balancing virtual server. At the command prompt, type:

    • add lb vserver [lb vserver name] SSL 0.0.0.0 0

    • set ssl vserver [lb vserver name] -sslProfile ns_default_ssl_profile_frontend

  • Bind the service to the load balancing virtual server. At the command prompt, type:

    • bind lb vserver [lb vserver name] [adfs service name]

To configure Citrix ADC to work with the ADFS server, do the following:

  1. Create an SSL certkey (certificate with private key) to use with the ADFS proxy profile
  2. Create an ADFS proxy profile
  3. Associate the ADFS proxy profile with the LB virtual server

Create an SSL certificate with private key to use with the ADFS proxy profile

At the command prompt, type:

add ssl certkey <certkeyname> -cert <certificate path> -key <keypath>

Note: The certificate file and the key file must be present on the Citrix ADC appliance.

Create an ADFS proxy profile using the CLI

At the command prompt, type:

add authentication adfsProxyProfile <profile name> -serverUrl https://<server FQDN or IP address>/ -username <adfs admin user name> -password <password for admin user> -certKeyName <name of the CertKey profile created above>

where:

Profile name – Name of the ADFS proxy profile to be created

ServerUrl – Fully qualified domain name of the ADFS service, including protocol and port. For example, https://adfs.citrix.com

Username – User name of an admin account that exists on the ADFS server

Password – Password of the admin account given as the user name

certKeyName – Name of the previously created SSL CertKey profile

Associate the ADFS proxy profile with the load balancing virtual server using the CLI

In the ADFS deployment there are two load balancing virtual servers, one for client traffic and the other for metadata exchange. The ADFS proxy profile must be associated with the load balancing virtual server that front-ends the ADFS server.

At the command prompt, type:

set lb vserver <adfs-proxy-lb> -adfsProxyProfile <name of the ADFS proxy profile>