Gateway

Configuring Single Sign-On to Web Applications

You can configure NetScaler Gateway to provide single sign-on to servers in the internal network that use web-based authentication. With single sign-on, you can redirect the user to a custom home page, such as a SharePoint site or to the Web Interface. You can also configure single sign-on to resources through the Citrix Secure Access client from a bookmark configured on the home page or a web address that users type in the web browser.

If you are redirecting the home page to a SharePoint site or Web Interface, provide the web address for the site. When users are authenticated, either by NetScaler Gateway or an external authentication server, users are redirected to the specified home page. User credentials are passed transparently to the web server. If the web server accepts the credentials, users are logged on automatically. If the web server denies the credentials, users receive an authentication prompt asking for their user name and password.

You can configure single sign-on to web applications globally or by using a session policy.

To configure single sign-on to web applications globally

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, click Single sign-on to Web Applications and then click OK.

To configure single sign-on to web applications by using a session policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, on the Policies tab, select a session policy and then click Open.
  3. In the Configure Session Policy dialog box, next to Request Profile, click Modify.
  4. On the Client Experience tab, next to Single Sign-On to Web Applications, click Global Override, click Single Sign-On to Web Applications and then click OK.

To define the HTTP port for single sign-on to web applications

Single sign-on is attempted only for network traffic where the destination port is considered an HTTP port. To allow single sign-on to applications that use a port other than port 80 for HTTP traffic, add one or more port numbers on NetScaler Gateway. You can enable multiple ports. The ports are configured globally.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.

  2. In the details pane, under Settings, click Change global settings.

  3. On the Network Configuration tab, click Advanced Settings.

  4. Under HTTP Ports, type the port number, click Add and then click OK twice.

    You can repeat Step 4 for each port you want to add.

Note: If web applications in the internal network use public IP addresses, single sign-on does not function. To enable single sign-on, split tunneling must be enabled as part of the global policy setting, regardless if clientless access or the Citrix Secure Access client is used for user device connections. If it is not possible to enable split tunneling on a global level, create a virtual server that use a private address range.

Configuring Single Sign-On to Web Applications