Citrix Gateway

Configuring Citrix Gateway Virtual Server for Microsoft ADAL Token Authentication

To configure a Citrix Gateway virtual server for monitoring Microsoft ADAL token authentication, you need the following information:

  • certEndpoint: the URL of the endpoint that contains the JSON Web Key (JWK) for ADAL token verification.
  • Audience: FQDN of the Citrix ADC virtual server to which the app sends the ADAL token.
  • Issuer: Name of the AAD issuer. Gets populated by default.
  • TenantID: Tenant ID for Azure ADAL registration.
  • ClientID: A unique ID given to the Gateway app as part of ADAL registration.
  • ClientSecret: A secret key given to the Gateway app as part of ADAL registration.
  • ResourceURI: An optional parameter to capture the resource URI. If not configured, Citrix ADC uses Azure commercial resource URI.

Perform the following steps using the command line interface:

  1. Create an OAuth action.

    add authentication OAuthAction <oauth-action-name> -OAuthType <INTUNE> –clientid <clientID> -clientsecret <client-secret> -audience <audience name> -tenantid <tenantID> -issuer <issuer-name> -userNameField <upn> -certEndpoint <certEndpoint-name> -resourceURI <name of resource URI>
    
  2. Create an authentication policy to associate with the newly created OAuth action.

    add authentication Policy <policy-name> -rule <true> -action <oauth intune action>
    
  3. Bind the newly created OAuth to AuthVS.

    bind authentication vserver <auth-vserver> -policy <oauth-intune-policy> -priority 2 -gotoPriorityExpression END
    
  4. Create a LoginSchema.

    add authentication loginSchema <loginSchemaName> -authenticationSchema <authenticationSchema”location”>
    add authentication loginSchemaPolicy <loginSchemaPolicyName> -rule true -action <loginSchemaName>
    
  5. Bind AuthVS with LoginSchema.

    bind authentication vserver <auth-vs> -policy <oauth-pol> -priority 2 -gotoPriorityExpression END
    
  6. Add an authentication profile and assign it to a VPN virtual server.

    add authnprofile <nfactor-profile-name> -authnvsName <authvserver>
    set vpn vserver <vserver-name> -authnprofile <nfactor-profile-name​>
    

Sample configuration

```

add authentication OAuthAction tmp-action -OAuthType INTUNE -clientid id 1204 -clientsecret a -audience “http://hello” -tenantid xxxx -issuer “https://hello” -userNameField upn -certEndpoint https://login.microsoftonline.com/common/discovery/v2.0/keys –resourceURI htpps://api.manage.microsoft.com

add authentication Policy oauth-intune-pol -rule true -action tmp-action bind authentication vserver auth-vs-for-gw1-intune -policy oauth-pol -priority 2 -gotoPriorityExpression END

add authentication loginSchema oauth-loginschema -authenticationSchema “/nsconfig/loginschema/LoginSchema/OnlyOAuthToken.xml”

add authentication loginSchemaPolicy oauth-loginschema-pol -rule true -action oauth-loginschema​`

bind authentication vserver auth-vs-for-gw1-intune -policy oauth-loginschema-pol -priority 2 -gotoPriorityExpression END

add authnprofile nfactor-prof-intune -authnvsName auth-vs-for-gw1-intune

set vpn vserver gw1-intune-authnprofile nfactor-prof-intune

Configuring Citrix Gateway Virtual Server for Microsoft ADAL Token Authentication