In Citrix Gateway 13.0
In Citrix Gateway
In All products
Product documentation
In Citrix Gateway 13.0
In Citrix Gateway
In All products
Citrix Gateway
Current Release 12.1
View PDF

Configuring Citrix Gateway Virtual Server for Microsoft ADAL Token Authentication

May 6, 2021
Contributed by: 
C

To configure a Citrix Gateway virtual server for monitoring Microsoft ADAL token authentication, you need the following information:

  • certEndpoint: The URL of the endpoint that contains the JSON Web Key (JWK) for ADAL token verification.
  • Audience: FQDN of the Citrix ADC virtual server to which the app sends the ADAL token.
  • Issuer: Name of the AAD issuer. Gets populated by default.
  • TenantID: Tenant ID for Azure ADAL registration.
  • ClientID: A unique ID given to the Gateway app as part of ADAL registration.
  • ClientSecret: A secret key given to the Gateway app as part of ADAL registration.
  • ResourceURI: An optional parameter to capture the resource URI. If not configured, Citrix ADC uses Azure commercial resource URI.

Perform the following steps using the command line interface:

  1. Create an OAuth action.

    add authentication OAuthAction <oauth-action-name> -OAuthType <INTUNE> –clientid <clientID> -clientsecret <client-secret> -audience <audience name> -tenantid <tenantID> -issuer <issuer-name> -userNameField <upn> -certEndpoint <certEndpoint-name> -resourceURI <name of resource URI>

  2. Create an authentication policy to associate with the newly created OAuth action.

    add authentication Policy <policy-name> -rule <true> -action <oauth intune action>

  3. Bind the newly created OAuth to AuthVS.

    bind authentication vserver <auth-vserver> -policy <oauth-intune-policy> -priority 2 -gotoPriorityExpression END

  4. Create a LoginSchema.

    add authentication loginSchema <loginSchemaName> -authenticationSchema <authenticationSchema”location”>
add authentication loginSchemaPolicy <loginSchemaPolicyName> -rule true -action <loginSchemaName>

  5. Bind AuthVS with LoginSchema.

    bind authentication vserver <auth-vs> -policy <oauth-pol> -priority 2 -gotoPriorityExpression END

  6. Add an authentication profile and assign it to a VPN virtual server.

    add authnprofile <nfactor-profile-name> -authnvsName <authvserver>
set vpn vserver <vserver-name> -authnprofile <nfactor-profile-name​>

Sample configuration

add authentication OAuthAction tmp-action -OAuthType INTUNE -clientid id 1204 -clientsecret a -audience "[http://hello](http://hello/)" -tenantid xxxx -issuer "[https://hello](https://hello/)" -userNameField upn -certEndpoint https://login.microsoftonline.com/common/discovery/v2.0/keys --resourceURI htpps://api.manage.microsoft.com

add authentication Policy oauth-intune-pol -rule true -action tmp-action
bind authentication vserver auth-vs-for-gw1-intune -policy oauth-pol -priority 2 -gotoPriorityExpression END

add authentication loginSchema oauth-loginschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyOAuthToken.xml"

add authentication loginSchemaPolicy oauth-loginschema-pol -rule true -action oauth-loginschema​`

bind authentication vserver auth-vs-for-gw1-intune -policy oauth-loginschema-pol -priority 2 -gotoPriorityExpression END

add authnprofile nfactor-prof-intune -authnvsName auth-vs-for-gw1-intune

set vpn vserver gw1-intune-authnprofile nfactor-prof-intune
Configuring Citrix Gateway Virtual Server for Microsoft ADAL Token Authentication
May 6, 2021
Contributed by: 
C
May 6, 2021
Contributed by: 
C

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings
© 1999- Citrix Systems, Inc. All rights reserved.