ADFS deployment


This document describes how to integrate a Citrix environment with Microsoft ADFS.

Many organizations use ADFS to manage secure user access to web sites that require a single point of authentication. For example, a company may have additional content and downloads that are available to employees; those locations need to be protected with standard Windows logon credentials.

Federated Authentication Service (FAS) also allows Citrix Gateway and Citrix StoreFront to be integrated with the ADFS logon system, reducing potential confusion for the employees.

This deployment integrates Citrix Gateway as a relying party to Microsoft ADFS.

localized image


There are no differences if the back end resource is either Windows VDA or Linux VDA.

SAML overview

Security Assertion Markup Language (SAML) is a simple “redirect to a logon page” web browser logon system. Configuration includes the following items:

Redirect URL [Single Sign-on Service Url]

When Citrix Gateway discovers that a user needs to be authenticated, it instructs the user’s web browser to do a HTTP POST to a SAML logon webpage on the ADFS server. This is usually an https:// address of the form:

This web page POST includes other information, including the “return address” where ADFS will return the user when logon is complete.

Identifier [Issuer Name/EntityID]

The EntityId is a unique identifier that Citrix Gateway includes in its POST data to ADFS. This informs ADFS which service the user is trying to log on to, and to apply different authentication policies as appropriate. If issued, the SAML authentication XML will only be suitable for logging on to the service identified by the EntityId.

Usually, the EntityID is the URL of the Citrix Gateway server logon page, but it can generally be anything, as long as Citrix Gateway and ADFS agree on it:

Return address [Reply URL]

If authentication is successful, ADFS instructs the user’s web browser to POST a SAML authentication XML back to one of the Reply URLs that are configured for the EntityId. This is usually an https:// address on the original Citrix Gateway server in the form:

If there is more than one Reply URL address configured, Citrix Gateway can choose one in its original POST to ADFS.

Signing certificate [IDP Certificate]

ADFS cryptographically signs SAML authentication XML blobs using its private key. To validate this signature, Citrix Gateway must be configured to check these signatures using the public key included in a certificate file. The certificate file will usually be a text file obtained from the ADFS server.

Single sign-out Url [Single Logout URL]

ADFS and Citrix Gateway support a “central logout” system. This is a URL that Citrix Gateway polls occasionally to check that the SAML authentication XML blob still represents a currently logged-on session.

This is an optional feature that does not need to be configured. It is usually an https:// address in the form (Note that it can be the same as the Single Logon URL.)


The section Citrix Gateway deployment describes how to set up Citrix Gateway to handle standard LDAP authentication options. After that completes successfully, you can create a new authentication policy on Citrix Gateway that allows SAML authentication. This can then replace the default LDAP policy used by the Citrix Gateway wizard.

localized image

Fill in the SAML policy

Configure the new SAML IdP server using information taken from the ADFS management console earlier. When this policy is applied, Citrix Gateway redirects the user to ADFS for logon, and accepts an ADFS-signed SAML authentication token in return.

localized image

ADFS deployment