StoreFront

Federated Authentication Service Configuration

When using authentication methods such as SAML, where the user does not enter their credentials directly into Citrix Workspace app, by default it is not possible to single sign-on into VDAs. In these cases, you can use Federated Authentication Service (FAS) to provide single sign-on to VDAs using certificate authentication. To use FAS with StoreFront, you must configure StoreFront using the PowerShell SDK. Use Set-STFClaimsFactoryNames to set the claims factory to FASClaimsFactory and use Set-STFStoreLaunchOptions to set the VDA logon data logon provider to FASLogonDataProvider. For example:

$store = Get-STFStoreService -VirtualPath [VirtualPath]
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
<!--NeedCopy-->

Substitute [VirtualPath] for the appropriate virtual path, e.g. /Citrix/Store.

FAS server unavailability

If the FAS server is unavailable the launch fails by default. However, you can configure StoreFront such that if the FAS server is unavailable, users can sign on to the VDA by entering their credentials. You can use the following Powershell command to enable this configuration.

Set-STFStoreLaunchOptions with parameter FederatedAuthenticationServiceFailover

For more information, see Developer Documentation.

Disable FAS for a store

To disable FAS for a store:

$store = Get-STFStoreService -VirtualPath [VirtualPath]
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""
<!--NeedCopy-->

To configure the list of FAS servers and other settings you must use Group policy. For more details see FAS documentation.

Federated Authentication Service Configuration