Federated Authentication Service ADFS deployment
This document describes how to integrate a Citrix environment with Microsoft ADFS.
Many organizations use ADFS to manage secure user access to web sites that require a single point of authentication. For example, a company may have additional content and downloads that are available to employees; those locations need to be protected with standard Windows logon credentials.
The Federated Authentication Service (FAS) also allows Citrix NetScaler and Citrix StoreFront to be integrated with the ADFS logon system, reducing potential confusion for the company’s staff.
This deployment integrates NetScaler as a relying party to Microsoft ADFS.
Security Assertion Markup Language (SAML) is a simple “redirect to a logon page” web browser logon system. Configuration includes the following items:
When NetScaler discovers that a user needs to be authenticated, it instructs the user’s web browser to do an HTTP POST to a SAML logon webpage on the ADFS server. This is usually an https:// address of the form:
This web page POST includes other information, including the “return address” where ADFS will return the user when logon is complete.
The EntityId is a unique identifier that NetScaler includes in its POST data to ADFS. It tells ADFS which service the user is trying to log on to, so that ADFS can apply different authentication policies as appropriate. If issued, the SAML authentication XML will only be suitable for logging on to the service identified by the EntityId.
Usually, the EntityID is the URL of the NetScaler server logon page, but it can generally be anything, as long as NetScaler and ADFS agree on it:
If authentication is successful, ADFS instructs the user’s web browser to POST a SAML authentication XML back to one of the Reply URLs that are configured for the EntityId. This is usually an https:// address on the original NetScaler server in the form:
If there is more than one Reply URL address configured, NetScaler can choose one in its original POST to ADFS.
ADFS cryptographically signs SAML authentication XML blobs using its private key. To validate this signature, NetScaler must be configured to check these signatures using the public key included in a certificate file. The certificate file will usually be a text file obtained from the ADFS server.
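The relying-party checks described above (EntityId as the Audience, Reply URL as the Destination and Recipient, a verified signature, and a live validity window) are what a service provider has to perform before it trusts an ADFS-issued assertion. The following is an added example, not Citrix or Microsoft code; the hostnames, paths and timestamps in the sample response are constructed placeholders. XML-Signature verification against the ADFS token-signing certificate needs an XML-DSig library, so the function takes that result as an input and refuses the assertion outright when it is false.

```python
"""Relying-party validation of a SAML 2.0 Response (added example, not from the page)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: hostnames, IDs and times are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://gateway.example.test/cgi/samlauth">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://gateway.example.test/cgi/samlauth"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gateway.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, entity_id, reply_urls, trusted_issuer, now, signature_ok):
    """Return the list of failed checks; an empty list means the assertion is acceptable.

    signature_ok is the result of XML-Signature verification against the ADFS
    signing certificate, done by the caller with a proper XML-DSig library.
    """
    if not signature_ok:
        # No field below can be trusted without a valid signature, so stop here.
        return ["signature"]
    failures = []
    # Note: for XML from an untrusted client, parse with a hardened parser.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no-assertion"]

    # 1. The issuer must be the IdP that was configured, not merely any valid signer.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_issuer:
        failures.append("issuer")

    # 2. The Audience must equal the EntityId that NetScaler sent in its request.
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        failures.append("audience")

    # 3. Destination and bearer Recipient must both be one of the configured Reply URLs.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if root.get("Destination") not in reply_urls or recipient not in reply_urls:
        failures.append("reply-url")

    # 4. Validity window: Conditions and the bearer confirmation must both be live.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        failures.append("conditions-window")
    else:
        not_before = cond.get("NotBefore")
        if (not_before and now < parse_saml_time(not_before)) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
            failures.append("conditions-window")
    if scd is None or scd.get("NotOnOrAfter") is None or now >= parse_saml_time(scd.get("NotOnOrAfter")):
        failures.append("confirmation-window")
    return failures


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:01:00Z")
    print(validate_response(SAMPLE_RESPONSE, "https://gateway.example.test",
                            {"https://gateway.example.test/cgi/samlauth"},
                            "http://adfs.example.test/adfs/services/trust", now, True))
```

The order of the checks matters: the signature gate comes first because every later field is attacker-controlled until it has been verified, and the Audience check is what stops an assertion issued for one EntityId from being replayed against another relying party.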
ADFS and NetScaler support a “central logout” system. This is a URL that NetScaler polls occasionally to check that the SAML authentication XML blob still represents a currently logged-on session.
This is an optional feature that does not need to be configured. It is usually an https:// address in the form https://adfs.mycompany.com/adfs/logout. (Note that it can be the same as the Single Logon URL.)
The NetScaler Gateway deployment section in the Federated Authentication Services architectures article describes how to set up NetScaler Gateway to handle standard LDAP authentication options, using the XenApp and XenDesktop NetScaler setup wizard. After that completes successfully, you can create a new authentication policy on NetScaler that allows SAML authentication. This can then replace the default LDAP policy used by the NetScaler setup wizard.
Configure the new SAML IdP server using information taken from the ADFS management console earlier. When this policy is applied, NetScaler redirects the user to ADFS for logon, and accepts an ADFS-signed SAML authentication token in return.
- The Federated Authentication Service article is the primary reference for FAS installation and configuration.
- The common FAS deployments are summarized in the Federated Authentication Service architectures overview article.
- “How-to” articles are introduced in the Federated Authentication Service configuration and management article.