Federated Authentication Service ADFS deployment


This document describes how to integrate a Citrix environment with Microsoft ADFS.

Many organizations use ADFS to manage secure user access to web sites that require a single point of authentication. For example, a company may have additional content and downloads that are available to employees; those locations need to be protected with standard Windows logon credentials.

The Federated Authentication Service (FAS) also allows Citrix NetScaler and Citrix StoreFront to be integrated with the ADFS logon system, reducing potential confusion for the company’s staff.

This deployment integrates NetScaler as a relying party to Microsoft ADFS.


SAML overview

Security Assertion Markup Language (SAML) is a simple “redirect to a logon page” web browser logon system. Configuration includes the following items:

Redirect URL [Single Sign-on Service Url]

When NetScaler discovers that a user needs to be authenticated, it instructs the user’s web browser to do an HTTP POST to a SAML logon web page on the ADFS server. This is usually an https:// address of the form https://adfs.mycompany.com/adfs/ls.

This web page POST includes other information, including the “return address” where ADFS will return the user when logon is complete.

Identifier [Issuer Name/EntityID]

The EntityId is a unique identifier that NetScaler includes in its POST data to ADFS. It tells ADFS which service the user is trying to log on to, so that ADFS can apply different authentication policies as appropriate. If issued, the SAML authentication XML is suitable only for logging on to the service identified by the EntityId.

Usually, the EntityID is the URL of the NetScaler server logon page, but it can generally be anything, as long as NetScaler and ADFS agree on it: https://ns.mycompany.com/application/logonpage.

Return address [Reply URL]

If authentication is successful, ADFS instructs the user’s web browser to POST a SAML authentication XML back to one of the Reply URLs that are configured for the EntityId. This is usually an https:// address on the original NetScaler server in the form: https://ns.mycompany.com/cgi/samlauth.

If there is more than one Reply URL address configured, NetScaler can choose one in its original POST to ADFS.

Signing certificate [IDP Certificate]

ADFS cryptographically signs SAML authentication XML blobs using its private key. To validate this signature, NetScaler must be configured to check these signatures using the public key included in a certificate file. The certificate file will usually be a text file obtained from the ADFS server.

Single sign-out Url [Single Logout URL]

ADFS and NetScaler support a “central logout” system. This is a URL that NetScaler polls occasionally to check that the SAML authentication XML blob still represents a currently logged-on session.

This is an optional feature that does not need to be configured. It is usually an https:// address in the form https://adfs.mycompany.com/adfs/logout. (Note that it can be the same as the Single Logon URL.)
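The following Python script is an added example (not Citrix, NetScaler or ADFS code) that shows how the four mandatory items above map onto the actual SAML messages: it builds the AuthnRequest that the browser POSTs to the Redirect URL, carrying the EntityID and the Reply URL, and then applies the checks a relying party must make on the returned assertion before trusting it (Destination is one of the Reply URLs, the response answers an outstanding request, the audience equals the EntityID, the validity window is current, and the signing certificate is the configured IDP Certificate). The hostnames are the ones used in the text; the request IDs, user name, RelayState path and the "certificate" bytes are constructed, and the cryptographic XML-DSig signature verification itself is assumed to be done by a library such as signxml rather than implemented here.

```python
"""Relying-party side of the SAML exchange above. Added example, not Citrix, NetScaler
or ADFS code; hostnames, IDs, user names and the 'certificate' bytes are constructed.
The cryptographic XML-DSig check is left to a library such as signxml; here only the
pinned IdP certificate is compared, then audience, destination, request ID and time."""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=2)  # tolerated drift between the ADFS and SP clocks

@dataclass
class SpConfig:
    """The four mandatory items from the SAML overview, as the SP stores them."""
    redirect_url: str   # Single Sign-on Service URL on ADFS
    entity_id: str      # Issuer Name / EntityID
    reply_urls: list    # Reply URLs registered with ADFS for this EntityID
    idp_cert_pem: str   # IDP signing certificate (PEM text exported from ADFS)

def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):  # ADFS emits UTC timestamps such as 2024-01-01T10:00:00.123Z
    return datetime.fromisoformat(s.rstrip("Z")).replace(tzinfo=timezone.utc)

def pem_body(pem):  # base64 body of a PEM block, the text also carried in ds:X509Certificate
    return "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))

def cert_fingerprint(b64):
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def build_authn_request(cfg, now, request_id=None):
    """AuthnRequest for the HTTP-POST binding; returns (request ID, form fields)."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{fmt(now)}" '
           f'Destination="{cfg.redirect_url}" AssertionConsumerServiceURL="{cfg.reply_urls[0]}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{cfg.entity_id}</saml:Issuer></samlp:AuthnRequest>')
    # The browser POSTs these two fields to cfg.redirect_url (the RelayState path is constructed)
    form = {"SAMLRequest": base64.b64encode(xml.encode()).decode(), "RelayState": "/Citrix/StoreWeb"}
    return request_id, form

def validate_response(cfg, response_xml, expected_request_id, now):
    """Return the asserted NameID, or raise ValueError describing the failed check."""
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") not in cfg.reply_urls:
        raise ValueError("Destination is not one of our Reply URLs")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not match an outstanding request")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("ADFS reported logon failure")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never pick one of several (signature-wrapping defence)
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or cert_fingerprint(cert.text) != cert_fingerprint(pem_body(cfg.idp_cert_pem)):
        raise ValueError("assertion not signed by the configured IdP certificate")
    # Production: verify ds:SignatureValue over this assertion with an XML-DSig library here
    cond = a.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != cfg.entity_id:
        raise ValueError("assertion was issued for a different EntityID")
    return a.find("saml:Subject/saml:NameID", NS).text

# Constructed configuration using the hostnames from the text above
CONFIG = SpConfig(
    redirect_url="https://adfs.mycompany.com/adfs/ls",
    entity_id="https://ns.mycompany.com/application/logonpage",
    reply_urls=["https://ns.mycompany.com/cgi/samlauth"],
    idp_cert_pem="-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % base64.b64encode(b"constructed IdP cert bytes, not a real X.509").decode())

def sample_response(cfg, in_response_to, now, audience=None, destination=None):
    """Constructed ADFS-style response for the demo (carries no real SignatureValue)."""
    cert_b64 = pem_body(cfg.idp_cert_pem)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="{fmt(now)}" InResponseTo="{in_response_to}"
  Destination="{destination or cfg.reply_urls[0]}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{fmt(now)}">
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@mycompany.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{fmt(now - timedelta(minutes=1))}" NotOnOrAfter="{fmt(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience or cfg.entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Run with `validate_response(CONFIG, sample_response(CONFIG, rid, now), rid, now)` after `rid, form = build_authn_request(CONFIG, now)`; swapping in a different audience, destination, request ID or a later clock makes the call raise, which is the behaviour NetScaler's own SAML policy provides when the EntityID, Reply URL and IDP certificate it is configured with do not match what ADFS issued. The single-assertion rule and the pinned certificate comparison are the cheap checks; the `ds:SignatureValue` verification that proves the assertion was not altered in transit still has to be done by an XML-DSig implementation.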

The NetScaler Gateway deployment section in the Federated Authentication Services architectures article describes how to set up NetScaler Gateway to handle standard LDAP authentication options, using the XenApp and XenDesktop NetScaler setup wizard. After that completes successfully, you can create a new authentication policy on NetScaler that allows SAML authentication. This can then replace the default LDAP policy used by the NetScaler setup wizard.


Fill in the SAML policy

Configure the new SAML IdP server using information taken from the ADFS management console earlier. When this policy is applied, NetScaler redirects the user to ADFS for logon, and accepts an ADFS-signed SAML authentication token in return.

