SAML through Netscaler to Citrix Storefront - anyone?
Hi all, we've been fighting with this setup for a while now and coming up empty-handed so far. We have NetScaler v11 (supports SAML) connected to Okta. Then we have StoreFront 3.01 with XenApp 7.6. After version 7.x of XenApp, Citrix removed the ability to do SAML auth all the way into StoreFront. There are guides out there to configure this but they generally require XenApp 6.5, which is out of support. I know this is more of a Citrix question but I post it here just in case anyone has managed the type of setup we're going to attempt: SAML into the NetScaler, then non-pass-through auth (user is prompted for local AD domain credentials) to authenticate to StoreFront and XenApp. If you have this working another way let me know. We were going to try the RADIUS route with SWA but can't due to some requirements in AD and with our project team.
Hi everyone, original poster here. So here's what I've learned through much trial and error. For complete pass-through with SAML you simply cannot do this in XenApp 7.6. You can hack it with some HTTP rewrites at the NetScaler to do SAML at the NetScaler and then manual auth to XenApp, but that's not too great. In the middle of this I emailed a person at Citrix who wrote the old SAML article referencing XA 6.5 and SF 2.6. He remembered my email and sent over this link. Looks like XA 7.8 is maybe going to bring SAML back!
I'd also like to hear about Native Receiver vs. Web. How have people integrated Okta MFA (RADIUS) with native Receivers? How are you handling the Okta AccessChallenge message that asks the user to select a mode?
Hi everyone, we have it working and have implemented it with a customer as well. However, you need to upgrade: 7.8 at the very least, but 7.9 onwards is an easier implementation, though you may not like the way it's configured. You need to use the new Federated Authentication Service (FAS), which uses the only available supported method to authenticate with AD using SAML from Citrix authentication. Also, this is only for Receiver for Web; the native client is not supported yet. And we're seeing some issues with opening ICA files from Okta Mobile on the latest version of Citrix XenDesktop/App and SF. Web site access is fine and passes completely through. FAS relies on smart card authentication through certificates, so you'll need to secure this side of your infrastructure down heavily. Our setup is NetScaler Gateway > StoreFront 3.x > XenDesktop/App 7.12 > FAS > MS Certificate Services. There is a lot of documentation on this now and it's growing every day. Note, they won't be bringing back the old auth methods available in 6.x and prior, so FAS is the only way if you want to use SAML with Citrix. I'm hoping they'll develop the functionality for the native client... it is possible, as it works with other locally installed clients, e.g. BOMGAR.
Are you using FAS? Is this your first attempt at SAML or are you using SWA? Note that if using SAML there is no other way currently to authenticate correctly to StoreFront and access applications without FAS (Federated Authentication Service). The error reminds me of when I first attempted to set up SAML with Citrix, so it may be that you either don't have FAS or you have missed a step in the permissions side of the configuration on the Certificate Authority. There has been a recent development in collaboration between Okta and Citrix which I hope will iron out the bugs and hopefully produce a full set of guidelines. Also, we've found one issue when using Okta Mobile where the Receiver app will simply not open ICA files, either using SAML or SWA. Native browsers work, but Okta have confirmed the Okta Mobile app will not process ICA files currently. :(
Oh, and an update on the mention of collaboration with Citrix and Okta... I've heard they are working on hybrid connections so that the native Citrix app will hopefully work off SAML as well and not just the Citrix web app... My hope is that this will progress to deep links passing through from Okta to Citrix apps directly. :)
It is possible using Okta to SAML into any version of Citrix. The solution would use both a SAML OAN and a SWA POST OAN. On the NetScaler you would bind both the SAML policy to Okta and then also bind an LDAP policy to NetScaler. The flow would be that when users try to log in they are first redirected to Okta for the SAML auth, then when that is complete the LDAP login would be presented. Create and bind a response policy that redirects the LDAP login to the Okta POST OAN that will use the existing Okta session and sign the user in. The key is when creating the SAML auth on NetScaler there is an option to enable a second factor; this will use the LDAP policy bound to the VIP. The response policy will call the Okta POST so that the users are not prompted and get an SSO experience, and U/P is provided to StoreFront.
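For readers who want to try the two-factor approach Lee describes, here is an illustrative NetScaler 11 CLI fragment of its pieces: SAML as the primary policy, LDAP as the secondary, and a responder policy that redirects the second-factor prompt to the Okta SWA POST app. This is an added example, not Lee's own configuration and not something from Okta or Citrix. The vserver, certificate, action and policy names, the Okta URLs, the LDAP server address and the bind DN are placeholders, and the responder match expression is an assumption: take the real one from a browser trace of the request your build makes for the second-factor prompt, and keep it narrow enough that it cannot match the very first request to the Gateway, otherwise the redirect fires before the SAML leg and loops. Parameter names are those of the NetScaler 11 CLI; confirm them against the built-in help on your build.

```text
# Certificates: Okta's IdP signing certificate (to verify assertions) and the NetScaler's own
# SAML SP certificate (to sign AuthnRequests). File names are placeholders.
add ssl certKey okta_idp_cert -cert okta_idp.cer
add ssl certKey ns_saml_sp_cert -cert ns_saml_sp.cer -key ns_saml_sp.key

# SAML action/policy: Okta is the IdP, NetScaler Gateway is the SP. -samlTwoFactor ON is the
# "enable a second factor" option referred to above: once the assertion is accepted, the
# secondary authentication policy bound to the vserver runs. With -samlUserField unset the
# user name is taken from the assertion's NameID, so have Okta send the AD sAMAccountName there.
add authentication samlAction okta_saml -samlIdPCertName okta_idp_cert -samlSigningCertName ns_saml_sp_cert -samlRedirectUrl "https://example.okta.com/app/example_ns/exk0000000000000000/sso/saml" -samlIssuerName "https://gateway.example.com" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256 -samlTwoFactor ON
add authentication samlPolicy pol_okta_saml ns_true okta_saml

# LDAP action/policy as the second factor; this is what produces the AD username/password
# that NetScaler Gateway hands to StoreFront. LDAPS only: the user's password transits this link.
add authentication ldapAction ldap_corp -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=corp,DC=example,DC=com" -ldapBindDn "CN=svc_ns_ldap,OU=Service Accounts,DC=corp,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName
add authentication ldapPolicy pol_ldap_corp ns_true ldap_corp

# Bind SAML as the primary and LDAP as the secondary authentication policy on the Gateway vserver.
bind vpn vserver vs_gateway -policy pol_okta_saml -priority 100
bind vpn vserver vs_gateway -policy pol_ldap_corp -priority 100 -secondary

# Responder policy: instead of showing the second-factor form, send the browser to the Okta
# SWA POST app, which replays the user's vaulted AD credentials into the Gateway login form.
# The match below is a PLACEHOLDER (path of the second-factor prompt, plus a Referer from Okta
# as a guard so the rule cannot match a fresh, pre-SAML visit); verify it in a browser trace.
add responder action act_to_okta_post redirect "\"https://example.okta.com/home/example_ns_post/0oa0000000000000000/aln0000000000000000\""
add responder policy pol_to_okta_post "HTTP.REQ.URL.PATH.EQ(\"/vpn/index.html\") && HTTP.REQ.HEADER(\"Referer\").CONTAINS(\"example.okta.com\")" act_to_okta_post
bind vpn vserver vs_gateway -policy pol_to_okta_post -priority 100 -gotoPriorityExpression END -type REQUEST
```

Two things to be clear-eyed about before adopting this. First, the SAML assertion only gates entry to the Gateway; what actually authenticates the user to StoreFront and XenApp is still an AD password, now stored in Okta's SWA vault and replayed by the POST app, so every password-based control (lockout, expiry, reuse) still applies and the vault becomes part of your attack surface. Second, the responder rule is the fragile part: if it ever matches a request that arrives before the SAML exchange, the user bounces between Okta and the Gateway indefinitely, so test it with a clean browser profile. The later replies in this thread move to FAS precisely to avoid relaying a password at all.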
That's an interesting method Lee, and would likely help those who are stuck on 7.6 versions. I'd still recommend upgrading to at least 7.9 (tested also on 7.10 and 7.12 successfully), as then you only need the one authentication source, being SAML to Okta. There is another method for SAML direct to StoreFront now but it's only for internal and I've not tested it to see if it works with the external method in place as well. Carl Stalhood has some great articles on this on the Citrix user group pages.
I've got SAML working on the NetScaler; it's passing the user through to the StoreFront correctly. The user's provisioned apps are displayed properly. At this point, when a user clicks on a published app, the Windows login screen of our app server pops up. It eventually times out and fails to launch. It's as if the DC or VDA server isn't recognizing the authenticated user. If I provide the credentials manually the app launches. Has anyone else experienced this?
SAML on NetScaler > StoreFront > Delivery Controller > VDA Servers
I've seen this (AD Agent Sept 22); I'm trying to recall the issue but I do know I found out why from the Windows logs. The issue was on the authentication to the VDAs... possibly an issue with the permissions configured on the FAS servers. What version are you using for XenApp/Desktop, and are there any errors in the Windows logs of the VDAs or FAS servers?
I spoke with Citrix support and we had to enable a Group Policy setting on the client PC to enable 'Allow pass-through authentication for all ICA connections' to get this working. This isn't a suitable solution as we are not controlling all of the devices that access our Citrix portal. Some are personal PCs, Macs, iPads, etc. It seems as though the StoreFront doesn't retain the SAML token from the NetScaler and can't pass it to the VDA server. They get around this by using pass-through authentication. The SAML authentication is pointless in our setup. Maybe I'm missing something here. Can this be accomplished some other way? I would like the Citrix portal / NetScaler secured by Okta so I can easily implement MFA.
I was able to resolve the issue by installing FAS. I was under the impression that this wasn't needed in the later releases. I followed this article; it looks worse than it is. http://www.carlstalhood.com/citrix-federated-authentication-service-saml/ SSO is functioning properly now all the way down to the VDA servers. Thanks!
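Since several replies above turn on FAS being present and wired up (the "Windows login screen pops up when launching an app" symptom is what a store without FAS produces), here is the StoreFront-side enablement together with two checks that catch the common misconfigurations. This is an added example, not code from the thread, from Carl Stalhood's article or from Citrix; the cmdlets and registry path are the ones Citrix documents for FAS, while the store path /Citrix/Store and the FAS server name fas01.corp.example.com are assumed placeholders. Run it on the StoreFront server as an administrator.

```powershell
# Added example, not from the thread or from Citrix's own scripts. Assumes the store is at
# /Citrix/Store and the FAS server is fas01.corp.example.com; change both for your environment.
$StoreVirtualPath  = "/Citrix/Store"
$ExpectedFasServer = "fas01.corp.example.com"

# 1. Point the store's authentication service at FAS and launch sessions with the FAS logon
#    data provider. Without this the SAML identity stops at StoreFront and the VDA, having no
#    password and no certificate to log the user on with, shows a Windows logon prompt.
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth  = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

# 2. Confirm the FAS address group policy has applied on this host. StoreFront, the Delivery
#    Controllers and every VDA must all carry the same FAS server list; a VDA missing it is
#    exactly the box that falls back to the interactive logon screen.
$FasPolicyKey = "HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses"
if (-not (Test-Path $FasPolicyKey)) {
    Write-Warning "FAS address policy not present on $env:COMPUTERNAME; apply the Citrix FAS GPO and run gpupdate /force."
} else {
    $addresses = (Get-ItemProperty -Path $FasPolicyKey).PSObject.Properties |
        Where-Object { $_.Name -like "Address*" } |
        ForEach-Object { $_.Value }
    if ($addresses -notcontains $ExpectedFasServer) {
        Write-Warning "FAS policy lists [$($addresses -join ', ')] but expected $ExpectedFasServer."
    } else {
        Write-Output "FAS server list OK: $($addresses -join ', ')"
    }
}

# 3. StoreFront and the VDAs call the FAS server over HTTP on TCP/80 by default; a firewall
#    between them produces the same launch-time failure as a missing policy.
$reach = Test-NetConnection -ComputerName $ExpectedFasServer -Port 80
if (-not $reach.TcpTestSucceeded) {
    Write-Warning "Cannot reach $ExpectedFasServer on TCP/80 from $env:COMPUTERNAME."
}
```

To back the store out again, set the claims factory to "standardClaimsFactory" and the VDA logon data provider to an empty string with the same two cmdlets. On the "secure this side down heavily" point made earlier in the thread: the FAS server holds a registration-authority certificate with which it can obtain a logon certificate for any user its rule permits, so treat it like a domain controller. Restrict the FAS rule's permitted StoreFront servers, VDAs and users to exactly the machines and groups involved, limit enrollment on the Citrix_RegistrationAuthority and Citrix_SmartcardLogon templates to the FAS server's machine account, and watch the CA's issued-certificates log for logon certificates you did not expect.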