Citrix Gateway and Google OAuth (Updated and Easier!)

I have written about this before, in fact several times, but recently I was put in touch with someone who was having trouble getting their Citrix Gateway to authenticate against Google. The last time I wrote it up the setup was fairly involved, with content switching and load balancer offload needed to make it all work. The reason for re-posting is that things have become much simpler, and in the world of ADC that is always a good thing!

This post shows how to set up your Citrix Gateway to use Google as the identity provider with as little configuration as possible, and will hopefully act as a point of reference for the many people who have asked me about configuring this in their environment.

This post assumes that you already have Citrix Federated Authentication Service (FAS) set up and working, and that you have a Citrix Gateway built and configured with some form of external authentication. Google only proves who the user is; FAS is what turns that identity into a Windows logon for the session, so if either of these is missing you will need them before you continue.

The external FQDN for my gateway in my lab is workspace.bretty.me.uk so we will be using that as the external entry point for the remainder of this post.

The first thing you need to do is create a Google OAuth 2.0 Client ID so that the gateway can hand authentication off to Google. Head over to the Google API Console and log in with your Google credentials.


Set up the OAuth Consent Screen by clicking the link on the left. This is what users see when Google asks them to sign in on behalf of the ADC, so first give it a sensible name


Set the user type to either Internal (only accounts in your own Google Workspace organisation can sign in) or External, depending on your organisation's needs, then add the domain your gateway lives under as an authorised domain. In my case that's bretty.me.uk


Next click on Credentials on the left and add a new OAuth 2.0 Client ID of type Web application. Give it a name


Then add the Authorised JavaScript origins and Authorised redirect URIs as shown below. The JavaScript origin is the external URL of your gateway (https://yourgateway.domain.com) and the authorised redirect is the same URL with /oauth/login on the end, which is the path the ADC listens on for the OAuth callback. Google matches the redirect URI exactly (scheme, host and path, with no trailing slash), so type it precisely: a mismatch shows up as a redirect_uri_mismatch error from Google at sign-in time rather than as anything on the ADC.


Click Create. This gives you a Client ID and a Client Secret; save both, as you will need them later when we create the OAuth action on the ADC. The secret is a credential that lets anyone holding it impersonate your gateway to Google, so keep it out of tickets and chat, and rotate it if it ever leaks.


Once done you will see your new OAuth 2.0 Client ID listed. That's it on the Google side.


Next is to configure the ADC. Log into your ADC and head over to the advanced authentication actions (Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > OAUTH)


Click to create a new OAuth Server and paste your Client ID and Secret into the fields provided. You will also need to fill in the following endpoints, substituting your own Client ID where YOUR_CLIENT_ID appears:

Authorization Endpoint: https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email

Token Endpoint: https://accounts.google.com/o/oauth2/token

ID Token Decrypt Endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo

The authorization endpoint is where the ADC sends the user's browser to sign in; the scope openid email asks Google for an ID token that carries the user's email address, which is the identity the gateway passes on. The token endpoint is where the ADC itself (not the browser) exchanges the returned authorization code for tokens using the client secret, and the tokeninfo endpoint is what the ADC uses to validate the ID token it gets back. These are Google's older endpoint paths and still work; if you want to confirm the current ones, Google publishes them in its OpenID Connect discovery document at https://accounts.google.com/.well-known/openid-configuration.

Once you have created the OAuth Server head to the Advanced Authentication Policies


Here you can create a new policy and link it to your new OAuth Server. The policy expression decides which requests are sent to Google; if every user of this gateway should sign in with Google, the expression is simply true


Next you need to create a new AAA Virtual Server to offload authentication to so head over to create a new one


Click to add a new Virtual Server, give it a name and make it Non Addressable (we don't need an IP here as the ADC hands the authentication traffic over to it internally). You will also have to bind a certificate, and the obvious choice is the same one you have on your gateway, since the authentication host we set later is the gateway's own FQDN; an SSL virtual server with no certificate bound will not come UP.

When it asks about Authentication Policies you will want to bind your new Advanced Authentication Policy you created earlier


Once done you will see your new AAA Virtual Server listed in an "UP" state


Next we will be creating a new Authentication Profile to bind to your Citrix Gateway


Click to create a new Authentication Profile, give it a name, put your external FQDN as the authentication host and select your new AAA Virtual Server. The authentication host must be the same host name you used in the redirect URI on the Google side (here workspace.bretty.me.uk), because that is the host the ADC uses when it builds the redirect URI it sends to Google.


Click OK to create the new Authentication Profile. Finally, open up your Citrix Gateway, unbind ALL of the Basic Authentication Policies and bind your new Authentication Profile. Check that nothing is left bound under Basic Authentication before you test.
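For anyone who prefers the command line, or wants to diff the result against what the GUI produced, here is the whole ADC-side procedure from this post as NetScaler CLI commands. This is an added example and not configuration from the original post: the object names (google_oauth_act, google_oauth_pol, aaa_google_vs, google_authnprof), the certificate key name workspace_certkey, the gateway virtual server name gw_workspace and the placeholder name of the basic policy being unbound are all assumptions, and the CLIENT_ID and CLIENT_SECRET placeholders must be replaced with the values Google gave you.

```nscli
add authentication OAuthAction google_oauth_act -clientID "<CLIENT_ID>" -clientSecret "<CLIENT_SECRET>" -authorizationEndpoint "https://accounts.google.com/o/oauth2/auth?client_id=<CLIENT_ID>&response_type=code&scope=openid%20email" -tokenEndpoint "https://accounts.google.com/o/oauth2/token" -idtokenDecryptEndpoint "https://www.googleapis.com/oauth2/v1/tokeninfo"

add authentication Policy google_oauth_pol -rule true -action google_oauth_act

add authentication vserver aaa_google_vs SSL 0.0.0.0
bind ssl vserver aaa_google_vs -certkeyName workspace_certkey
bind authentication vserver aaa_google_vs -policy google_oauth_pol -priority 100 -gotoPriorityExpression NEXT

add authentication authnProfile google_authnprof -authnVsName aaa_google_vs -AuthenticationHost workspace.bretty.me.uk

unbind vpn vserver gw_workspace -policy <EXISTING_BASIC_AUTH_POLICY>
set vpn vserver gw_workspace -authnProfile google_authnprof

show authentication OAuthAction google_oauth_act
show authentication vserver aaa_google_vs
show vpn vserver gw_workspace
save ns config
```

The 0.0.0.0 address on the AAA virtual server is what makes it non-addressable. The three show commands at the end are the check: the OAuth action should list the three Google endpoints, the AAA virtual server should report State: UP (it stays DOWN until a certificate is bound), and the gateway virtual server should show the authentication profile and no remaining basic authentication policy bindings. The client secret is written into ns.conf by the first command, so treat configuration backups as sensitive once this is in place.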


That's it! No Content Switching policies, no virtual server offload: you are now set up to use Google as the IdP for your Citrix Gateway.

Here is a video of it in action.

Thanks for reading!

Dave

One thought on “Citrix Gateway and Google OAuth (Updated and Easier!)”

  1. Dave Hood

    This is fantastic Dave – many thanks for your hard work. I’ve pretty much got it all going thanks to your guide.

    Couple of qs:

    1. One thing I noticed was that when I sign into the gateway website, then connect, launch an app etc. and log out (closing the browser), when I go back to http://www.blahdeblah.com it automatically signs me in without prompting for the Google ID again. The only way to get the login prompt again is to clear the cookies in the browser. Is there any way to get it to re-prompt every time? Maybe that's in the Google settings, I suppose....

    2. Do you know if this works with Receiver/Workspace?
