I have written about this before, in fact many times, but recently I was put in touch with someone who was having issues getting their Citrix Gateway working with Google for authentication. The last time I wrote about this it was a pretty complicated thing to get set up and running properly, with all the content switching and load balancer offloading required. The reason I wanted to re-post about this is that things have got much easier, and in the world of ADC that is always a good thing!
What this post will show you is how to “easily” set up your Citrix Gateway to use Google as the identity provider and will hopefully act as a point of reference for the many who have asked me about configuring this in their environment.
This post assumes that you have already got Citrix Federated Authentication set up and running properly and that you have a Citrix Gateway built and configured with some form of external authentication. If you don’t have these in place then you will need them before you continue here.
The external FQDN for my gateway in my lab is workspace.bretty.me.uk so we will be using that as the external entry point for the remainder of this post.
The first thing you will need to do is create a Google OAuth 2.0 Client ID to allow your gateway to offload authentication. Head over to the Google API Console and log in with your Google Credentials.
Set up the OAuth Consent Screen by clicking on the link on the left. You need to configure this to allow the ADC to offload authentication. First give it a name.
Set the scope to either internal or external depending on your organisation's needs, then add the top level domain that you will be sending the requests from. In my case that's bretty.me.uk.
Next click on Credentials on the left and click to add a new OAuth 2.0 Client ID. Give it a name.
Click on Create. This will give you a Client ID and Secret; make sure you save these, as you will need them later on when we create the OAuth policy on the ADC.
Once done you will see your new OAuth 2.0 Client ID created. That's it on the Google side.
Next is to configure the ADC. Log into your ADC and head over to the Advanced Authentication Actions.
Click to create a new OAuth Server and paste your Client ID and Secret into the fields provided. You will also need to fill out the following details, substituting your own Client ID where applicable.
Authorization Endpoint: https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email
Token Endpoint: https://accounts.google.com/o/oauth2/token
ID Token Decrypt Endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
Once you have created the OAuth Server, head to the Advanced Authentication Policies.
Here you can create a new policy and link it to your new OAuth Server.
Next you need to create a new AAA Virtual Server to offload authentication to, so head over to create a new one.
Click to add a new Virtual Server, give it a name and make it Non Addressable (we don't need an IP here as the ADC will handle the traffic flow). You will also have to bind the same certificate you have on your gateway to the AAA Virtual Server.
When it asks about Authentication Policies, bind the new Advanced Authentication Policy you created earlier.
Once done you will see your new AAA Virtual Server created and in an "UP" state.
Next we will be creating a new Authentication Profile to bind to your Citrix Gateway.
Click to create a new Authentication Profile, give it a name, put your external FQDN as the authentication host and select your new AAA Virtual Server.
Click OK to create the new Authentication Profile. Finally, open up your Citrix Gateway, unbind ALL Basic Authentication Policies and bind your new Authentication Profile.
That's it! No Content Switching Policies, no Virtual Server Offload; you are now set up to use Google as your IDP for your Citrix Gateway.
Here is a video of it in action.
Thanks for reading!