Whilst attending Citrix Synergy this year and chatting to some of my colleagues I got involved in a conversation around using your Google or Gmail account to log into your Citrix Unified Gateway and then being able to launch your Apps and Desktops without having to sign into AD and just using your Google account. This really sparked an interest with me so I decided to build it out in my lab.
I was shown this article by Eric from xenappblog.com and I have to say – it’s great! It does however use XenApp 6.5 for the Kerberos Constrained Delegation (KCD). This was an issue for me as I don’t run XenApp 6.5 in my lab and didn’t really want to spin up a new environment just to test.
Welcome Federated Authentication Service for XenApp and XenDesktop!
With the release of XenDesktop 7.9 Citrix have introduced the ability to use federation with XenApp and XenDesktop. If you want more information on it read this post
So, the purpose of this post is to walk you through the process of setting up XenDesktop 7.9 and Federated Authentication Services to allow access to your Apps and Desktops using your Google Account.
My Setup
I have added an additional URL for the specific purpose of giving to customers who wish to use Google to sign into my gateway. The existing URL for regular access will remain the same.
- ug.bretty.me.uk – normal access to Unified Gateway
- login.bretty.me.uk – Google account access to Unified Gateway
I am going to use content switching policies to define where the user goes based on URL, but more on that later.
Google Setup
The first thing you will need to do is set up a Google API to allow access to the Google oAuth system from your NetScaler.
Head over to https://console.developers.google.com/apis and sign in with your Google account
Select Credentials and then create a new OAuth client ID
Select Web application, give it a name and enter the JavaScript Origin and redirect URLs as shown below. NOTE: This will be the URL that you are going to give your users to access the Unified Gateway using their Google credentials
Click create and Google will go ahead and create your new oAuth Client, it will display the Client ID and Client Secret – copy these into a text file as you will need them later on!
The Google oAuth Policy on Citrix NetScaler
You will now need to instruct the NetScaler to authenticate you with the Google oAuth Services. Log into your NetScaler and navigate to Security – AAA Application Traffic – Policies – Authentication – Basic Policies – OAuth
Click Add to insert a new policy
Give the policy a name, fill out your Client ID and Client Secret you saved earlier and enter the following information in the Authorization Endpoint, Token Endpoint and ID Token Decrypt Endpoint fields
Authorization Endpoint: https://accounts.google.com/o/oauth2/auth?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid%20email
Token Endpoint: https://accounts.google.com/o/oauth2/token
ID Token Decrypt Endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
Click ok to create the policy
Next navigate to Security – AAA Application Traffic – Policies – Authentication – Advanced Policies – Policy and click add to insert your new policy
Give your policy a name, set the action type to OAUTH and select your new action from the drop down list. For the expression, type in true
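The identity that reaches the Gateway from this flow is only as trustworthy as the checks made on the ID token's claims. The sketch below is an added illustration, not NetScaler's code and not part of the original post: it shows the standard OpenID Connect claim checks for a Google ID token requested with the `openid email` scope. It assumes the token's signature has already been verified; the sample claims are constructed and `allowed_domains` is a hypothetical optional policy.

```python
import time

# Issuer strings Google uses in its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_id_token_claims(claims, client_id, now=None, allowed_domains=None):
    """Return the reasons to reject; an empty list means accept.

    `claims` is the decoded JSON payload of an ID token whose signature
    was already verified (an assumption of this example).
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not Google")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not match our client ID")
    try:
        expired = float(claims.get("exp", 0)) <= now
    except (TypeError, ValueError):
        expired = True
    if expired:
        problems.append("token expired or exp missing")
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        problems.append("email claim missing or malformed")
    # Accept the boolean True or the string "true" for the flag.
    elif str(claims.get("email_verified")).lower() != "true":
        problems.append("email not verified by Google")
    elif allowed_domains is not None:
        if email.rsplit("@", 1)[1].lower() not in allowed_domains:
            problems.append("email domain not allowed")
    return problems


# Constructed sample claims (not real tokens).
CLIENT_ID = "YOUR_CLIENT_ID"
NOW = 1_465_000_000
GOOD = {"iss": "accounts.google.com", "aud": CLIENT_ID, "exp": NOW + 3600,
        "email": "user@example.com", "email_verified": True}
OTHER_APP = dict(GOOD, aud="some-other-client-id")
STALE = dict(GOOD, exp=NOW - 1)
UNVERIFIED = dict(GOOD, email_verified=False)
```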
The AAA vServer
Next you will need to bind your new policy to an AAA vServer for authentication. This is where we will pass the incoming requests for login.bretty.me.uk for authentication, then hand them back to the NetScaler Unified Gateway from there.
Navigate to Security – AAA Application Traffic – Virtual Servers and Add a new Virtual Server
Give your Virtual Server a name, a free IP Address and assign the relevant certificate for the domain you are going to give your users (login.bretty.me.uk). Then add an Advanced Authentication Policy and select your new Google oAuth Policy.
We now need to create a Load Balancing vServer to act as a pass through for the Content Switch and AAA vServer.
The Load Balancing vServer
Navigate to Traffic Management – Load Balancing – Virtual Servers and click Add to configure your new Virtual Server.
Give your vServer a name and a free IP Address, assign the same certificate that you gave to your AAA vServer and bind it to an “Always Up” Service. Essentially this is a service configured on the NetScaler that will not go down. Just define a new service on the NetScaler to ping itself (127.0.0.1)
You now need to add your Authentication vServer to the Load Balancing vServer. Add Authentication from the options on the right hand side of the screen and select form based authentication.
Fill out auth.h.1 as the Authentication FQDN, select Authentication Virtual Server from the drop down and select your AAA vServer from the list provided
The final thing you will need to do is add a responder policy to the vServer to forward you to the vpn login page. This is because after authentication from Google you will be passed back to the root of the vServer and you want to forward the user to the NetScaler Gateway with the AAA credentials for SSO.
Click Policies and click on Add. Select Responder from the list, give the policy a name and click the + to add an action.
Give the action a name, the type will be Redirect and the expression will be the following:
"https://YOUR_URL_FOR_LOGIN/vpn/index.html"
Set the Response Status Code to 302 and click on OK. This will take you back to the policy screen
For the policy Expression enter the following:
http.req.url.eq("/")
Click ok and that’s it for the vServer.
Bind the vServer to the AAA vServer
Navigate to Security – AAA Application Traffic – Virtual Servers and open up your AAA vServer
Scroll down until you see Form Based Virtual Servers and ensure that your vServer is listed there, if it is not then bind it to the AAA Server
Content Switching Policies
At this stage you have your Google Authentication Provider set up, your AAA vServer and Load Balancing vServer set up and linked and your responder policy to forward your users to the NetScaler Gateway once authenticated. You now need to set up your Content Switching Policies to direct the traffic the way you want.
This is what I am trying to achieve.
- If a user types in ug.bretty.me.uk then go straight to my NetScaler Gateway
- If the url hitting the Content Switch contains any of the AAA Traffic, “/cvpn” in the URL or “/citrix” in the URL then direct them to the NetScaler Gateway
- If a user types in login.bretty.me.uk then go to my Load Balanced vServer (AAA Auth vServer is attached to this – and will redirect to Google for authentication)
I am going to achieve this by using 2 Content Switching policies and a Default vServer on the Content Switch.
Navigate to Traffic Management – Content Switching – Actions and create an action to redirect traffic to your NetScaler Gateway
Navigate to Traffic Management – Content Switching – Policies
Create a policy with the following expression:
HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cvpn") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/citrix") || HTTP.REQ.URL.CONTAINS_ANY("aaa_path") || HTTP.REQ.HOSTNAME.CONTAINS("ug.bretty.me.uk")
Substitute your URLs in place of mine
Bind this policy to your action you created in the previous step.
Next open up your Content Switch and locate the Content Switching Policy Binding section.
Bind your policy as a priority of 100
Set your Load Balancing vServer as the Default Load Balancing Virtual Server
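To check the routing before binding anything, the policy expression and default vServer above can be modelled offline. This is an added example, not code from the original post or from Citrix: `AAA_PATH` is an assumed stand-in for NetScaler's built-in aaa_path pattern set (its real contents are not shown in the post), hostname matching is assumed to be case-insensitive, and the sample requests in the comments are constructed.

```python
# Assumed stand-in for the built-in "aaa_path" pattern set; the real
# entries are not listed in the post.
AAA_PATH = ("/nf/auth/", "/logon/", "/vpn/")

GATEWAY = "NetScaler Gateway"
GOOGLE_LB = "Load Balancing vServer (Google OAuth via AAA)"


def gateway_policy(host, url, gateway_host="ug.bretty.me.uk"):
    """Mirror of the priority-100 policy expression from the post."""
    # HTTP.REQ.URL.PATH drops the query string; IGNORECASE lowers it.
    path = url.split("?", 1)[0].lower()
    return (path.startswith("/cvpn")
            or path.startswith("/citrix")
            # HTTP.REQ.URL.CONTAINS_ANY: substring test on the whole URL.
            or any(pattern in url for pattern in AAA_PATH)
            # HOSTNAME.CONTAINS is a substring test, not an exact match,
            # so "ug.bretty.me.uk:443" also matches.
            or gateway_host in host.lower())


def route(host, url):
    """Policy hit goes to the Gateway action, anything else to the
    default Load Balancing vServer."""
    return GATEWAY if gateway_policy(host, url) else GOOGLE_LB


def routing_table(requests):
    """Return (host, url, target) rows for a list of (host, url) pairs."""
    return [(host, url, route(host, url)) for host, url in requests]


# Constructed sample requests:
#   ("ug.bretty.me.uk", "/")                    -> Gateway
#   ("login.bretty.me.uk", "/")                 -> Google LB vServer
#   ("login.bretty.me.uk", "/vpn/index.html")   -> Gateway (after redirect)
#   ("login.bretty.me.uk", "/Citrix/StoreWeb/") -> Gateway (case ignored)
```

Only a request for login.bretty.me.uk that matches none of the path rules falls through to the Google-authenticated vServer; everything else is handled by the Gateway.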
Unbind the SSO Domain in the NetScaler Gateway Session Policy
Locate the Web session policy assigned to your NetScaler Gateway and under the published applications tab, remove the SSO Domain name
At this point your NetScaler should be configured to direct the traffic for ug.bretty.me.uk and login.bretty.me.uk to different login providers. Let’s test that.
ug.bretty.me.uk
login.bretty.me.uk
Looking good. So, let’s move on to configuring StoreFront (needs to be version 3.6)
StoreFront Configuration
The first thing you will need to do is set the StoreFront to accept incoming connections from your new NetScaler (URL)
Click on Manage NetScaler Gateways and add a new gateway for your Google URL (login.bretty.me.uk)
Make sure you add a callback URL for the gateway
Then enable remote access to your store from your new NetScaler
Next you will have to enable Smart Card authentication to your store. Click on Manage Authentication Methods and enable Smart Card
Next under the options for Pass Through from NetScaler Gateway select Configure Delegated Authentication
Select to Fully Delegate Credential Validation to NetScaler Gateway
Finally you need to enable Smart Card authentication on your Receiver for Web site. Configure your site you are using for Unified Gateway and select to allow Smart Card Authentication
That’s StoreFront configured. The final piece is to configure the Citrix Federated Authentication Service to allow for federated authentication to the XenDesktop Delivery Groups for SSO.
Citrix Federated Authentication Service
I am not going to re-invent the wheel here as I think Citrix have done a great job in documenting this install procedure! The install is relatively simple and quick to complete.
You can find the install guide here:
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/secure/federated-authentication-service.html
Once complete you should see the following screen(s)
Once this is done it’s time to test!!
Direct to ug.bretty.me.uk
First let’s check we are NOT signed into Google
No – ok, let’s log into the Unified Gateway using the ug.bretty.me.uk URL
Once Logged in we can navigate to our apps and desktops
Quickly check that we have not been signed into Google
No, ok, let’s launch a desktop
That’s great – our original NetScaler Unified Gateway is working as expected. Now let’s test with Google as an authentication method.
Using login.bretty.me.uk
First let’s make sure we are not signed into Google
Then I type login.bretty.me.uk into my browser and I am redirected here
Once I sign in the token is handed back to the NetScaler and I am presented with this
If I refresh my Google page you will see that I am now signed into my Google Account
If I click on clientless access StoreFront will enumerate my apps and desktops for me
Let’s launch a desktop
Excellent – all working. I have logged into the Unified Gateway using my Google account and been signed into StoreFront and my desktop using Federated Services.
To ensure it is doing what I think it is, I have logged out of my desktop but left myself logged into Unified Gateway.
I am going to Stop the Citrix Federated Authentication Service and try to re-launch the desktop.
Desktop unable to launch
And that’s it. How to log into your NetScaler Unified Gateway with your Google Credentials and SSO to your Apps and Desktops.
Hope this helps some of you out.
Laters,
b@m
Thanks for this! Very useful!
No problem Lee
Hi Dave
Just got this working in my lab – thanks for taking the time to write and share this.
Darren
Pleasure mate, glad it helped you out a little!
Thanks for this write up. I am having one issue with it. After I set this up and I login (via google) I get “Error trying to validate Access Token.” Any thoughts on where to troubleshoot this issue?
What did you need to do to the Gateway. I just get redirected to a login page of my gateway after google auth.
Hi Dave,
This is what I am looking for and thanks for sharing!!
I would like to try it with a different identity provider (like ADFS or SecureAuth) other than Google. Any thoughts on this?
Regards,
Shrikant
I have a blog series up already on ADFS. Should be able to follow that on here.
Thanks for the reply.
The blog series you mentioned mainly targets SAML authentication and I’m looking for OAuth authentication with NetScaler (where ADFS should be the identity provider).