Previous Articles in this series
Part 2 – Citrix FAS and StoreFront
Part 3 of this blog series walks you through setting up your NetScaler Gateway authentication policies to hand off authentication to ADFS, as well as setting up the NetScaler as an ADFS Proxy and binding this to your externally facing Content Switch.
SAML Authentication Policies
You will need to create a SAML Authentication Policy to bind to your NetScaler Gateway in order to hand off authentication to your ADFS Service.
Head to Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML
Select the Servers tab and click to Add your new SAML Server
Set up your SAML Server as shown below
NOTES
- The IDP Certificate Name and Signing Certificate Name are used because we replaced the Token Signing and Token Decrypting certificates when setting up ADFS in Part 1 of this series
- The Redirect and Logout URL use the EXTERNAL FQDN of my ADFS Service with /adfs/ls/ tagged onto the end of the URL
- Issuer Name: this must be listed as a relying party identifier in ADFS. If it is not listed, SAML will not work and the authentication process will fail.
ADFS Signing Certificates
Relying Party
Click the MORE option before closing the SAML Server and check that the Signature Algorithm and Digest Method are set to SHA-256
Once you have the SAML Server defined, create your SAML Policy with the expression ns_true and select the SAML Server you just created
Finally, open up the non-addressable NetScaler Gateway VPN vServer that sits behind your Unified Gateway Content Switch, remove the LDAPS Authentication Policy bound there and bind the SAML Policy you have just created
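The settings above end up in ns.conf as an `add authentication samlAction` line. The following is an added example, not code from the post or from Citrix: it parses samlAction lines out of a constructed ns.conf fragment and checks them against what this part of the series calls for (IdP and signing certificate names set, redirect and logout URL on the external ADFS FQDN under /adfs/ls/, an issuer name set, and RSA-SHA256 / SHA256 for the signature algorithm and digest method). The check that `samlRejectUnsignedAssertion` is not OFF is an addition the post does not mention. The certificate names, the `saml_weak` action and the `/cgi/samlauth`-style details are constructed for the example.

```python
"""Audit NetScaler samlAction lines against the SAML settings used in this post."""
import shlex
from urllib.parse import urlparse

# Constructed sample ns.conf lines: one action that follows the post's guidance
# and one that does not. Not taken from the post or from a real appliance.
SAMPLE_NS_CONF = """\
add authentication samlAction saml_adfs -samlIdPCertName adfs_token_signing -samlSigningCertName wildcard_bretty -samlRedirectUrl "https://sts.bretty.me.uk/adfs/ls/" -samlUserField userPrincipalName -samlIssuerName "https://ug.bretty.me.uk" -signatureAlg RSA-SHA256 -digestMethod SHA256 -logoutURL "https://sts.bretty.me.uk/adfs/ls/"
add authentication samlAction saml_weak -samlIdPCertName adfs_token_signing -samlRedirectUrl "http://sts.bretty.me.uk/adfs/ls" -signatureAlg RSA-SHA1 -digestMethod SHA1 -samlRejectUnsignedAssertion OFF
add authentication samlPolicy saml_pol -rule ns_true -reqAction saml_adfs
"""

EXTERNAL_ADFS_FQDN = "sts.bretty.me.uk"  # external ADFS FQDN used in the post
ADFS_LS_PATH = "/adfs/ls/"


def parse_saml_actions(conf_text):
    """Return {action_name: {option: value}} for every samlAction line.

    Option names are lower-cased because the NetScaler CLI is
    case-insensitive on them (-logoutURL vs -logouturl).
    """
    actions = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)  # handles the quoted URL values
        if len(tokens) < 4 or tokens[:3] != ["add", "authentication", "samlAction"]:
            continue
        name, rest = tokens[3], tokens[4:]
        opts = {}
        i = 0
        while i < len(rest):
            # Every samlAction option takes the form "-name value".
            if rest[i].startswith("-") and i + 1 < len(rest):
                opts[rest[i][1:].lower()] = rest[i + 1]
                i += 2
            else:
                i += 1
        actions[name] = opts
    return actions


def _check_adfs_url(opts, key, findings):
    """Redirect/logout URL must be https, on the external FQDN, under /adfs/ls/."""
    url = opts.get(key.lower())
    if not url:
        findings.append(f"{key} not set")
        return
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"{key} is not https: {url}")
    if parsed.hostname != EXTERNAL_ADFS_FQDN:
        findings.append(f"{key} host {parsed.hostname!r} is not the external ADFS FQDN")
    if parsed.path != ADFS_LS_PATH:
        findings.append(f"{key} path {parsed.path!r} should be {ADFS_LS_PATH!r}")


def audit_saml_action(opts):
    """Return a list of findings (empty means the action matches the post)."""
    findings = []
    for key in ("samlIdPCertName", "samlSigningCertName", "samlIssuerName"):
        if not opts.get(key.lower()):
            findings.append(f"{key} not set")
    _check_adfs_url(opts, "samlRedirectUrl", findings)
    _check_adfs_url(opts, "logoutURL", findings)
    if opts.get("signaturealg") != "RSA-SHA256":
        findings.append("signatureAlg should be RSA-SHA256")
    if opts.get("digestmethod") != "SHA256":
        findings.append("digestMethod should be SHA256")
    # Added check, not from the post: never accept unsigned assertions from the IdP.
    if opts.get("samlrejectunsignedassertion", "ON").upper() == "OFF":
        findings.append("samlRejectUnsignedAssertion is OFF")
    return findings


def audit_ns_conf(conf_text):
    """Audit every samlAction in an ns.conf text; returns {name: [findings]}."""
    return {name: audit_saml_action(opts) for name, opts in parse_saml_actions(conf_text).items()}


if __name__ == "__main__":
    for action_name, action_findings in audit_ns_conf(SAMPLE_NS_CONF).items():
        print(action_name, "OK" if not action_findings else "")
        for finding in action_findings:
            print("  -", finding)
```

Run it against a saved copy of ns.conf (`show ns runningConfig` output works too) to confirm the SAML action still matches the settings in the screenshots after any later change on the appliance.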
ADFS Proxy
So we now want the NetScaler to act as a proxy server for all inbound ADFS traffic. Once again the Citrix Community came through on this, and my friend Eric from XenApp Blog had already written a great post on configuring the NetScaler as an ADFS Proxy, including a monitor that works!
http://xenappblog.com/2016/netscaler-adfs-proxy/
Once you have followed Eric’s post you should end up with a working ADFS vServer on your NetScaler
This vServer should have two Rewrite policies bound to it, as per the post
You should also have a Content Switching policy that sends all inbound traffic for your external ADFS URL (sts.bretty.me.uk), or for any external URL with /adfs in the path, to your internal ADFS vServer
At this point you have the following in place:
- Internal ADFS Service
- Relying Party to handle the handover from NetScaler Gateway
- ADFS Proxy Configured and working
- External FQDN for ADFS
- Internal FQDN for ADFS
- NetScaler Gateway SAML Policy Bound to Gateway
- Citrix FAS Implemented and working
Testing External Access
You can now get to your ADFS Service using its external URL (in my case sts.bretty.me.uk)
If you go to the external FQDN of your Unified Gateway (in my case ug.bretty.me.uk) it will redirect you to your ADFS Proxy. You should be able to sign in using your UPN, and ADFS will pass you back to the Unified Gateway as an authenticated user
From here you can access your Apps and Desktops and Launch assigned resources
If you want to check that Citrix FAS is working as expected, open up the Certificate Authority and check the issued certificates
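The redirect from the Unified Gateway to the ADFS Proxy described above carries a SAML AuthnRequest in the HTTP-Redirect binding, and decoding it is the quickest way to confirm that the Issuer the NetScaler sends is the identifier configured on the ADFS relying party trust (the mismatch case that makes SAML fail outright). The following is an added example, not code from the post or from Citrix: it builds such a request for the post's FQDNs, wraps it the way the redirect binding does (raw DEFLATE, base64, URL-encode), and decodes it back. The assertion consumer path `/cgi/samlauth` and the relay state value are assumptions for the example; a gateway with a signing certificate also appends SigAlg and Signature parameters, which the decoder here ignores.

```python
"""Build and decode a SAML 2.0 AuthnRequest in the HTTP-Redirect binding."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values: the post's gateway and external ADFS FQDNs, plus the
# assertion consumer path (assumed here to be /cgi/samlauth on the gateway).
GATEWAY_ISSUER = "https://ug.bretty.me.uk"
GATEWAY_ACS_URL = "https://ug.bretty.me.uk/cgi/samlauth"
ADFS_LS_URL = "https://sts.bretty.me.uk/adfs/ls/"


def build_authn_request(issuer, acs_url, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest as the service provider (the gateway) sends it."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.

    SigAlg/Signature, which a gateway with a signing certificate adds, are omitted.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_saml_request(url):
    """Pull the AuthnRequest fields out of a captured /adfs/ls/ redirect URL."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    return {
        "destination": url.split("?", 1)[0],
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def issuer_matches_relying_party(url, relying_party_identifiers):
    """True when the Issuer in the redirect is one of the identifiers on the
    ADFS relying party trust; a False here is the 'SAML will not work' case."""
    return decode_saml_request(url)["issuer"] in set(relying_party_identifiers)


if __name__ == "__main__":
    redirect = redirect_binding_url(
        ADFS_LS_URL, build_authn_request(GATEWAY_ISSUER, GATEWAY_ACS_URL), relay_state="/"
    )
    print(decode_saml_request(redirect))
    print("issuer listed on relying party:", issuer_matches_relying_party(redirect, [GATEWAY_ISSUER]))
```

To check a live setup, copy the Location header of the 302 the gateway returns (browser developer tools or a Fiddler trace) into `decode_saml_request` and compare the issuer and destination with the relying party identifier and the /adfs/ls/ URL configured earlier.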
Testing Internal Access
Ensure that you have set up an internal DNS record pointing your NetScaler Unified Gateway name to the internal IP address of your Content Switch
Once you have that in place you should be able to go to the FQDN of your NetScaler Unified Gateway internally. This will in turn hand you off to ADFS internally, authenticate you, and pass you back to the Unified Gateway, which will display your apps and desktops
When connecting internally, your ADFS Service will more than likely prompt you for credentials
Just authenticate here with your domain credentials
We will sort this out later in the series when dealing with context aware authentication
ADFS will then hand you back to your Unified Gateway and you can get access to all your apps and desktops
That’s it for now: you can log into your NetScaler Unified Gateway using ADFS and SAML. Next we will look at integrating Microsoft Azure MFA into the mix, then configuring Context Aware MFA
Part 4 – Microsoft Azure MFA Integration
Laters,
b@m
Hey Dave.
Great post. I have a question regarding the certificates used for UG. In part one you used your Digicert Wildcard. I wanted to know would it be possible to use two certificates i.e. one for sts.domain.com and one for ug.domain.com instead of using wildcards.
Both of these certs (sts and ug) will be uploaded to NetScaler. On the AD FS server the UG certificate with common name will be imported into the signature tab in the relying party trust section.
Would this approach work to setup this 6 part series?
Let me know your thoughts when you have a moment.
It should work so long as you enable SNI on the content switch
Thanks Dave
No problem.
Dave, great article. Excellent.
I have it set up exactly as per your article and it works just like yours. But when I try to re-use the SAML Auth for another app (eg Salesforce), it keeps redirecting back to the UG landing page once Salesforce is authenticated. When I set up the ADFS proxy without UG, (as per Erik’s blog) Salesforce works fine. Any thoughts on re-using the SAML authentication for other apps like this with UG?
The reason it’s redirecting is the responder policy bound to the vServer post authentication. You could change this and redirect to another vServer, or bind multiple responder policies
There isn’t a responder policy there – however there is a default content switching policy that is deployed by the UG wizard that sends traffic back to the UG. I’ll try the responder. Thanks