Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 3


Previous Articles in this series

Part 1 – ADFS

Part 2 – Citrix FAS and StoreFront

Part 3 of this blog series will walk you through setting up your NetScaler Gateway authentication policies to hand off authentication to ADFS as well as setting up the NetScaler as an ADFS Proxy and binding this to your Externally Facing Content Switch.

SAML Authentication Policies

You will need to create a SAML Authentication Policy to bind to your NetScaler Gateway in order to hand off authentication to your ADFS Service.

Head to Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML

Select the Servers tab and click to Add your new SAML Server

Set up your SAML Server as shown below



  • The IDP Certificate Name and Signing Certificate Name are being used as we replaced the Token Signing and Token Decrypting Certificates when setting up ADFS in Part 1 of this series
  • The Redirect and Logout URL use the EXTERNAL FQDN for my ADFS Service with /adfs/ls/ tagged onto the end of the URL
  • Issuer Name: This needs to be listed as a relying party in ADFS – if this is not listed SAML will not work and the authentication process will fail.

ADFS Signing Certificates


Relying Party


Click the MORE option before closing the SAML Server and check that the Signature Algorithm and Digest Method are set to SHA-256


Once you have the SAML Server defined, create your SAML Policy with the expression ns_true and select the SAML Server you just created


Finally open up your Non-Addressable NetScaler Gateway VPN vServer that sits behind your Unified Gateway Content Switch, remove the LDAPS Authentication Policy you have bound there and bind the SAML Policy you have just created
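A way to verify the SAML Server settings above from a saved NetScaler configuration, as an added example that is not part of the original post: it parses `add authentication samlAction` lines and reports any that miss the SHA-256 settings, the /adfs/ls/ URLs, or the certificate and issuer fields. The sample lines are constructed, the action, certificate and issuer names in them are placeholders, and the https requirement on the URLs is an assumption of this check.

```python
import shlex

# Constructed sample in ns.conf syntax; action, certificate and issuer names are placeholders.
SAMPLE_CONF = (
    'add authentication samlAction saml_adfs -samlIdPCertName adfs_cert '
    '-samlSigningCertName adfs_cert -samlRedirectUrl "https://sts.bretty.me.uk/adfs/ls/" '
    '-samlIssuerName ug.bretty.me.uk -signatureAlg RSA-SHA256 -digestMethod SHA256 '
    '-logoutURL "https://sts.bretty.me.uk/adfs/ls/"\n'
    'add authentication samlAction saml_old -samlIdPCertName adfs_cert '
    '-samlRedirectUrl "https://sts.bretty.me.uk/adfs" -signatureAlg RSA-SHA1 -digestMethod SHA1\n'
)

def parse_saml_actions(conf):
    """Return {action_name: {lowercased_param: value}} for each samlAction line."""
    actions = {}
    for line in conf.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes elsewhere in the file
            continue
        if len(tok) < 4 or [t.lower() for t in tok[:3]] != ["add", "authentication", "samlaction"]:
            continue
        opts = tok[4:]
        actions[tok[3]] = {k.lstrip("-").lower(): v for k, v in zip(opts[::2], opts[1::2])}
    return actions

def audit(conf):
    """Return {action_name: [issues]}; an empty list means the action matches the post."""
    findings = {}
    for name, p in parse_saml_actions(conf).items():
        issues = []
        # A parameter missing from the line is reported as well: it was never set explicitly.
        if p.get("signaturealg", "").upper() != "RSA-SHA256":
            issues.append("signatureAlg is not RSA-SHA256")
        if p.get("digestmethod", "").upper() != "SHA256":
            issues.append("digestMethod is not SHA256")
        for key in ("samlredirecturl", "logouturl"):
            url = p.get(key, "").lower()
            if not (url.startswith("https://") and url.endswith("/adfs/ls/")):
                issues.append(f"{key} is not an https URL ending in /adfs/ls/")
        for key in ("samlidpcertname", "samlsigningcertname", "samlissuername"):
            if not p.get(key):
                issues.append(f"{key} is not set")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for action, issues in audit(SAMPLE_CONF).items():
        print(action, "OK" if not issues else issues)
```

To run it against a real appliance, pass the text of a saved configuration file to `audit()` in place of `SAMPLE_CONF`.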


ADFS Proxy

So we now want the NetScaler to act as a proxy server for all inbound ADFS traffic.  Once again the Citrix Community came through on this, and my friend Eric from XenApp Blog had already written a great post on configuring the NetScaler as an ADFS Proxy, including a monitor that works!


Once you have followed Eric’s post you should end up with a working ADFS vServer on your NetScaler


This vServer should have 2 Rewrite policies bound to it as per the post


You should also have a Content Switching policy created to redirect all inbound traffic using your external ADFS URL (sts.bretty.me.uk), or any external URL with the pattern /adfs in the URL, to your internal ADFS vServer


At this point you have the following in place:

  • Internal ADFS Service
  • Relying Party to handle the handover from NetScaler Gateway
  • ADFS Proxy Configured and working
  • External FQDN for ADFS
  • Internal FQDN for ADFS
  • NetScaler Gateway SAML Policy Bound to Gateway
  • Citrix FAS Implemented and working

Testing External Access

You can get to your ADFS Service now using the external URL for your ADFS Service (in my case sts.bretty.local)


If you go to your external FQDN for your Unified Gateway (in my case ug.bretty.me.uk) it will redirect you to your ADFS Proxy.  You should be able to sign into this using your UPN and ADFS will pass you back to the Unified Gateway as an authenticated user



From here you can access your Apps and Desktops and Launch assigned resources


If you want to check that Citrix FAS is working as expected, you can open up the Certificate Authority and check the issued certificates


Testing Internal Access

Ensure that you have set up an internal namespace in DNS to point your NetScaler Unified Gateway DNS name to the internal IP Address of your Content Switch


Once you have that in place you should be able to go to the FQDN for your NetScaler Unified Gateway internally.  This will in turn hand you off to ADFS internally, authenticate you, pass you back to the Unified Gateway and display your apps and desktops

When connecting, your ADFS Service will more than likely prompt you with this


Just authenticate here with your domain credentials

We will sort this out later in the series when dealing with context aware authentication

ADFS will then hand you back to your unified gateway and you can get access to all your apps and desktops


That’s it for now – you can log into your NetScaler Unified Gateway using ADFS and SAML.  Next we will look at integrating Microsoft Azure MFA into the mix then configuring Context Aware MFA

Part 4 – Microsoft Azure MFA Integration




10 thoughts on “Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 3”

  1. Pingback: Putting it all together – Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 2 | bretty.me.uk

  2. Pingback: Citrix XenDesktop, ADFS, Azure MFA, NetScaler Unified Gateway and Citrix FAS – Part 3

  3. Pingback: Front XenApp 7.11+ in Azure with NetScaler (Unified) Gateway 11.x.n | A Xendc Tech Blog – Unofficial!!!

  4. Gareth Chapman

    Hey Dave.

    Great post. I have a question regarding the certificates used for UG. In part one you used your Digicert Wildcard. I wanted to know would it be possible to use two certificates i.e. one for sts.domain.com and one for ug.domain.com instead of using wildcards.

    Both these certs (sts and ug) will be uploaded to Netscaler. On AD FS server the UG certificate with common name will be imported into the signature tab in the relying party trust section.

    Would this approach work to setup this 6 part series?

    Let me know your thoughts when you have a moment.

  5. Hamish

    Dave, great article. Excellent.

    I have it set up exactly as per your article and it works just like yours. But when I try to re-use the SAML Auth for another app (eg Salesforce), it keeps redirecting back to the UG landing page once Salesforce is authenticated. When I set up the ADFS proxy without UG, (as per Erik’s blog) Salesforce works fine. Any thoughts on re-using the SAML authentication for other apps like this with UG?

    1. Bretty Post author

      The reason it's redirecting is the responder policy bound to the vServer post authentication. You could change this and redirect to another vServer or bind multiple responder policies

  6. Hamish

    There isn’t a responder policy there – however there is a default content switching policy that is deployed by the UG wizard that sends traffic back to the UG. I’ll try the responder. Thanks
