How to use with storefront SAML authentication

The Security Assertion Markup Language (SAML) is a standard for exchanging authentication information between organizations. In particular, SAML allows users from one domain to access resources in a different domain using their own credentials.

The latest version of Citrix StoreFront offers the benefits of SAML alongside the StoreFront app-store experience for the first time. This solution can help a service provider give customers access to hosted applications, provide a quick way to onboard new employees after a merger or acquisition, deliver critical applications to other health clinics, and more. Ultimately, Citrix's SAML support adds another level of flexibility for meeting the demands of today's fast-paced IT environment.

I recently took part in a series of conversations with customers who wanted to know more about how to use SAML with StoreFront.

I quickly realized that there is a lack of consolidated information on the subject, something I hope to help remedy today. The guide below is an example of how SAML support can be configured with NetScaler, StoreFront, and XenApp. For simplicity, I assume that those configuring this are familiar with Kerberos, certificates, Active Directory Federation Services (ADFS) configuration, installation of the Citrix core components involved, and a basic vServer on NetScaler Gateway. I should also mention that this solution is currently supported on StoreFront 2.6 and XenApp 6.5 with XML IIS integration.

Before we start, I'd like to extend special thanks to Michael Colson, Nelson Esteves, James Hsu, and the StoreFront product team for their support on the various projects that led to this guide.

Environment

To make the two domains in this configuration easier to follow, the guide uses two notional organizations. The hosting environment (The.Lab) contains a single instance of NetScaler 10.5, StoreFront 2.6, XenApp 6.5 with XML IIS integration, and a certificate authority. Xirtic (xirtic.lab) acts as the Identity Provider (IdP) in this scenario and contains a single instance of ADFS 2.0 and a certificate authority. Since the guide uses local domains in a test environment, I decided to use certificates from the internal CAs. In the real world, securing external communication with certificates signed by trusted public CAs is recommended.

Communication Workflow

SAML-Architecture

Configuring Kerberos delegation rights

  1. Configure the XenApp server for delegation
    1. On the domain controller, open the Active Directory Users and Computers MMC console
    2. Make sure that Advanced Features are enabled by selecting View > Advanced Features
    3. Navigate to the computer account for the XenApp server and select Action > Properties
    4. On the Delegation tab, select Trust this computer for delegation to specified services only and Use Kerberos only, and then click Add
    5. In the Add Services dialog box, click Users or Computers
    6. Search for the name of the XenApp server in Active Directory and click OK
    7. Under Available services, select the HOST service type and then click OK
    8. Click Add and then Users or Computers again
    9. Search for the name of the domain controller in Active Directory and click OK
    10. Select the CIFS and ldap service types and click OK (if multiple entries exist for ldap, select the one matching the domain controller's FQDN)
    11. Click OK to accept the changes and close the dialog box


  2. Configure the StoreFront server for delegation
    1. On the domain controller, open the Active Directory Users and Computers MMC console
    2. Make sure that Advanced Features are enabled by navigating to View > Advanced Features
    3. Navigate to the computer account for the StoreFront server and select Action > Properties
    4. On the Delegation tab, select Trust this computer for delegation to specified services only and Use any authentication protocol, and then click Add
    5. In the Add Services dialog box, click Users or Computers
    6. Search for the name of the XenApp server in Active Directory and click OK
    7. Select the http service type and then click OK
    8. Click OK to accept the changes and close the dialog box
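As an added example (not from the original post), the same delegation rights from steps 1 and 2 applied with the ActiveDirectory PowerShell module instead of the ADUC GUI, followed by a read-back so the result can be checked; the host names XENAPP01, SF01 and DC01 in the.lab are assumptions.

```powershell
# Added example (not from the original post): steps 1 and 2 via the ActiveDirectory
# module. Host names are assumptions for the the.lab domain; replace them with your own.
Import-Module ActiveDirectory

$domain = 'the.lab'
$xenapp = 'XENAPP01'   # XenApp 6.5 server (assumed name)
$sf     = 'SF01'       # StoreFront 2.6 server (assumed name)
$dc     = 'DC01'       # domain controller (assumed name)

# Step 1: XenApp may delegate to its own HOST service and to CIFS/LDAP on the DC,
# using Kerberos only (no protocol transition needed on this hop).
$xenappTargets = @(
    "HOST/$xenapp.$domain", "HOST/$xenapp",
    "cifs/$dc.$domain",     "cifs/$dc",
    "ldap/$dc.$domain",     "ldap/$dc"
)
# The SAM account name of a computer object ends in '$'.
Set-ADComputer -Identity "$xenapp$" -Add @{ 'msDS-AllowedToDelegateTo' = $xenappTargets }
Set-ADAccountControl -Identity "$xenapp$" -TrustedToAuthForDelegation $false

# Step 2: StoreFront delegates to the XenApp http service and must be allowed to use
# "any authentication protocol" (protocol transition), because the user arrives with a
# SAML assertion rather than a Kerberos ticket.
$sfTargets = @("http/$xenapp.$domain", "http/$xenapp")
Set-ADComputer -Identity "$sf$" -Add @{ 'msDS-AllowedToDelegateTo' = $sfTargets }
Set-ADAccountControl -Identity "$sf$" -TrustedToAuthForDelegation $true

# Verification: list delegation targets and flags for each account. Unconstrained
# delegation (TrustedForDelegation) should remain $false on both servers.
function Get-DelegationSummary {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        Get-ADComputer -Identity "$name$" -Properties msDS-AllowedToDelegateTo,
            TrustedForDelegation, TrustedToAuthForDelegation |
            Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
                @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
    }
}
Get-DelegationSummary -ComputerName $xenapp, $sf | Format-List
```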


Configuring XenApp 6.5

  3. Let the XenApp server trust incoming XML requests
    1. On the XenApp server, open the Citrix AppCenter console
    2. Expand the XenApp farm and click the Policies node
    3. On the Computer tab, select New to create a new policy
    4. Name the new policy and select Next
    5. Expand the XML Service category and click Add on the Trust XML requests policy
    6. Select Enabled, click OK, and then click Next
    7. Add a worker group or Active Directory organizational unit filter containing the XenApp servers involved in SAML access and click Next
    8. Make sure Enable this policy is checked and click Create


Configure StoreFront 2.6

  4. Enable smart card authentication on the StoreFront store
    1. On the StoreFront server, start the Citrix StoreFront administration console
    2. Select the Authentication node
    3. In the Actions pane, click Add/Remove Methods
    4. Check Smart card and then click OK


  5. Enable smart card authentication on StoreFront for the NetScaler Gateway
    1. On the StoreFront server, start the Citrix StoreFront administration console
    2. Navigate to the NetScaler Gateway node and select the gateway to be used for SAML authentication
    3. In the Actions pane, click General Settings
    4. Select Smart card for the Logon type field and click OK


  6. Enable Kerberos constrained delegation on StoreFront
    1. On the StoreFront server, start the Citrix StoreFront administration console
    2. Select the Stores node and then choose the store in the results pane
    3. In the Actions pane, click Configure Kerberos Delegation
    4. Check Use Kerberos delegation to authenticate to Delivery Controllers and then click OK


  7. Set NTFS permissions for the StoreFront Protocol Transition Service
    1. On the StoreFront server, navigate to C:\Program Files\Citrix\Receiver StoreFront\Services\Protocol Transition Service
    2. Open the properties of the file AccessList.txt and navigate to the Security tab
    3. Click Edit and then Add...
    4. Enter the user or group that needs SAML access (in this guide, the Domain Users group is used for convenience), click OK, and then apply Read permissions for each user or group that needs SAML access


Configure NetScaler Gateway

  8. Import the public key of Xirtic's ADFS signing certificate into the NetScaler
    1. Log in to the NetScaler appliance
    2. On the Configuration tab, navigate to Traffic Management > SSL > Certificates and click Install
    3. Enter a name for the certificate-key pair, select the down arrow next to the Browse button for the Certificate File Name box, and then click Local
    4. Select the public key of Xirtic's ADFS signing certificate and then click Install


  9. Create a SAML authentication policy for NetScaler Gateway
    1. Log in to the NetScaler appliance
    2. On the Configuration tab, navigate to NetScaler Gateway > Policies > Authentication > SAML
    3. Select the Servers tab and then click Add
    4. Fill in the form with the following values:
      • Name: enter a name for the server profile
      • IDP Certificate Name: select Xirtic's ADFS signing certificate imported in step 8
      • Redirect URL: enter the federation service URL of the ADFS server (default: https://<ADFS server FQDN>/adfs/ls/)
      • User Field: enter Name ID
      • Signing Certificate Name: select the existing NetScaler Gateway certificate
      • Issuer Name: type NetScaler
    5. Click OK
    6. Select the Policies tab and then click Add
    7. Enter a name for the policy, select the SAML server configured previously in the Server box, enter ns_true in the Expression field, and click Create

  10. Bind the SAML authentication policy to an existing gateway vServer
    1. Log in to the NetScaler appliance
    2. On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers
    3. Select the existing gateway vServer to be used for SAML authentication, and then click Edit
    4. Click the plus sign in the upper right corner of the Authentication section
    5. Select SAML as the policy type, and then click Next
    6. Select the SAML policy created in step 9, click OK, and then click Bind
    7. Remove the bindings for any other authentication policies bound to the gateway vServer. While it is possible to use multiple authentication policies on a single gateway vServer, this is not covered in this guide.


Configuring an ADFS Relying Party Trust

  11. Use Citrix support article CTX140562 as a guide to manually configure NetScaler as a relying party trust in ADFS
    1. Although that guide was written for Windows Server 2012, ADFS configuration in Windows Server 2008 is similar
    2. The relying party's SAML 2.0 SSO service URL field should map to the URL of the NetScaler Gateway vServer with /cgi/samlauth appended to the end
    3. The relying party trust identifier should match the issuer name configured in the NetScaler Gateway SAML policy in step 9
    4. For the purposes of this guide, only the SAM-Account-Name LDAP attribute needs to be mapped to Name ID in the claim rule
    5. The signing certificate for the relying party should match the public key of the certificate used for the Signing Certificate Name box in step 9
  12. Configure the trust to use SHA-1
    1. Open the properties of the relying party trust configured in step 11
    2. Navigate to the Advanced tab, select SHA-1 as the secure hash algorithm, and click OK


Add shadow accounts to the domain

  13. Shadow accounts are used by StoreFront to map an incoming user's credentials to an internal Windows identity. This Windows identity is then used by StoreFront and XenApp to launch applications. To launch applications for SAML-authenticated users, we need to create shadow accounts in Active Directory that mirror the usernames of the Xirtic users. More information about how to create shadow accounts can be found here.
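As an added example (not part of the original post or the article it links), a PowerShell routine that creates a shadow account whose sAMAccountName matches the Name ID ADFS sends (the SAM-Account-Name mapping from step 11) and resolves an incoming Name ID back to that account. The OU, the 'SAML Users' group and the user jsmith are assumptions, and requiring smart card logon on the shadow account is an added hardening choice, not something the post prescribes.

```powershell
# Added example (not from the original post). OU, group and user name are assumptions.
Import-Module ActiveDirectory

$shadowOu  = 'OU=SAML Shadow Accounts,DC=the,DC=lab'   # assumed OU for shadow accounts
$accessGrp = 'SAML Users'                               # assumed group granted Read on AccessList.txt (step 7)

function New-ShadowAccount {
    param(
        [Parameter(Mandatory)][string]$NameId,        # SAML Name ID = sAMAccountName of the Xirtic user
        [Parameter(Mandatory)][string]$DisplayName
    )
    # The shadow account never logs on with a password: StoreFront obtains a Kerberos
    # ticket for it through protocol transition. So give it a long random password that
    # nobody knows and (added hardening, an assumption here) require smart card logon,
    # which switches interactive password logon off for this account.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $NameId -SamAccountName $NameId -DisplayName $DisplayName `
        -UserPrincipalName "$NameId@the.lab" -Path $shadowOu `
        -AccountPassword $secret -Enabled $true -PasswordNeverExpires $true `
        -SmartcardLogonRequired $true
    Add-ADGroupMember -Identity $accessGrp -Members $NameId
}

# Resolve an incoming Name ID to its shadow account. $null means the user has no
# shadow account, and the launch will fail at StoreFront rather than at XenApp.
function Resolve-ShadowAccount {
    param([Parameter(Mandatory)][string]$NameId)
    # Accept 'user', 'DOMAIN\user' or 'user@domain' and keep only the user part.
    $sam = if ($NameId -match '^(?:[^\\]+\\)?([^@]+)(?:@.*)?$') { $Matches[1] } else { $NameId }
    # Script-block filter avoids building the LDAP filter from the raw string.
    Get-ADUser -Filter { SamAccountName -eq $sam } -SearchBase $shadowOu -Properties memberOf
}

New-ShadowAccount -NameId 'jsmith' -DisplayName 'Jane Smith (xirtic.lab)'
Resolve-ShadowAccount -NameId 'XIRTIC\jsmith' |
    Select-Object SamAccountName, Enabled, SmartcardLogonRequired, memberOf
```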

Implementation issues

Caution! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

  • Problem: When an application is launched, a user may receive an "Access denied" message from Windows before Receiver connects.
    Resolution: On the XenApp server, add the IgnoreRegUserConfigErrors DWORD with a hexadecimal value of 1 at the following location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server