How to use with storefront SAML authentication The Security Assertion Markup Language (SAML) provides a standard authentication information between organizations to transfer 2.6

How to use with storefront SAML authentication

The Security Assertion Markup Language (SAML) provides a standard authentication information between organizations to transfer 2.6 - . In particular, SAML can users to resources from a different domain access their own credentials.

The latest version of storefront Citrix can offer the benefits of SAML next to the app store experience storefront for the first time. This solution can be used to help a service provider customers to access hosted applications, provide a quick way to add new employees after a merger or acquisition to OnBoard deliver critical applications to other health clinics and more. Ultimately adds Citrix SAML support another level of flexibility today's fast paced IT environment to meet.

I recently participated in a series of conversations with customers who have had to know more on looking at how to use SAML to with storefront.

I quickly realized that to solve a lack of consolidated information on the subject-something I hope to help today. The guide below is an example of how SAML support can be configured with NetScaler, storefront, and XenApp. For simplicity, I assumed that those these are configurable aware Kerberos, certificates reading, Active Directory Federation Services (ADFS) configuration, installation of the core Citrix components are involved, and a fundamental vServer on NetScaler Gateway. I must also mention that this solution, which is supported currently installed on Storefront 2.6 and XenApp 6.5 with XML IIS Integration.

Before we start, I'd like a special extend thanks to Michael Colson, Nelson Esteves, James Hsu, and the storefront product team for their support in various projects that led to the creation of this guide.

environment

an easier way to offer, trace the two domains in this configuration, the guide point to keep involved two notional units. The hosting environment (The.Lab) contains a single instance of NetScaler 10.5, 2.6 Storefront, XenApp 6.5 with XML IIS Integration and a certification body. Xirtic (xirtic.lab) acts as Identity Provider (IdP) in this scenario, and contains a single instance of ADFS 2.0 and a certification body. Since the guide local domains used in a test environment, I have decided certificates that use of the internal CAs. secure in the real world, using certificates from trusted public CAs signed external communication recommended.

Communication Workflow

SAML-Architecture

Configuring Kerberos delegation rights

for delegation of the XenApp server
1. on the domain controller, open the Active Directory users and Computers MMC console
2. Make sure that [are Advanced features enabled by selecting view> Advanced features
3. Navigate to the computer account for the XenApp server and select action> properties
4. select delegation tab on for delegating this computer to specific services only , on use trust is Kerberos , and then click In
5. click users or computers Add dialog box
6. for the name of the XenApp server in Active Directory lookup and click OK
close

configure for transmitting the storefront server

on the domain controller, open the Active Directory -user and Computers MMC console

Make sure that Advanced features are by navigating to view> Advanced features

on the computer account activated for the storefront server, navigate and select action> properties

Select the delegation tab on trust this computer for transmission to specific services only Any of authentication protocol using and then click in

click users or computers in Add services dialog box

for the XenApp server name search in Active Directory and click OK

Select the http service type and click then to take on OK

the changes and close the dialog box

to Configuring XenApp 6.5

Let the XenApp server incoming XML requests
trust
on the XenApp server, open the Citrix AppCenter console

to expand the XenApp farm and on the guidelines node

in computer tab, select New ... a new directive

Name the new policy and select Next

to create the link XML service category and click on in in trust XML requests guidelines

Select Enables , on OK , and then click Next

Add working group or Active Directory organizational unit filter containing involved with SAML access the XenApp server and click Next

Make sure to enable this policy, is checked and click create

Configure storeFront 2.6

to enable smart card authentication on the storefront store

on the storefront server, start the Citrix storefront Administration console

Select Add authentication node

in the Actions pane / remove methods

check Smart Card and then OK

to enable smart card authentication on storefront of NetScaler Gateway

on the storefront server, start the Citrix storefront Administration console

Navigate to the NetScaler Gateway node, and select the gateway for be SAML authentication

used in the Actions pane, click General settings

Select Smart Card for the logon type field and click OK

enable Kerberos Constrained delegation on storefront

on the storefront server, start the Citrix storefront Administration console

select Shops [1945004thenchoose] node and the store, the Pane

is used in the actions for the Kerberos authentication, click configure Kerberos delegation

check use Kerberos delegation Delivery controller and then OK

[1945024zuauthentifizieren]

NTFS permissions for transition service the storefront companies Protocol

on the storefront server to C: program files Citrix receiver storefront Services Protocol transition service [1945004[

, the file properties of open AccessList.txt and navigate to the [1945003
Choose need] Security tab
[ Edit and then In ...
, the user or group, enter the SAML access (in this guide, the domain users group used for convenience) on OK and then apply read permissions for each user or group, the SAML access

Configure NetScaler Gateway

import need the public key of Xirtic the ADFS signing certificate into the NetScaler

Login the major NetScaler appliance

in configuration tab to Traffic management > SSL > Certificates and click Install

, enter the certificate key pair a name, select the down arrow next to Browse button for certificate file name box, and then click local

Select the public key of Xirtic of ADFS signing certificate and then click Install

create a SAML authentication policy for NetScaler Gateway

Login to the NetScaler appliance

in configuration tab to NetScaler Gateway > guidelines > Authentication> SAML

select Server tab and then select In

to fill in the form with the following values:

enter the server profile name

IDP certificate name : Xirtic the ADFS signing certificate from step 8
Select
redirect URL : Enter the Association of ADFS server URL (default: https: / / / adfs / ls /)

user field : Enter name ID

Signing certificate name : the existing gateway certificate of NetScaler Select

name of the issuer : type NetScaler

Click OK

select guidelines tab and then select in

enter the policy a name, select the SAML server previously configured in the server box, enter ns_true in expression field, and click create

[1945001[

Bind the SAML authentication policy to an existing gateway vServer

application to the main NetScaler appliance

configuration navigate tab on NetScaler Gateway > Virtual Server

Select an existing gateway vServer that for SAML authentication to be used, and then click Edit

with plus sign in the upper right corner of authentication section

select SAML as policy type, and then click to create the SAML policy in step 9 on Next

Select, click OK , and then click Bind

remove the bindings for other guidelines authentication to the gateway vServer bound. While it is possible to use multiple authentication policies on a single gateway vServer, this is not covered in this manual.

Configuring an ADFS party trust Relying

use Citrix support article CTX140562 as a guide for manually ADFS configure NetScaler than relying party to trust

Although the lead with the Windows Server 2012 wrote that ADFS configuration within Windows Server 08 is similar to

, the relying party SAML 2.0 SSO service URL field maps should the URL of the NetScaler Gateway vServer with / cgi / samlauth to the attached end of

, the relying party trust identifier the match name of the issuer with the NetScaler Gateway SAML policy in step 9
configured optionally
For the purposes in this manual is only the SAM account name / name ID LDAP attribute must be assigned to a requirement of the rule

, the signing certificate for the relying party should match the public key of the certificate for the signing certificate name box in step 9 used

to use to configure the trust SHA-1 encryption

Open the properties of the party confidence relying in step configured 11

Navigate to the Extended tab, select SHA-1 as Secure hash algorithm and click OK

Add to the domain
shadow accounts

shadow accounts are used by storefront reflect an incoming user credentials to an internal Windows identity , This Windows identity is then used by Storefront and XenApp to start applications. To launch applications with a SAML authenticated users, we need to create shadow accounts in Active Directory, which mimic the username Xirtic users. For more information about how to create shadow accounts can be found here.

seen
implementation issues

Attention! Using Registry Editor incorrectly can cause serious problems that you might need to reinstall your operating system. Citrix can not guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use. Registry Editor at your own risk Be sure to back up the registry before you edit it

. Problem: If an application is launched, a user may receive an "access denied" message displayed by Windows before receiver includes
resolution :. on the XenApp server, add the IgnoreRegUserConfigErrors DWORD with a hexadecimal value of 1 to the following location:
HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Control terminal Server

Tweet