Forum Discussion

Altostratus

Jan 18, 2022

Citrix access using SAML

Is it possible to perfom SSO into CItrix when AZURE SAML to authenitcate to the F5. All the docs, guides or bits and pieces I have found that reference passwordless envolves using smartcard. I...

BIG-IP Access Policy Manager (APM)

MVP

Jan 26, 2022

So Azure AD is your SAML IdP and the F5 is your SAML SP and you want the Citrix Storefront to be another SAML SP of Azure AD?

If the F5 and Citrix are SP on the same SAML IdP Azure AD this should work but if you want the F5 to use username/password for SSO then reserch how Azure AD can return the SAML username and password to to the F5 SAML SP as saml attributes in the assertion so it can use it to SSO in the Citrix if that is possible. Still I do not know if the userame and password can be inserted by the Azure AD as F5 IdP supports this but for Azure you have to check.

https://community.f5.com/t5/technical-forum/using-saml-for-login-vs-f5-login-page-but-need-the-password-for/td-p/92681

https://community.f5.com/t5/technical-forum/saml-auth-with-logon-page/td-p/90217

https://community.f5.com/t5/technical-forum/saml-apm-as-service-provider-sp-role-is-it-possible-to-do-sso/td-p/128301

Rob_Young

Altostratus

Jan 26, 2022

Thanks for the info. To clarify, I do not wish to continue using username and pass. We are testing AzureAD as our IDP and the F5 as the SP (which is working) but we are having issues authenticating to our Citrix storefront. You cannot pass the password from AzureAD as a SAML attribute ( and I would never want to hand around a pw in a SAML attribute anyways)

I would think that I would have to do a Kerb or another SAML which I have tried but I cannot seem to get this to work. Looking for someone who has this working in their environment.

Nikoolayy1
MVP
Jan 26, 2022
Have tried to also add the Citrix storefront to the Azure AD?

https://support.citrix.com/article/CTX220638

Also without F5 APM having username or password I agree that F5 Kerberos SSO could be the only way with ssl client check so that F5 APM can extract the username from the client SSL certificate as this is needed for UPN:

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html

https://support.f5.com/csp/article/K59350434

https://support.f5.com/csp/article/K08200035

Edit:

If Azure AD has a way to send the username/email as attribute this will make the client ssl cert not needed.

Also take a look of this article if it helps:

https://community.f5.com/t5/technical-articles/smart-card-authentication-to-citrix-storefront-using-f5-access/ta-p/286377

https://discussions.citrix.com/topic/404480-is-kerberos-supported-with-sf-312-with-xa-715-ltsr-and-cac-card/

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Citrix access using SAML

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Error post F5 upgrade

ACME DNS RFC-2136 Let's Encrypt certs

Big-IP LTM integration with Big-IP DNS in Azure

UCS Encryption Question

Dnssec deployment

Related Content

Smart Card Authentication to Citrix StoreFront Using F5 Access Policy Manager

Mitigating OWASP Web Application Risk: Broken Access Control using BIG-IP

Citrix iApps

Solution for Citrix Optimal Gateway Routing

Multi-Stores Citrix environment BIG-IP APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS