F5APM SSO SAML OAUTH
I am trying to integrate F5 APM with Citrix.
Setup:
- F5 APM SAML SP
- Azure AD SAML IDP
- SSO to Citrix
Issue:
New Citrix versions don't support Kerberos tokens, so after the successful SAML authentication, the post assertion will send the user information as a Kerberos token, which is then passed to Citrix StoreFront. As Citrix doesn't support Kerberos, it simply presents you with a StoreFront logon page and asks you to log on again. Basically, we have to log in twice to launch an application or desktop.
Citrix Workaround:
- Enable SAML on StoreFront
- Create a new external SP connector to StoreFront SAML
- Enable Citrix FAS
- Enable Active Directory CA
- Deploy FAS AD GPO
We can avoid the above design change if we could get the below access policy to work:
Start --> Internet Users --> F5 APM External Logon page --> Enter Username & Password --> Capture the Username & Password to a variable --> Input that to the right SAML attributes of the SAML external IDP connector --> auto feed the username & password to the SAML flow --> on successful SAML authentication --> pass on the username & password from the logon page for the SSO credentials to the StoreFront for SSO
We are not able to figure out a way to capture the username & password from the logon page and pass it to the SAML authentication flow.
Any help & guidance in this regard is greatly appreciated.