Forum Discussion

gsriramalu
Nov 26, 2024

F5APM SSO SAML OAUTH

I am trying to integrate F5 APM with Citrix.

Setup:

  • F5 APM SAML SP
  • Azure AD SAML IDP
  • SSO to Citrix

Issue:

The new Citrix version doesn't support Kerberos tokens, so after successful SAML authentication the post-assertion step sends the user information as a Kerberos token, which is then passed to Citrix StoreFront. As Citrix doesn't support Kerberos, it simply presents you with a StoreFront logon page and asks you to log on again. Basically we have to log in twice to launch an application or desktop.

Citrix Workaround:

  • Enable SAML on StoreFront
  • Create a new external SP connector to StoreFront SAML
  • Enable Citrix FAS
  • Enable Active Directory CA
  • Deploy FAS AD GPO

We can avoid the above design change if we could get the access policy below to work:

Start --> Internet Users --> F5 APM External Logon page --> Enter Username & Password --> Capture the Username & Password to a variable --> Input that to right SAML attributes of SAML external IDP connector --> auto feed the username & password to the SAML flow --> on successful SAML authentication --> pass on the username & password from the logon page for the SSO credentials to the StoreFront for SSO

We are not able to figure out a way to capture the username & password from the logon page and pass it to SAML authentication flow.

Any help & guidance in this regard is greatly appreciated.

  • f51

    To achieve this, you need to capture the credentials from the F5 APM logon page and use them in the SAML authentication flow. This can be tricky because typically SAML flows do not involve passing raw credentials directly. Here’s how you might approach it:

    Access Policy Steps:

    1. Logon Page:
      • Create a custom logon page to capture the username and password.
      • Set session variables (e.g., session.logon.last.username and session.logon.last.password).
    2. SAML Authentication:
      • Use the session variables to populate the necessary SAML attributes.
      • Perform the SAML authentication with Azure AD as the IDP.
    3. SSO to Citrix:
      • After successful SAML authentication, use the captured credentials to perform SSO to Citrix StoreFront.

    Example:

    when ACCESS_POLICY_AGENT_EVENT {
        # Fires at an iRule Event agent in the access policy; match on that agent's ID
        if { [ACCESS::policy agent_id] eq "capture_creds" } {
            # Capture the username and password from the logon page
            # (-secure is required to read the encrypted password variable)
            set username [ACCESS::session data get "session.logon.last.username"]
            set password [ACCESS::session data get -secure "session.logon.last.password"]

            # Stage the username for the SAML request. A SAML AuthnRequest carries
            # no password field, so only the username can be handed to the IdP here.
            # The variable name below is an example; reference whichever variable
            # your SAML SP configuration reads.
            ACCESS::session data set "session.custom.saml.username" $username
        }
    }

    when ACCESS_POLICY_COMPLETED {
        if { [ACCESS::policy result] eq "allow" } {
            # On successful SAML authentication, hand the captured credentials to
            # APM's SSO engine. A forms-based SSO profile attached to the access
            # profile reads these variables and submits the StoreFront logon form.
            # (HTTP::request only reads the current request; it cannot send one.)
            set username [ACCESS::session data get "session.logon.last.username"]
            set password [ACCESS::session data get -secure "session.logon.last.password"]
            ACCESS::session data set "session.sso.token.last.username" $username
            ACCESS::session data set -secure "session.sso.token.last.password" $password
        }
    }

  • Why would SAML need the password?

    As for the username you could add %{session.logon.last.username} as Saml attribute or even as Subject
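The reply above notes that SAML has no place for the password. The following added Python example (not from this thread, from F5, or from Citrix) builds the SP-initiated AuthnRequest such a flow sends, carrying the logon username as Subject/NameID and nothing else from the logon form; the entity ID and URLs are constructed placeholders.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, username):
    """Build an SP-initiated AuthnRequest. The username from the logon page
    goes into Subject/NameID; the password never leaves the SP, because the
    IdP (here Azure AD) is the party that verifies credentials."""
    root = ET.Element(ET.QName(SAMLP, "AuthnRequest"), {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, ET.QName(SAML, "Issuer")).text = sp_entity_id
    subject = ET.SubElement(root, ET.QName(SAML, "Subject"))
    name_id = ET.SubElement(subject, ET.QName(SAML, "NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    })
    name_id.text = username
    return ET.tostring(root, encoding="unicode")


def subject_name_id(xml_text):
    """Parse a request back and return the NameID the IdP will see."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return node.text if node is not None else None


def request_carries(xml_text, value):
    """Check whether a given value (e.g. the captured password) is in the request."""
    return value in xml_text


if __name__ == "__main__":
    # Constructed sample values, not a real deployment
    req = build_authn_request("https://apm.example.test/saml/sp",
                              "https://apm.example.test/saml/sp/acs",
                              "https://idp.example.test/sso", "jdoe")
    print(req)
```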