Citrix Federated Authentication Service Integration with APM

Introduction This guide will cover how to use APM as the access gateway in front of Storefront when using Citrix FAS. This will enable you to leverage authentication methods like SAML, Kerberos, o...
Published Dec 19, 2016
Version 1.0
access gateway
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
citrix
federated authentication service
kerberos
saml
security
Graham_Alderso1's avatar
Graham_Alderso1
Icon for Employee rankEmployee
Feb 09, 2018

Manuel,

 

I think I understand what you're trying to do. Unfortunately what you've described won't work. O365 and F5 SAML SP will each need its own assertion and relying party relationship in ADFS. Also, your O365 Sharepoint will actually be WS-Fed with ADFS, not SAML. Fortunately this is all easy to do and is the way ADFS or any other IdP is designed to work.

 

Here's an example of the user experience when deployed properly with two relying parties in ADFS. User goes to Sharepoint Online. Sharepoint Online redirects them to ADFS for login. User logs in to ADFS and is sent back to Sharepoint Online with an assertion. User now goes to Citrix which is protected by F5 as SAML SP. F5 as SAML SP redirects them to ADFS for authentication. User is already logged in at ADFS so ADFS generates an assertion and sends them back to F5 as SAML SP. F5 as SAML SP validates the assertion and grants access to Citrix.

 

Be sure to check out the new ADFS Proxy functionality in 13.1 with MS-ADFSPIP support. It can replace the WAP servers in front of your ADFS environment. You can use the same BIG-IP that you use for SAML SP in front of Citrix.