Citrix Federated Authentication Service Integration with APM

Introduction This guide will cover how to use APM as the access gateway in front of Storefront when using Citrix FAS. This will enable you to leverage authentication methods like SAML, Kerberos, o...
Published Dec 19, 2016
Version 1.0
access gateway
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
citrix
federated authentication service
kerberos
saml
security
Manuel_Cristob2's avatar
Manuel_Cristob2
Icon for Nimbostratus rankNimbostratus
Feb 23, 2018

Thanks Graham,,

 

We see the successful SAMl assertion from ADFS for NameID=emailaddress however the Storefront does not trust the F5 as a federated gateway as the callback URL renders a 404 page not found from the F5.

 

The CallBACK URl that we are using points to the F5 VIP... (matches F5 VIP ip)/CitrixAuthService/AuthService.asmx.

 

We had to create and deploy and irule at the VIP that disables the policy when the F5 sees such HTTP request otherwise, we were getting redirected to the SAML IDP for such HTTP/URI request,,,

 

Obviously, the F5 will reach the Storefront farm via the Floating ip and not the VIP -so we tried using a FQDN that points to the Floating ip instead of the VIP IP for the CALLBACK URL but no luck.

 

I am assuming that the URI in the CALLBACK URL or /CitrixAuthService/AuthService.asmx should only render a simple HTTPs handshake so the Certificate from the F5 is trusted by the Storefront as part of the gateway verification/validation process.

 

My next step will be to configure a separate VIP listening to SSL and rendering Client SSL profile with the Cert needed for Storefront verification that is not the VIP or the floating ip and after that -point the CALLBACK URL to this new vip. If this does not work we will upgrade to version BIGIP 12.1.3 We are running Storefront version 3.13.

 

Thanks again

 

Manuel