Citrix Federated Authentication Service Integration with APM
Introduction
This guide will cover how to use APM as the access gateway in front of Storefront when using Citrix FAS. This will enable you to leverage authentication methods like SAML, Kerberos, or NTLM on the client side. Note that almost any auth method can be supported via Receiver for web, but Receiver self-service does not support some auth methods such as SAML.
Deploy Citrix Federated Authentication Service
Now you’ll need to deploy Citrix Federated Authentication Service (FAS). Deployment of FAS is out of scope for this article, but as there are many parts I found the following guide from Carl Stalhood very helpful: http://www.carlstalhood.com/citrix-federated-authentication-service-saml.
Ignore the section “SAML on Netscaler Gateway” since you’re going to deploy APM instead, but don’t miss that last section “Configuring Storefront for SAML Gateway”. When configuring Storefront anywhere it requests the Netscaler Access Gateway address you’ll use the FQDN you intend to use for your virtual server on Big-IP (how users will access Storefront). Examples include the callback URL field when configuring the authentication and when configuring the Netscaler gateway.
Before proceeding, you should be able to go direct to the Storefront server, log in, and be able to launch an application successfully. There can still be misconfigurations that prevent access through an access gateway, but you will have fewer areas left as problems.
You must use an Enterprise CA, otherwise on the CA you will see pending certificates not getting approved automatically and you will be unable to launch apps.
Also note that if you have previously made configuration modifications usually needed for earlier versions like Citrix 6.5, such as host file entries, those should be removed prior to proceeding. For correct operation of FAS, DNS needs to be setup properly which may include setting up PTR records.
Create the SAML SP
In the Big-IP GUI go to Access Policy -> SAML -> Big-IP as SP and click create. You’ll create an SP config and for the entity ID in the format https://my-vs-fqdn.domain.com. All the rest can be left default.
Now you’ll need to setup your IdP Connector. This could be another Big-IP APM, ADFS, Okta, or any other IdP service. You can import the metadata if available or you can manually configure it. Configuring the IdP connector is out of scope for this article, but after configuring it, you’ll select your SP and click the “Bind/Unbind IdP Connectors” button, “Add New Row”, select it from the drop down as the SAML IdP Connector, then click Update, OK.
Note that you can bind multiple IdP connectors here if there are multiple IdPs. You need to set a matching source (variable) and the matching value that should cause use of that IdP. A common solution might be %{session.server.landinguri} for the source and /customer1 for the matching value to go to customer 1’s IdP.
Now you’ll see this on the SP configuration page.
Your IdP should be setup to send either the user’s userPrincipalName or sAMAccountName as the NameID. This should match either the userPrincipalName or sAMAccountName of the user account in the AD domain used by Citrix that you want the user logged in as. Carl Stalhood’s guide linked above provides an example configuring the ADFS IdP and he is using userPrincipalName.
Note that if you decide to use alternate UPNs (not matching your AD domain name) for your users you will also need to enable those domains in “Trusted Domains” on your Storefront server.
Deploy the iApp
Now we can move on to deploying APM as your access gateway. First, deploy the latest iApp. At the time of writing this article, that’s version 2.4.0. When deploying the iApp you’ll need to answer the following questions as shown:
You’ll need to specify your STA servers:
Finally, pay special attention to the DNS name you’re going to have clients use. This should be the same as you used in the Citrix Storefront configuration earlier and the SAML configuration later. This is how users are going to access the deployment.
Now you have the iApp for Citrix deployed, but it’s using the default forms based authentication. You need to customize the authentication method. This guide will help you deploy SAML authentication, but as mentioned you could use NTLM, Kerberos, or another authentication method.
Before proceeding you need to verify that the certificate you’ve selected is valid. If it is not, SSO will fail when Storefront tries to callback to the virtual server and the user will get the error “Cannot Complete Your Request”. You can browse to the FQDN you entered from the Storefront server to make sure you don’t get certificate errors. Normally you would use a publicly signed certificate and that will work fine (but don’t forget the chain). If it’s an internally signed certificate, your Storefront server needs to trust it as well.
Modify the iApp’s APM Policy
By default the policy looks like this:
We need to modify it to look like this:
To modify the policy you will need to turn off “strict updates” on the iApp:
Note that in this case we aren’t modifying the Receiver branch because Receiver doesn’t support SAML authentication. You could just change it to deny receiver clients if desired.
First remove the Logon Page, AD Authentication, and SSO Credential Mapping objects from the Browser branch.
Next add a SAML Auth object right before the Session Variable Assign object (plus sign, Authentication tab, SAML Auth). Select the SP you configured earlier.
Next, open the Session Variable Assign. You need to add a new entry, and set session.logon.last.username to equal the session variable session.saml.last.nameIDValue. Notice that the domain and sta_servers variables were set here already, those were done by the iApp.
Here is what creating that looks like:
Now your policy should look like the one above.
Be sure to click Apply Policy in the top left.
Test
And finally you should be able to browse to the FQDN of your new virtual server, be redirected to your SAML IdP for authentication, then get redirected back and SSO’ed in to your Citrix environment. You should be able to see the Storefront catalog and launch an application
Updates
12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment
- dromerotNimbostratus
Hi,
I'm not able to pass SSO to Storefront. I don't see any traffic from APM to Storefront. Only health check traffic. I see the log "Following rule 'fallback' from item 'Session Variable Assign' to ending 'Allow'" but I don't see any packet from APM to Storefront.
However, I can see the right SAML Assertion and the right username got from IdP in the APM.
On the other hand, I see an iRule in the Virtual Server, which has been added automatically with the iApp and I don't know if I have to delete it.
Thanks, best regards.
- stigNimbostratus
Any update on whether or not the Citrix Workspace APP will work with SAML and APM?
Cheers
- dluzziNimbostratus
Hello,
just wondering if anyone has gotten SAML working with the new workspace app. It looks like its finally supported with a netscaler and FAS, but havent been successful trying to get the same with APM.
- Manuel_Cristob2Nimbostratus
Thanks again
We will try the cipher selection as we have the VIP's SSL profile for the front end pretty secured.
Then if still we have a no go,,,We will create a new VIP just for CALLBACKURL ( a mirrored config from the front end VIP/SAML SP)
Regards
Manuel
- Graham_Alderso1Employee
Double check that you completed every step in the section "StoreFront Config for SAML NetScaler Gateway" on Carl Stalhood's FAS setup guide that I linked above. Usually this is caused by missing a step. An alternative that I have seen is where the VIP is not accessible (or internal DNS doesn't point to the VIP) so the callback fails. Storefront logs will tell you this.
If you disable APM for the calls from Storefront as it sounds like you've done, then your callback will definitely fail because the BIG-IP doesn't know how to process the callback. This has been deployed widely and no disabling of APM is necessary for the callbacks (and would actually break it as noted).
If for some reason you can't allow Storefront to talk to the VS on an external interface, you can stand up another VS on the internal interface on a new IP and either use internal DNS or HOSTS file on the Storefront server to point the DNS name at that internal side VS. The VS should be setup exactly the same as the regular one, all the same profiles.
I have also seen this occur due to cipher selections, where custom high security cipher selections were used on the BIG-IP and the Storefront server could not negotiate them.
- Manuel_Cristob2Nimbostratus
Thanks Graham,,
We see the successful SAMl assertion from ADFS for NameID=emailaddress however the Storefront does not trust the F5 as a federated gateway as the callback URL renders a 404 page not found from the F5.
The CallBACK URl that we are using points to the F5 VIP... (matches F5 VIP ip)/CitrixAuthService/AuthService.asmx.
We had to create and deploy and irule at the VIP that disables the policy when the F5 sees such HTTP request otherwise, we were getting redirected to the SAML IDP for such HTTP/URI request,,,
Obviously, the F5 will reach the Storefront farm via the Floating ip and not the VIP -so we tried using a FQDN that points to the Floating ip instead of the VIP IP for the CALLBACK URL but no luck.
I am assuming that the URI in the CALLBACK URL or /CitrixAuthService/AuthService.asmx should only render a simple HTTPs handshake so the Certificate from the F5 is trusted by the Storefront as part of the gateway verification/validation process.
My next step will be to configure a separate VIP listening to SSL and rendering Client SSL profile with the Cert needed for Storefront verification that is not the VIP or the floating ip and after that -point the CALLBACK URL to this new vip. If this does not work we will upgrade to version BIGIP 12.1.3 We are running Storefront version 3.13.
Thanks again
Manuel
- Graham_Alderso1Employee
It sounds like your problem might be with ADFS federation to APM, not the Citrix use case this article covers. I've successfully federated APM with ADFS in BIG-IP v11, v12, and v13. For this particular Citrix use case, I believe it was v12.1 I validated it against, but can't think of a reason it wouldn't work on an earlier version.
It's probably worth double checking that you're running the latest release of whatever version you're on so that you have all the current patches (currently v11.5.5, v11.6.3, v12.1.3, v13.1.0). See here: https://support.f5.com/csp/article/K2200.
- Manuel_Cristob2Nimbostratus
Hi Graham
Whats the F5 version that we must run for this deployment? We seem to get stuck when the Storefront tries to validate the F5 as a trusted gateway via this URI...
/AuthService/Auth,,,asmx
Any ideas?
much appreciated
- Graham_Alderso1Employee
I have never needed to add that manually with ADFS. I suspect that there was an error and the ADFS response is indicating the error instead of including an assertion and AuthenticationStatement. BIG-IP might then complain about the missing AuthnInstant, but that's just a symptom of the entire AuthenticationStatement missing. You can look for a StatusCode at the end of the SAML (Use SAML Chrome Panel or Firefox SAML Tracer to see the SAML), it should say success and there should be an assertion, if it's anything else then there is a configuration problem. You can review StatusCode messages here: https://msdn.microsoft.com/en-us/library/hh269642.aspx
Another thing to double check while you're at it is whether the time is in sync between BIG-IP and ADFS.
If you want to try adding the AuthnInstant manually (again, I've never needed this), it might be something like this: Transform: Authentication Time Stamp -> Authentication Time Stamp Transform: Authentication Method -> Authentication Method
- ncartaya99_3514Nimbostratus
Hi Graham, I'm working with Manuel on the SHarePoint/Citrix SAML use case described above. When I look at the Session logs in the F5 and look at my session, I see the following error "SAML Agent /Common/Eaglestorefront-final_act_ag_SAML assertion is invalid error AuthenticationStatement must have AuthnInstant attribute". The claims rule in ADFS is set to map User-Principal-Name to Name ID. Do I need an additional claims rule for the AuthnInstant attribute in ADFS or is this attribute set in the F5 SP?