APM SAML CITRIX Stroefront

Dathi · ‎30-Sep-2020

Using APM as SAML SP with external Idp connector ADFS.

Followed this article https://devcentral.f5.com/s/articles/citrix-federated-authentication-service-integration-with-apm-24489:

F5 is passing the logonpage to ADFS but not able to pass SSO to Storefront.

APM logs show " Could not find SSO username, check SSO credential mapping agent.

boneyard · ‎04-Oct-2020

can you confirm session.saml.last.nameIDValue i assigned the correct value?

Dathi · ‎06-Oct-2020

yes it does. Its the the username I used to login.

boneyard · ‎10-Oct-2020

weird, does the storefront side show something useful, like the username or a hint on a bad password?

Dathi · ‎12-Oct-2020

It does not go that far. After authenticating at ADFS page , the next page it lands is the storefront logon page with the username in the username field and empty password. It seems as if , its waiting on use to enter the pwd and click LOGON.

boneyard · ‎19-Oct-2020

most likely because it doesnt appear to the have the username ready, but that is difficult to check via a questions section like this, i would engage F5 support by now. easier to check things for them in a live enviroment.

Dathi · ‎19-Oct-2020

Thank you yes , I support is involved but they are unable to determine where the problem is. I am not a SAML expert but from what I know, SAML just passes or should pass a token to the citrix storefront. I cannot see where the disconnect is.

boneyard · ‎19-Oct-2020

i saw another question which triggered something.

which SSO method are you using currently? because if you get a username and password login that will logically fail i believe. you dont pass on the SAML assertion, that gets accepted by big-ip which then has to do passwordless SSO i believe, so Kerberos for example.

Dathi · ‎19-Oct-2020

the goal is to use SAML and my APM looks like this.

boneyard · ‎19-Oct-2020

yeah, sorry got confused, you did configure your Citrix Federated Authentication Service (FAS) as described at the start of the article you link at the start?

Dathi · ‎19-Oct-2020

Yes, its configured. But it only comes into picture when the user attempts to launch an app after successful SSO'ing to storefront. In my case, the SSOing is not happening from F5 APM to Storefront.

dromerot · ‎15-Dec-2020

Hi Dathi,

Have you able to pass SSO to Storefront? I don't see any traffic from APM to Storefront. Only health check traffic. I see the log "Following rule 'fallback' from item 'Session Variable Assign' to ending 'Allow'" but I don't see any packet from APM to Storefront.

However, I can see the right SAML Assertion and the right username got from IdP in the APM.

Thanks, best regards.

Dathi · ‎15-Dec-2020

No, actually, it stands as is. F5 tech support was not able to determine the flow or the bottleneck. I am still looking for answers.

dromerot · ‎15-Dec-2020

Hi Dathi,

Thanks.

On the other hand, I see an iRule in the Virtual Server, which has been added automatically with the iApp and I don't know if I have to delete it.

I've read in the link you posted "12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment".

Maybe we have to delete this iRule! I don't know!

Thanks, best regards.

Dathi · ‎15-Dec-2020

There wasn't any irule set automatically.

dromerot · ‎16-Dec-2020

OK Dathi,

I've deployed the iApp Citrix VDI 2.4.6 and it set an iRule automatically to the Virtual Server. It is this one:

Dathi · ‎22-Dec-2020

Yes, I see this as well but removing this has also not helped.

dromerot · ‎17-May-2021

Hi Dathi,

Did you manage to pass SSO to Storefront?

I think, we have to send "session.saml.last.nameIDValue" to STF but I don't know if we have to send it via HTTP Header or POST.

Thanks, best regards.

Tinkerer · ‎24-Sep-2021

I was wondering the same thing. We've run into the same issue.

Thanks.

Tinkerer · ‎19-Oct-2021

We are having the same issue.

boneyard · ‎07-Nov-2021

exactly the same?

what have you already tried?

do you have any experience with SSO from APM?

Rob_Young · ‎19-Jan-2022

Looking for assistance on this as well. We are currently testing AzureAD SAML to our APM (which works) but now we would like to login to our citrix enviornment. doesnt matter if it is f5 webtop or storefront. I have even setup FAS (which works internally). I just cannot figure out how to authenticate to our CItrix environment. Any guidance would be appreciated.

Dathi · ‎20-Jan-2022

I opened a ticket with Citrix and they claim that F5 as SAML idp will not work with storefront. But I am still not convinced. There may be other people who might have got it working.

Rob_Young · ‎26-Jan-2022

Citrix doesnt actually support F5 APM and have stated for years that it is an unsupported configuration so you won't get help from that side.

Let me know if you make any progress. I am currently in the same boat. It would be nice if F5 came out with a guide on this config.

Dathi · ‎08-Mar-2022

was anyone able to get this working ?

DevCentral

APM SAML CITRIX Stroefront

MFA required on DevCentral