18-Jan-2022 15:18
Is it possible to perform SSO into Citrix when using Azure SAML to authenticate to the F5? All the docs, guides or bits and pieces I have found that reference passwordless involve using a smartcard.
I have seen some references pointing to an additional SAML connection to the Storefront, but everything I have found seems to be pretty vague. Any tips, guidance or references would be greatly appreciated.
26-Jan-2022 01:25
So Azure AD is your SAML IdP and the F5 is your SAML SP and you want the Citrix Storefront to be another SAML SP of Azure AD?
If the F5 and Citrix are SPs on the same SAML IdP (Azure AD) this should work, but if you want the F5 to use username/password for SSO then research how Azure AD can return the SAML username and password to the F5 SAML SP as SAML attributes in the assertion, so it can use them to SSO into Citrix, if that is possible. Still, I do not know if the username and password can be inserted by Azure AD; the F5 IdP supports this, but for Azure you have to check.
https://community.f5.com/t5/technical-forum/saml-auth-with-logon-page/td-p/90217
26-Jan-2022 07:54
Thanks for the info. To clarify, I do not wish to continue using username and password. We are testing AzureAD as our IDP and the F5 as the SP (which is working), but we are having issues authenticating to our Citrix Storefront. You cannot pass the password from AzureAD as a SAML attribute (and I would never want to hand around a password in a SAML attribute anyway).
I would think that I would have to do Kerberos or another SAML, which I have tried, but I cannot seem to get this to work. Looking for someone who has this working in their environment.
26-Jan-2022 08:35 - edited 26-Jan-2022 12:29
Have you also tried adding the Citrix Storefront to Azure AD?
https://support.citrix.com/article/CTX220638
Also, without F5 APM having a username or password, I agree that F5 Kerberos SSO could be the only way, with an SSL client certificate check so that F5 APM can extract the username from the client SSL certificate, as this is needed for the UPN:
https://support.f5.com/csp/article/K59350434
https://support.f5.com/csp/article/K08200035
Edit:
If Azure AD has a way to send the username/email as an attribute, this will make the client SSL cert unnecessary.
Also take a look at this article if it helps:
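The point made in the last two posts is that the SP only needs an identity claim (the UPN) from the assertion, never a password, to drive Kerberos SSO into StoreFront. The following is an added example, not code from the thread, from F5 or from Citrix: it parses a constructed, unsigned SAML 2.0 assertion in the shape Azure AD emits, pulls the UPN claim (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` is the standard Azure AD claim URI; the tenant ID in the Issuer is a placeholder), refuses assertions that carry credential-like attributes, and derives the Kerberos principal an SP would use for constrained delegation. Function names and the sample assertion are the example's own. It deliberately does not verify the XML signature, Audience or validity window; a real SP must do all of that before trusting a single attribute.

```python
"""Added example: extract the SSO identity (UPN) from a SAML 2.0 assertion.

Constructed input, no signature validation. This is what an SP like APM
needs from the IdP before it can do Kerberos (KCD) SSO on the user's
behalf: an identity, not a password.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard Azure AD claim URI for user.userprincipalname.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Attribute names an SP should never accept from an IdP.
CREDENTIAL_MARKERS = ("password", "passwd", "pwd")

# Constructed sample assertion (unsigned, placeholder tenant ID).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2022-01-26T08:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), attrs


def credential_like(attrs):
    """Names of attributes that look like they carry a secret."""
    return [n for n in attrs if any(m in n.lower() for m in CREDENTIAL_MARKERS)]


def sso_identity(assertion_xml):
    """The single UPN the SP will impersonate for Kerberos SSO.

    Raises ValueError if the assertion smuggles credentials or does not
    carry exactly one well-formed UPN claim.
    """
    _name_id, attrs = parse_attributes(assertion_xml)
    bad = credential_like(attrs)
    if bad:
        raise ValueError("assertion carries credential-like attributes: %s" % bad)
    upn_values = attrs.get(UPN_CLAIM, [])
    if len(upn_values) != 1 or "@" not in upn_values[0]:
        raise ValueError("exactly one UPN attribute of the form user@domain is required")
    return upn_values[0]


def kerberos_principal(upn):
    """user@domain -> user@REALM (Kerberos realms are upper-case by convention)."""
    user, _, domain = upn.partition("@")
    return "%s@%s" % (user, domain.upper())


if __name__ == "__main__":
    upn = sso_identity(SAMPLE_ASSERTION)
    print("UPN from assertion:", upn)
    print("Kerberos principal for KCD:", kerberos_principal(upn))
```

The UPN must match the sAMAccountName/UPN of the account the Kerberos KDC knows, which is why the thread keeps coming back to either a UPN claim from Azure AD or a UPN pulled from a client certificate: without one of those the SP has nothing to obtain a service ticket for.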