Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

Citrix access using SAML


Is it possible to perfom SSO into CItrix when AZURE SAML to authenitcate to the F5. All the docs, guides or bits and pieces I have found that reference passwordless envolves using smartcard.


I have seen some references pointing to an additional SAML connection to the storefront but everything I have found seems to be pretty vague. Any tips, guidance, references would be gratly appreciated.






So Azure AD is your SAML IdP and the F5 is your SAML SP and you want the Citrix Storefront to be another SAML SP of Azure AD?


If the F5 and Citrix are SP on the same SAML IdP Azure AD this should work but if you want the F5 to use username/password for SSO then reserch how Azure AD can return the SAML username and password to to the F5 SAML SP as saml attributes in the assertion so it can use it to SSO in the Citrix if that is possible.  Still I do not know if the userame and password can be inserted by the Azure AD as F5 IdP supports this but for Azure you have to check.

Thanks for the info.  To clarify, I do not wish to continue using username and pass.  We are testing AzureAD as our IDP and the F5 as the SP (which is working) but we are having issues authenticating to our Citrix storefront.  You cannot pass the password from AzureAD as a SAML attribute ( and I would never want to hand around a pw in a SAML attribute anyways)

I would think that I would have to do a Kerb or another SAML which I have tried but I cannot seem to get this to work.  Looking for someone who has this working in their environment. 

Have tried to also add the Citrix storefront to the Azure AD?


Also without F5 APM having username or password I agree that F5 Kerberos SSO could be the only way with ssl client check so that F5 APM can extract the username from the client SSL certificate as this is needed for UPN:




If Azure AD has a way to send the username/email as attribute this will make the client ssl cert not needed.


Also take a look of this article if it helps: