I have configured SAML auth with AzureAD with APM and the StoreFront web interface with no issues. I'm wondering if anyone has tried getting the local Receiver/Workspace app to work? It looks like the local client now supports SAML auth coming from a NetScaler; however, I'm not sure if APM can trigger the app to redirect it to Azure to log in.
I have tested with Workspace app 1902, which does support SAML from Citrix Cloud/NetScaler. I copied the settings from the web interface to Receiver after the pre-check, but it doesn't redirect to Azure; it just gets a normal login prompt.
Sorry, I realized that last reply wasn't that clear. So here is the policy I'm trying:
So through the browser SAML works fine.
When connecting via the Workspace/Receiver app (I tried both the latest Receiver version and the latest Workspace version), it fails and just gives the app's login prompt for username and password. I do have a test cloud account and was able to get it to work through there with the same Workspace/Receiver app, so I'm guessing there is more to it that APM would need to trigger the app to redirect to the SAML IP to log in.
I am trying to get SAML auth with ADFS (on prem) to StoreFront. My policy looks as below.
For some reason, upon entering my FQDN, it rightly gets authenticated on ADFS and then stops at the StoreFront logon page. It does not SSO into it.
Not sure what might be the issue. Could you think of anything?
Did anyone solve this?
We're having almost the same setup. On prem farm with Storefront, behind F5 APM and ADFS as IDP, and Citrix FAS to support certificate logon.
Web access works flawlessly, and Citrix Workspace App with username/password also works, but we would like to have the same logon through ADFS and SAML with MFA for the Workspace App, because of the risk of only using simple username/password domain logon from the Internet.
I think the problem is in APM and that the policy doesn't trigger a redirect in the App, but I'm not sure.
I know Citrix doesn't support the solution with F5 APM, but has anyone managed to solve this?
Best regards, Niklas
To save anyone else any frustration with this topic, I had it confirmed as of July '23 (and not likely to change): only the browser, and not the Citrix client, is supported with this method of authentication.