Navigation
Overview
Citrix Federated Authentication Service enables users to login to NetScaler Gateway and StoreFront using SAML authentication.
Citrix Federated Authentication Service uses Microsoft Certificate Authority to issue certificates on behalf of users. These certificates are used for the StoreFront and Virtual Delivery Agent logon process.
Requirements:
- Microsoft Certificate Authority in Enterprise mode
- XenApp/XenDesktop 7.9
- StoreFront 3.6
- NetScaler Gateway
- Receiver for Web only. Receiver Self-Service doesn’t support web-based authentication.
Install Service and Configure
The service should be installed on a secure, standalone server that does not have any other Citrix components installed.
- On the Federated Authentication Service server, go to the XenDesktop 7.9 ISO and run AutoSelect.exe.
![]()
- On the bottom right, click Federated Authentication Service.
![]()
- In the Licensing Agreement page, select I have read, understand, and accept the terms of the license agreement and click Next.
![]()
- In the Core Components page, click Next.
![]()
- In the Firewall page, click Next.
![]()
- In the Summary page, click Install.
![]()
- In the Finish Installation page, click Finish.
![]()
- On the StoreFront 3.6 server, run the following command:
& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
- Run the following command:
Set-DSClaimFactoryName -siteId 1 -virtualPath /Citrix/Authentication -factoryName "FASClaimsFactory"
- Run the following command. Adjust the store name as required.
Set-DSVdaLogonDataProviderName -SiteId 1 -VirtualPath /Citrix/Store -VdaLogonDataProviderName "FASLogonDataProvider"
- If you have multiple StoreFront servers, Propagate Changes.
- On a Delivery Controller, run the following commands:
asnp citrix.* Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
- On the Federated Authentication Service server, browse to C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Copy the file and folder.
![]()
- Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the file and folder. If this path doesn’t exist, then copy them to C:\Windows\PolicyDefinitions.
![]()
- Edit a GPO that applies to all StoreFront servers, all Federated Authentication Service servers, and all VDAs.
- Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication.
- Edit the setting Federated Authentication Service.
![]()
- Enable the setting and click Show.
![]()
- Enter the FQDN of the Federated Authentication Service server.
- Click OK twice.
![]()
- On the Federated Authentication Service server, run gpupdate.
![]()
- From the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
![]()
- The Federated Authentication Service FQDN should already be in the list (from group policy). Click OK.
![]()
- In Step 1: Deploy certificate templates, click Start.
![]()
- Click OK to add certificate templates to Active Directory. Sufficient permission is required.
![]()
- In Step 2: Setup Certificate Authority, click Start.
![]()
- Select a Certificate Authority to issue the certificates and click Ok.
![]()
- In Step 3: Authorize this Service, click Start.
![]()
- Select the issuing Certificate Authority and click OK.
![]()
- Go to the Certificate Authority Console > Pending Requests. Find the pending request and Issue it.
![]()
- In a minute or two, Federated Authentication Service will recognize the issued certificate and Step 3 will turn green.
![]()
- Switch to the User Rules tab.
- Use the Certificate Authority drop-down to select the issuing Certificate Authority.
- Use the Certificate Template drop-down to select the Citrix_SmartcardLogon template.
- Click Edit next to List of StoreFront servers that can use this rule.
![]()
- Remove Domain Computers from the top half and instead add your StoreFront servers. You could add an Active Directory security group instead of individual StoreFront servers.
- On the bottom half, make sure Assert Identity is Allowed. Click OK.
![]()
- By default, all users and all VDAs are allowed. You can click the other two Edit boxes to change this.
![]()
- When done, click Apply.
![]()
- Click OK when Rule updated successfully.
![]()
- To further restrict who can be issued certificates, go to your Certificate Authority’s Properties and use the Enrollment Agents tab to restrict enrollment agents.
![]()
![]()
SAML on NetScaler Gateway
- Export the signing certificate from your SAML iDP.
![]()
- Import the SAML signing certificate (without private key) to NetScaler. NetScaler uses this certificate to sign the SAML authentication request.
![]()
![]()
- Import a certificate with private key for SAML assertion verification. You’ll also need to import this certificate (without private key) on your SAML iDP. The SAML iDP will use this certificate to sign the SAML assertions. NetScaler will then use the private key to verify the SAML signatures.
![]()
- Go to NetScaler Gateway > Policies > Authentication > SAML > Servers and click Add.
![]()
- Enter the information for authenticating with SAML. This configuration will vary depending on your SAML iDP.
- Select the SAML iDP’s certificate that NetScaler will use to sign SAML authentication requests.
- Enter the URL to the SAML iDP’s authentication page. NetScaler Gateway will redirect users to this URL.
- Select the certificate that the SAML iDP will use to sign SAML assertions. NetScaler uses the private key to verify the signature.
- Enter an Issuer Name that the SAML iDP is expecting for the Relying Party.
- Click Create when done.
![]()
- On the right, switch to the Policies tab and click Add.
![]()
- Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
![]()
- Edit your Session Policy/Profile. On the Published Applications tab, make sure Single Sign-on Domain is not configured.
![]()
- Edit your Gateway Virtual Server. Go to the Authentication section and add a policy.
![]()
- Bind the SAML policy. This is the only authentication policy you need. You can remove all other authentication policies.
![]()
- In StoreFront 3.6, right-click the store and click Manage Authentication Methods.
![]()
- Make sure Pass-through from NetScaler Gateway is selected.
- Click the gear icon on the right and click Configure Delegated Authentication.
![]()
- Check the box next to Fully delegate credential validation to NetScaler Gateway and click OK.
![]()
- In StoreFront, add a NetScaler Gateway object that matches the NetScaler Gateway Virtual Server that has SAML enabled.
![]()
- On the Authentication Settings page, make sure you configure a Callback URL. It won’t work without it.
![]()
- Then assign (Configure Remote Access Settings) the Gateway to your Store.
![]()
