its synced to data centres A through C e.t.c) enabling access to any type of app fronted by NetScaler Unified Gateway working inline with FAS. Utilising the Federation Authentication Service or FAS for short which is part of XenApp and XenDesktop (see feature matrix – ) in-line with NetScaler UG enables organisations to solve numerous problems about identity (where is lives vs. ShareFile can help in solving your data mobilisation problems which I will follow up in a separate blog article in the future to expand upon this, but for now back to SAML and Identity. įor me as organisations begin shifting to a Cloud native or Cloud First (i prefer hybrid cloud) stratergy they begin too embrace PaaS e.g Citrix Cloud, Office 365 BUT a common major problem is where does the users identity live and do I need replicate it (read-only, passwd hashes e.t.c) and secondly mobilising of data repositories is another major requirement vs.
Wikipedia definition – and Google’s definiton –. NETSCALER UNIFIED GATEWAY – nug or netscaler ug SECURITY ASSERTION MARKUP LANGUAGE – saml The views expressed here are my own and do not necessarily reflect the views of Citrix. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The credentials are sent via JSON with masked credentials.Īfterwards NetScaler sends the normal GET request for Receiver for Web UI.The following content is a brief and unofficial prerequisites guide to setup, configure and test accessing virtual apps and desktops authenticated via SAML IdP (Google OAuth) powered by XenApp & XenDesktop 7.14.1+ and NetScaler Unified Gateway 11.1 prior to deploying a PoC, Pilot or Production environment by the author of this entry. Once you click log on, the security logs of StoreFront show the new logon as below.Īt an HTTP level, NetScaler sends a POST to StoreFront.
The logon screen is rendered by NetScaler using RfWebUI or whichever theme you use. Now test logons by browing to the NetScaler Gateway URL. Click Create.īind the Authentication Profile to your NetScaler Gateway virtual server. Under Authentication Host enter anything. Next navigate to Security -> AAA – Application Traffic -> Authentication Profile -> Add.Įnter a name and choose your AAA vServer under Authentication Virtual Server. Select your StoreFront authentication policy and click Bind. Finish creating the AAA vServer. This is just to mark the Virtual Server as UP. The virtual server does need a certificate, but it can be any certificate. The server does not need an IP so use Non Addressable as the IP type and click OK. Enter an appropriate expression and click Create. Navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Authentication Policies -> Add.Įnter a name, choose Action Type StoreFrontAuth and use the drop-down to select your recently created StoreFront authentication action. For domain, enter your domain NETBIOS name. Click Retrieve Auth Enabled Stores and use the drop-down to select the specific Store you wish to use. To get started navigate to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Actions -> StoreFrontAuth -> Add.Įnter a name and the URL to your StoreFront server.
Otherwise, for manual configuration read on. When running through the XenApp and XenDesktop or Unified Gateway wizards on NetScaler, you are presented with the option to automate configuration by checking Use this StoreFront for Authentication. NetScaler sends credentials to StoreFront in JSON format.
Impersonation is used by StoreFront to log on the user connecting through NetScaler Gateway. You must also have StoreFront 3.11 or above, and use Citrix Receiver 4.4 and above if not authenticating via Receiver for Web. To send authentication requests to StoreFront, we must use an AAA virtual server which requires NetScaler Enterprise licensing. As of NetScaler 12.0 build 51.24 authentication to NetScaler Gateway virtual servers can be performed by StoreFront rather than LDAP.