Jump to content
Welcome to our new Citrix community!

Citrix Receiver SAML Authentication with Netscaler and FAS


Recommended Posts

Hi All

 

I have configured FAS with ADFS for SAML login via Netscaler. I followed Carl's instructions at the following link.

https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

 

Everything work fine with these configurations. But I could also see that Citrix Receiver SAML Authentication is only supported directly by Storefront without Netscaler.

 

Is it possible to configure Netscaler so that SAML Authencitcation works with Citrix Receiver? Or is that not supported by Citrix.

 

Thank you for any tips.

 

Best regards

Sedric

 

Link to comment
Share on other sites

10 hours ago, Carl Stalhood1709151912 said:

The newest versions of NetScaler and Workspace app should support web-based authentication. What versions are you trying?

 

Now I updated my environment.

 

Netscaler: NS12.1 48.13.nc

Citrix Receiver: 18.10.0.20023 (1810)

 

If I configure the account in Citrix Workspace App I am receiving the following error:

Your account cannot be added using this server address

Link to comment
Share on other sites

2 hours ago, Srikanth Challa said:

@Sedric -

 

I would first suggest to check if the same works with browser and see at wat step it breaks. The error which you are getting looks to be the initial URL stage and before the authentication. Also try using HTML 5 and see the behavior.

 

 

Hi Srikanth

 

With the browser I never had this problem. Also the HTML5 Receiver works fine. 

I am always facing this problem while entering the netscaler gateway adress when I add a new account in Citrix Receiver.

As you say already in the url stage and before authentication.

 

Link to comment
Share on other sites

  • 3 weeks later...
  • 1 month later...

You need to set the SAML policy as an Advanced policy ie nFactor. So sadly you can't use the basic SAML policy. Once you get that set up Receiver should direct to the auth page as expected.  Here's some guidance to help get you going, this is assuming the only auth method is AzureMFA i.e. no next factors.

1 - Enable AAA if not already enabled

2 - Unbind your basic SAML policies from the Gateway

3 - Create the non-addressable Auth vServer. Some reference commands below:

add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

4 - Bind cert to the AAA vServer (can be same cert as your gateway)

bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

5 - Create authentication profile (links to the AAA, you will bind this to your Gateway)

add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

6 - Harden the AAA vServer (TLS, DHKey, hardened ciphers, disable SSL and TLS1.1/1.0

7 - Add the advanced auth policy, note that you can link it to the AzureMFA profile you presumably made earlier. Update the profile name in the command below. Instead of the rule you can use true, my use case needed to support site-specific as well as GSLB URLs for auth so I added logic based on hostname for the SAML policies

add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\”citrix.yourdomain.com\”)” -action AzureMFA_Profile

8 - Bind the auth policy to the AAA vServer

bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

9 - Bind the authentication profile to the Gateway

10 - test both web and Worspace App auth

 

Also, be sure to configure this on your StoreFront servers to avoid SmartCard logon errors after StoreFront timeouts when logging in via Gateway. Will require clearing client browser cache once implemented and propagated though.

https://support.citrix.com/article/CTX227673

Link to comment
Share on other sites

  • 9 months later...
On 1/30/2019 at 6:56 PM, Michael Shuster1709152649 said:

You need to set the SAML policy as an Advanced policy ie nFactor. So sadly you can't use the basic SAML policy. Once you get that set up Receiver should direct to the auth page as expected.  Here's some guidance to help get you going, this is assuming the only auth method is AzureMFA i.e. no next factors.

1 - Enable AAA if not already enabled

2 - Unbind your basic SAML policies from the Gateway

3 - Create the non-addressable Auth vServer. Some reference commands below:

add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

4 - Bind cert to the AAA vServer (can be same cert as your gateway)

bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

5 - Create authentication profile (links to the AAA, you will bind this to your Gateway)

add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

6 - Harden the AAA vServer (TLS, DHKey, hardened ciphers, disable SSL and TLS1.1/1.0

7 - Add the advanced auth policy, note that you can link it to the AzureMFA profile you presumably made earlier. Update the profile name in the command below. Instead of the rule you can use true, my use case needed to support site-specific as well as GSLB URLs for auth so I added logic based on hostname for the SAML policies

add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\”citrix.yourdomain.com\”)” -action AzureMFA_Profile

8 - Bind the auth policy to the AAA vServer

bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

9 - Bind the authentication profile to the Gateway

10 - test both web and Worspace App auth

 

Also, be sure to configure this on your StoreFront servers to avoid SmartCard logon errors after StoreFront timeouts when logging in via Gateway. Will require clearing client browser cache once implemented and propagated though.

https://support.citrix.com/article/CTX227673

I switched to advanced policy, however Workspace client still gives your account cannot be added using the server address. Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with normal Netscaler SAML/SF FAS configuration. 

Link to comment
Share on other sites

  • 2 weeks later...
On 1/30/2019 at 6:56 PM, Michael Shuster1709152649 said:

You need to set the SAML policy as an Advanced policy ie nFactor. So sadly you can't use the basic SAML policy. Once you get that set up Receiver should direct to the auth page as expected.  Here's some guidance to help get you going, this is assuming the only auth method is AzureMFA i.e. no next factors.

1 - Enable AAA if not already enabled

2 - Unbind your basic SAML policies from the Gateway

3 - Create the non-addressable Auth vServer. Some reference commands below:

add authentication vserver NSG_CTXGW_VS_AAA SSL 0.0.0.0

4 - Bind cert to the AAA vServer (can be same cert as your gateway)

bind ssl vserver NSG_CTXGW_VS_AAA -certkeyName yourcertkeypair

5 - Create authentication profile (links to the AAA, you will bind this to your Gateway)

add authentication authnProfile nFactor_AuthProfile_CTXGW -authnVsName NSG_CTXGW_VS_AAA

6 - Harden the AAA vServer (TLS, DHKey, hardened ciphers, disable SSL and TLS1.1/1.0

7 - Add the advanced auth policy, note that you can link it to the AzureMFA profile you presumably made earlier. Update the profile name in the command below. Instead of the rule you can use true, my use case needed to support site-specific as well as GSLB URLs for auth so I added logic based on hostname for the SAML policies

add authentication Policy AzureMFA_CTXGW_AAA_Policy -rule "HTTP.REQ.HEADER(\"Host\").CONTAINS(\”citrix.yourdomain.com\”)” -action AzureMFA_Profile

8 - Bind the auth policy to the AAA vServer

bind authentication vserver NSG_CTXGW_VS_AAA -policy AzureMFA_CTXGW_AAA_Policy -priority 100 -gotoPriorityExpression NEXT

9 - Bind the authentication profile to the Gateway

10 - test both web and Worspace App auth

 

Also, be sure to configure this on your StoreFront servers to avoid SmartCard logon errors after StoreFront timeouts when logging in via Gateway. Will require clearing client browser cache once implemented and propagated though.

https://support.citrix.com/article/CTX227673

 

I had this exact issue, followed these steps, and can confirm it is working now.

 

NetScaler Version: NS12.1 52.15.nc

Workspace Version: 19.9.0.21

 

Thanks!

Link to comment
Share on other sites

From my testing (Netscaler 12.1 51.19):

 

- With nFactor, Workspace works as expected (Now Android/iOS apps do not work correctly - Must be a recent app update, all methods worked about 3 months ago!)

- Go back to SAML basic auth on the Netscaler GW VS and Android/iOS current apps work fine (Never worked previously without nFactor), but workspace (Testing with 1909, might try a few older versions) no longer operates

 

Is anyone else experiencing this?

 

 

Link to comment
Share on other sites

On 11/6/2019 at 11:52 AM, dpalchu521 said:

I switched to advanced policy, however Workspace client still gives your account cannot be added using the server address. Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with normal Netscaler SAML/SF FAS configuration. 

 

 

12.1 upgrade fixed the issue with Citrix Workspace. 

Link to comment
Share on other sites

On 11/6/2019 at 11:52 AM, dpalchu521 said:

I switched to advanced policy, however Workspace client still gives your account cannot be added using the server address. Do you know if SAML authentication also needs to be configured on the StoreFront servers? The web client works fine with normal Netscaler SAML/SF FAS configuration. 

 

duplicate

Link to comment
Share on other sites

  • 2 weeks later...
On 11/20/2019 at 10:07 PM, ScubaMiike said:

From my testing (Netscaler 12.1 51.19):

 

- With nFactor, Workspace works as expected (Now Android/iOS apps do not work correctly - Must be a recent app update, all methods worked about 3 months ago!)

- Go back to SAML basic auth on the Netscaler GW VS and Android/iOS current apps work fine (Never worked previously without nFactor), but workspace (Testing with 1909, might try a few older versions) no longer operates

 

Is anyone else experiencing this?

 

 

I found the workaround for IOS client. You need to configure connection manually and specify Web Interface as option - not Access Gateway.

 

Update: works on Android without any modifications - just setting up new connection with URL. 

Edited by dpalchu521
Link to comment
Share on other sites

  • 2 months later...
17 hours ago, David Liu1709157371 said:

Which version did you have the problem with? What full version of 12.1 did you upgrade to?

Came from one of the latest 11.1 versions (11.1 62.8 i think) and moved to 12.1 54.13. So I am guessing its entire 11.1 not specific release.

Link to comment
Share on other sites

  • 8 months later...

Hi all, I followed this guide to the letter: https://www.mycugc.org/blogs/ryan-gallier/2019/05/02/the-complete-guide-azuread-saml-authentication

 

Plus I've followed Michael Shuster's his post, and confirmed it's basically the same thing as in the guide.

 

Through the web site everything works great but using workspace app I always get: your account cannot be added using this server address. With the Workspace App for Android it gives me Error Code 548. I've double checked this: https://support.citrix.com/article/CTX250706

 

My Citrix Storefront has the same base URL as the Netscaler vserver.

 

I've been trying all day, keep getting the error.  I hope anybody has any clue.

 

Thanks!

 

Btw using Netscaler NS13.0 58.32.nc and Storefront 1912 LTSR CU1.

 

 

Edited by mkools
Link to comment
Share on other sites

  • 1 month later...
  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...