
Netscaler SAML authentication


Hello all,


Scenario what I have:

- the Netscaler Gateway (with ICA proxy) is configured with SAML authentication, where Azure MFA is the Identity Provider. So in other words: the users access the Netscaler Gateway URL, after which they are redirected to the Azure MFA service for authentication. After successful authentication they get back to the Netscaler Gateway, so they can see the Storefront web with the enumerated applications/publications.

There are several domains, with two-way trust configured among them. The Citrix servers are in one domain "A", but the users are from other domains "B", "C", ...

- all that above works until now.



- but then, when the users click on an application/desktop, they are prompted for windows logon again. SSO into the application does not work.

After some investigation it looks like the username is sent to the ICA session without the domain, which is a problem, because Citrix XenApp does not know which domain should be used to authenticate the users.

Is it possible anyhow to determine or specify, what domain attribute (like sAMAccountName or userPrincipalName) will be used for single sign on after the user launches published Desktop or app? When LDAP policy would be used, then it is simple, but how to set it up when SAML is used?


What I tried:

- I configured secondary LDAP with "Authentication" disabled - did not help

- I configured LDAP with "Authentication" disabled as the Primary policy together with SAML at the end - did not help

- I configured attributes in the SAML server configuration, but that did not help either


Thanks for any advice.


  • 1 month later...

... just to finish that topic:

- finally it was not an issue as such. The situation is simple, though that information could not be clearly found anywhere in the Citrix docs: "Single Sign On" does not work from the Netscaler to the VDA (or published desktop/app) when the NS is configured as a SAML Service Provider.

Maybe many people know that, but I did not. I believed that the Netscaler should obtain the username and password from the IdP for SSO to Storefront, but now I see that the NS obtains just the username, which is enough for Storefront SSO; it does not need the password.


So the solution for me is to install Citrix FAS to enable SSO from the Netscaler to the VDA / published apps and desktops.


NOTE: anyway, thanks to Carl, who pointed me to that idea.
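To make the point of this thread concrete: a SAML service provider only ever receives identity claims from the IdP, so the most it can do for a downstream system is pick which attribute carries the user (and, in a multi-domain forest, which part of that value names the domain). The following is an added example, not Citrix or Netscaler code, that parses a constructed SAML assertion with the Python standard library and selects a login identity from a domain-qualified attribute. The issuer, user, domain and attribute names are assumed sample values; the UPN claim URI is the one Azure AD commonly emits.

```python
"""Parse a constructed SAML assertion and derive (user, domain) from it.

Added example, not code from the original post or from Citrix.
Shows what an SP actually gets: identity attributes, never a password.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URI Azure AD commonly uses for userPrincipalName.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample assertion (signature and conditions omitted for brevity).
# Issuer, user and domain names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample-id" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@domainb.example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="samaccountname">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return the NameID and a dict of attribute name -> list of values."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attrs,
    }


def pick_login_identity(parsed, preferred_attr):
    """Pick the value of preferred_attr (falling back to NameID) and split it
    into (user, domain). Returns (user, None) when the value carries no domain,
    which is exactly the multi-domain failure mode described in the thread."""
    values = parsed["attributes"].get(preferred_attr) or []
    candidate = values[0] if values else parsed["name_id"]
    if candidate and "@" in candidate:          # UPN form: user@suffix
        user, domain = candidate.split("@", 1)
        return user, domain
    if candidate and "\\" in candidate:         # down-level form: DOMAIN\user
        domain, user = candidate.split("\\", 1)
        return user, domain
    return candidate, None


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", parsed["name_id"])
    print("UPN-based identity:", pick_login_identity(parsed, UPN_CLAIM))
    print("sAMAccountName-based identity:", pick_login_identity(parsed, "samaccountname"))
```

Two caveats worth keeping in mind when mapping this onto a real deployment: a UPN suffix is not guaranteed to equal the AD domain name (alternate UPN suffixes are common), so the resolved domain still needs to be validated against the directory; and none of the parsed values is a credential, which is why a Windows logon to the VDA still needs something like FAS-issued certificates rather than anything the SP can pull out of the assertion.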

