
Citrix ADC as SAML Idp for SAP FIORI SP


Andre Schreiber


Hi folks,

 

Is there any guide for using Citrix ADC 13 as a SAML IdP for a SAP Fiori backend?

Anyone got this running? 

I'm stuck at the following Point: 

Currently my SAP Fiori web service redirects me to the authentication vServer on the ADC, but after successful authentication I end up in my StoreFront :-)

Can I share one AAA vServer for authentication of web frontends like OWA or SAP Fiori and for the Citrix Gateway vServer?

 

Any hints on this?

 

Okay, I just found out my authentication virtual server is non-addressable. The SAML URL I configured in the "trusted providers" in SAP Fiori is the URL of the Citrix Gateway (which, of course, shows up with the authentication vServer). So this is not working. Do I need a publicly accessible authentication vServer? Can I manage this over the public traffic management server IP?

 

 


I resolved my issue with a separate URL for authentication only: https://auth.public-domain.com

 

But how can I use this domain for my Citrix StoreFront services, too (with example domain "https://ctx.public-domain.com")? I want to achieve that the users will only have to authenticate once.

 

And another question: I want to achieve that the user authenticates first, even before he gets switched to the web server, which again redirects the user to the authentication domain (with SAML profile).

An already authenticated user should get redirected to the authentication website and hit back immediately with his SAML token.

 

Any Idea?

I know, it's hard to follow :-)

Thank you anyway.


On 3/4/2020 at 4:01 PM, Andre Schreiber said:

You mean that the user can see the original web server FQDN for 1 second and then gets redirected to your AAA SAML URL, authenticates and gets redirected back to your web server FQDN? Microsoft ADFS is doing the same. I think this needs to be done to request the SAML token, so your SAML IdP knows which web server the request comes from.

 

The only alternative would be to work with Unified Gateway, so you create a Citrix Gateway which acts in clientless access mode: there is a landing page which shows bookmarks to other web services. If you click on one, you are already logged in, because the first step is to authenticate at your gateway.

 

Regards

Julian
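The SP-initiated redirect that Julian describes (the user briefly lands on the web server, is bounced to the IdP with a SAMLRequest, and comes back with a token) and Andre's point that an already authenticated user should bounce back immediately can both be seen in a small simulation of the two sides. This is an added example written for this thread, not code from Citrix ADC or SAP; the IdP URL, the trusted-provider table and the session argument are assumptions, and request signing and assertion signing are deliberately left out. What it shows: the SP encodes an AuthnRequest with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), the IdP inflates it and reads the Issuer to learn which web server sent it, checks the requested AssertionConsumerServiceURL against the ACS registered for that issuer (an unsigned request's ACS is attacker-controllable, so an IdP that trusts it would post the assertion wherever the request says), and skips the login page when an IdP session already exists.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed values for the example: the IdP's SSO endpoint and the
# "trusted providers" registry an IdP keeps per SP (issuer -> registered ACS).
IDP_SSO_URL = "https://auth.public-domain.com/saml/login"
TRUSTED_PROVIDERS = {
    "https://fiori.example.com/sap/saml2/sp": {
        "acs": "https://fiori.example.com/sap/saml2/sp/acs",
    },
    "https://ctx.public-domain.com/sp": {
        "acs": "https://ctx.public-domain.com/cgi/samlauth",
    },
}


def build_authn_request(issuer, acs_url):
    """SP side: build an AuthnRequest and return (request_id, redirect_url).

    The redirect URL is what the web server sends the browser to, which is
    the moment the user sees the IdP hostname instead of the web server's.
    """
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    query = urlencode({"SAMLRequest": saml_request, "RelayState": acs_url})
    return request_id, f"{IDP_SSO_URL}?{query}"


def idp_handle_redirect(redirect_url, idp_session=None):
    """IdP side: decode the AuthnRequest, identify the SP, decide what to do next.

    idp_session is an assumed stand-in for the IdP's own session cookie; when
    it is present the user is not prompted again and a response is issued at once.
    """
    params = parse_qs(urlparse(redirect_url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")

    # The Issuer is how the IdP learns which web server started the flow.
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    sp = TRUSTED_PROVIDERS.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP issuer {issuer!r}")

    # Never trust the ACS carried in an unsigned request: only post the
    # assertion to the ACS registered for this issuer, or reject the request.
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs != sp["acs"]:
        raise ValueError("AssertionConsumerServiceURL does not match the registered ACS")

    return {
        "issuer": issuer,
        "acs": sp["acs"],
        "in_response_to": root.get("ID"),
        "action": "issue_response" if idp_session else "show_login",
    }


if __name__ == "__main__":
    rid, url = build_authn_request(
        "https://fiori.example.com/sap/saml2/sp",
        "https://fiori.example.com/sap/saml2/sp/acs",
    )
    print(idp_handle_redirect(url))                          # action: show_login
    print(idp_handle_redirect(url, idp_session={"user": "andre"}))  # action: issue_response
```

The second call is the "hits back immediately" case: a valid IdP session means the IdP answers the AuthnRequest without showing a login form, which is what makes a shared authentication host like auth.public-domain.com give single sign-on across Fiori, OWA and StoreFront. The ACS check is the part a practitioner should not drop when wiring up a real IdP: a request that names an unregistered ACS must be refused, not honoured.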

 
