Multi-tenant SAML with Citrix FAS

[Joost Sannen]

We have this webapp which uses Office 365 as IDP. We successfully configured Citrix FAS. Within the webapp the user can click an icon. This icon represents a published desktop or application. SAML and Citrix FAS is used and the user can successfully use the corresponding published desktop or application. The user does not have to logon to the Access Gateway, all is seamless without user interaction.

 

Now the webapp is also used by several other customers with each an Office 365 tenant. We want to use the same Access Gateway for all these customers. 

 

Currently we have the Access Gateway setup with one Authentication SAML Policy (true) and a Authenticaiton SAML Server with a Redirect URL to the Office 365 tenant of one customer.

 

Our thoughts currently are with SAML attributes. But we can't use a SAML attribute inside an expression in the Authentication SAML Policy to go to the proper Authentication SAML Server for the specific customer. How can we achieve a multi-tenant use of this setup? Is it possible?

[Joost Sannen]

1. Carefully looking at the flow between SP and IDP it looks like this is not option. There is no SAML assertion to extract at first. The Access Gateway sends you first to the IDP.
2. Looked at a rewrite rule. Also no option because of authentication is being done before rewrite according to the processing order (https://docs.citrix.com/en-us/netscaler/12/getting-started-with-netscaler.html#processing-order-of-features)
3. Is content switching possible? Based on a part of the URL it sends you to the Access Gateway for the customer. You do need 1 Access Gateway for each customer but it does not have to be publicly available. We did not got it to work.

 

But we have found a solution. Read below.

[Joost Sannen]

Finally got it to work! This is how we dit it.

 

Each customer has a DNS CNAME record saml-[customer shortcode].company.com to saml.company.com. That way we can use 1 wildcard certificate which is good for this purpose. We use 1 Access Gateway saml.company.com and for each customer we have a SAML policy with the expression REQ.HTTP.HEADER Host == 'saml-[customer shortcode].company.com'. At Storefront we use one store with a NetScaler gateway (yes, again to use saml-[customer shortcode].company.com) for each customer.

 

Most important question is that a Authentication SAML Policy will not be available in upcoming version 13.1 . Do you have a way to do the same with Advanced Policies?