
Move away from Windows Integrated Authentication in Citrix

Simon Bläsi


Hello all

Our Citrix setup is the following: we have Citrix Server version 7.1912 LTSR U1 and Citrix Receiver. We would like to move away from Windows Integrated Authentication in Citrix itself. For that purpose, either SAML or OAUTH2 / OpenID based JWT token authentication is foreseen (preferably OpenID Connect / OAUTH2.0). Both Citrix Server and Citrix Workspace should use OpenID / OAUTH2 based authentication.


We would like to avoid Windows Integrated Authentication on the VDA machine where XenApp is deployed, as the user exists in a different Windows domain than the VDA host itself. Any domain trust also needs to be avoided. Also, the user context should be passed, to avoid the user needing to enter credentials multiple times.


Based on our knowledge, Citrix NetScaler supports that type of scenario with the NetScaler Gateway. Would Citrix Workspace / Receiver also support that scenario with any OpenID Connect / OAuth 2.0 capable IdP (e.g. AD FS)?


Would it be possible to achieve the same by implementing some custom FAS plugins, or are there plugins available to support OpenID Connect / OAuth 2.0?


Thank you in advance for your help.


5 answers to this question



ADC does support OIDC. ADC needs to extract the user's UPN from the JWT and forward it to StoreFront. StoreFront then uses the UPN to find a local Active Directory user that matches the UPN. When launching an icon, FAS generates a certificate for the UPN and uses the certificate to log into the VDA.


Citrix still requires Active Directory between StoreFront, Controller, and VDA. Ultimately all authentication between those components is based on the local Active Directory. 

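The flow the answer above describes has two trust boundaries worth seeing in code: the gateway must fully validate the id_token before it believes the UPN inside it, and StoreFront can only proceed if that UPN resolves to an account in its own Active Directory. The example below is an added illustration, not Citrix's code and not from this thread. It assumes, for the sake of running offline, that the IdP signs with HS256 over a shared secret (a real IdP such as AD FS signs with RS256 using keys from its JWKS endpoint, so only the signature step would change), that the UPN is carried in a claim named "upn", and that an inline list stands in for the local Active Directory; the issuer URL and audience value are placeholders.

```python
"""
Added example: the trust checks a gateway (a stand-in for ADC) must perform before
forwarding the UPN from an OIDC id_token to StoreFront, and the UPN-to-AD-account
lookup StoreFront then performs. Not Citrix code; constructed for this page.

Assumptions: HS256 over a shared secret (a real IdP uses RS256 + JWKS; only the
signature step differs), a claim named "upn", and an inline "directory" list.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://adfs.example.com/adfs"   # assumed issuer URL
EXPECTED_AUDIENCE = "citrix-gateway"                 # assumed client_id of the gateway
UPN_CLAIM = "upn"                                    # assumed claim name

# Constructed stand-in for the local AD: only users in *this* forest can be matched.
LOCAL_AD_USERS = [
    {"userPrincipalName": "alice@corp.example.com", "sAMAccountName": "alice", "domain": "CORP"},
    {"userPrincipalName": "bob@corp.example.com", "sAMAccountName": "bob", "domain": "CORP"},
]


class TokenRejected(Exception):
    """Raised for any token the gateway must not forward."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Mint a JWT as the constructed IdP would; alg='none' exists only to test rejection."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def extract_upn(token: str, now: Optional[float] = None, secret: bytes = SHARED_SECRET) -> str:
    """Validate the id_token and return its UPN; raise TokenRejected on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the token must never choose it ('none' / key-confusion attacks).
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    # Only after the signature check are the claims trustworthy.
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUDIENCE or (isinstance(aud, list) and EXPECTED_AUDIENCE in aud)):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("not yet valid")
    upn = claims.get(UPN_CLAIM)
    if not isinstance(upn, str) or upn.count("@") != 1:
        raise TokenRejected("missing or malformed UPN claim")
    return upn


def lookup_ad_user(upn: str, directory=LOCAL_AD_USERS) -> Optional[dict]:
    """StoreFront's step: find the local AD account whose UPN matches (case-insensitive)."""
    for user in directory:
        if user["userPrincipalName"].lower() == upn.lower():
            return user
    return None  # a UPN from a foreign, untrusted domain has no local account to log on with


def gateway_to_storefront(token: str, now: Optional[float] = None) -> Optional[dict]:
    """End to end: reject bad tokens at the gateway, then resolve the UPN as StoreFront would."""
    return lookup_ad_user(extract_upn(token, now))


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "exp": t0 + 300, "upn": "Alice@corp.example.com"})
    print(gateway_to_storefront(good, now=t0))
```

The point of `lookup_ad_user` returning `None` is the constraint the answer states: a token from a user whose UPN has no matching account in StoreFront's own AD gets no further, whatever the IdP said, because FAS can only issue a logon certificate for a UPN that exists locally.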

Thanks a lot for the detailed answer! It is clear that the SAML response is validated and the IdP certificate is selected based on the thumbprint.

I would have one more question: You mentioned “When you setup SAML, you upload the IdP cert, or the IdP cert is retrieved from the SAML metadata XML file.” At configuration time, is the IdP cert itself stored on the Citrix Storefront machine (windows certificate store) or in the Citrix Storefront configuration database/files?


I am asking this question as I only see the IdP certificate thumbprint being saved in the Citrix Storefront configuration.

