
Storefront on-prem SSO from roaming AAD-Joined device

David Inglis1709162342


I have external users working through gateway using SAML/AAD/MFA from AAD-joined devices, works great.  Devices are provisioned remotely using Autopilot/Intune, workspace app is configured and store discovery works great, using SAML AAD/MFA.  Seamless and sweet.


When these devices roam back on-prem, they find the internal beacon and go straight to StoreFront and they struggle as currently the store used by the Gateway vserver is set to only auth using gateway passthrough.  I have tried adding Domain Passthrough but that did not work - being AADJ these devices are not domain members but I hoped, being based on IIS, StoreFront would work with the AAD PRT mechanism, but it seems not.  The error I get is 'No Logon Methods'.


Ideally we want these AADJ devices to be able to roam off- and on-prem and seamlessly auth in and launch their apps/desktops, like a domain-joined device would.  How this is achieved doesn't matter as long as the end-user experience is slick.


According to Carl at https://www.carlstalhood.com/citrix-federated-authentication-service-saml/#samlstorefront, if I set StoreFront SAML auth in addition to the Gateway passthrough, it will 'override passthrough auth' - I'm guessing that includes the gateway passthrough?


Any suggestions on how I can configure this?




