Jump to content
Welcome to our new Citrix community!

Storefront on-prem SSO from roaming AAD-Joined device

David Inglis1709162342

Recommended Posts

I have external users working through gateway using SAML/AAD/MFA from AAD-joined devices, works great.  Devices are provisioned remotely using Autopilot/Intune, workspace app is configured and store discovery works great, using SAML AAD/MFA.  Seamless and sweet.


When these devices roam back on-prem, they find the internal beacon and go straight to storefront and they struggle as currently the store used by the Gateway vserver is set to only auth using gateway passthrough.  I have tried adding Domain Passthrough but that did not work - being AADJ these devices are not domain members but i hoped, being based on IIS, storefront would work with the AAD PRT mechanism, but it seems not.  Error i get is 'No Logon Methods'.


Ideally we want these AADJ devices to be able to roam off- and on-prem and seamlessly auth in and launch their apps/desktops, like a domain-joined device would.  How this is achieved doesn't matter as long as the end-user experience is slick.


According to Carl at https://www.carlstalhood.com/citrix-federated-authentication-service-saml/#samlstorefront, if i set Storefront SAML auth in addition to the Gateway passthrough, it will 'override passthrough auth' - i'm guessing that includes the gateway passthrough?


Any suggestions on how i can configure this?





Link to comment
Share on other sites

OK so testing this seems to show that the store can have both 'passthrough from gateway' with full delegation, AND the store's own SAML authentication configured to point directly to AAD, resulting in the desired outcome - internal traffic from CWA/Browser is auth'd by SF using the SAML method directly to AAD (from an AAD-joined device with Conditional Access configured appropriately, this results in SSO to storefront (and then FAS SSO to the VDAs)), while external traffic through the gateway is dealt with there and delegated to storefront as normal.




  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...