
Citrix Gateway and published application shortcuts


Hello,

I'm trying to incorporate Citrix published application shortcuts in our own website, completely separate from Citrix infrastructure (it is a landing page with web apps mixed with Citrix published applications).

Is there a way to launch published applications through NetScaler Citrix Gateway 12.1? Citrix Virtual Apps / StoreFront version is 1912.

 

The Gateway is configured with a SAML authentication profile connecting to our own implementation of a SAML IdP, which works ok. FAS has been implemented per Citrix documentation.

 

I can make it work by doing the following:

 

1.  Enter the published application shortcut into the web browser, Notepad-TEST as an example:

https://citrix.gateway.com/Citrix/StoreWeb/#/launch/Notepad-TEST/e8tt64FgyEIdofnL7%2BE8PSUi%2F8MHNNiWB22d%2F%23334432ksdVUFULUhTTUFJTg%3D%3D

 

2.  Gateway redirects to SAML, I enter credentials, IdP redirects back to gateway but the URL changes to the StoreFront store URL with everything after "#" stripped: https://citrix.gateway.com/Citrix/StoreWeb. At this point the user is presented with StoreFront listing all applications the user is authorized to access.

 

3.  Enter the full shortcut URL again into the same browser tab, hit F5 and the Notepad-TEST application starts as expected.

 

Any idea if there is a way to start the application through Gateway immediately after successful SAML authentication and redirect to StoreFront?

If I replace the Citrix Gateway URL with the internal StoreFront URL, the published application starts immediately after successful StoreFront authentication, example: https://storefront-url_here/Citrix/StoreWeb/#/launch/Notepad-TEST/e8tt64FgyEIdofnL7%2BE8PSUi%2F8MHNNiWB22d%2F%23334432ksdVUFULUhTTUFJTg%3D%3D

 

You can get a list of published app shortcuts via an API call: https://storefront-url_here/Citrix/StoreWeb//default.html/mode/view-appshortcuts

 

We can leave security concerns out of this topic for now.

 

Thank you


I think that won't work.

This is the way normal StoreFront / gateway communication works:

  1. A user logs on to gateway, gateway forwards credentials to StoreFront, StoreFront authenticates to the Delivery Controller and retrieves the list of applications.
  2. The user clicks an application. The request gets forwarded via gateway and StoreFront to the Delivery Controller. The Delivery Controller returns the IP to StoreFront.
     That's where your problems start: StoreFront now stores the IP address in the STA, and creates an ICA file. This ICA file contains the STA ticket, which is valid for a very short time.
  3. The client receives the ICA file, and it's opened by the WorkSpace App. The WorkSpace App connects to gateway via SSL and sends the STA ticket. The Gateway retrieves the IP address from the STA and directly connects to the IP (VDA).

So STA tickets can't survive for long, so ICA files don't live for long. You can find a detailed description of the procedure here.

 

What you could do:

Embed StoreFront in an iFrame in your web page. That way, it would "look like a part of your web page"; however, it is not.

 

Greetings

 

Johannes Norz

CTA, CCI, CCE-N

 

My Citrix ADC / NetScaler test environment


Johannes Norz, thanks for that. This is a really good blog explaining the gateway flow. Always something new to learn, I didn't know the logon ticket is called an NFuse ticket.

 

As for iFrame, we've tried it already but it requires Access-Control-Allow-Headers, Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers. Unfortunately, no matter what, NetScaler will not insert such headers into responses, even though my rewrite policies get hits as expected. It appears Citrix is doing it on purpose, for security reasons, which makes sense. Apparently there is a way to modify NetScaler scripts to disable such protection but that's too much tampering with security, imho.

 

The fact that I can launch apps by re-inserting the shortcut URL and refreshing tells me my configuration is ok regarding StoreFront, STAs, FAS, etc.

Just don't understand why the shortcut URI gets stripped. This is why after successful authentication I'm getting to StoreFront instead of the application launching.

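Added example, not part of any post in this thread: the `#/launch/...` part of a shortcut is a URL fragment, which a browser keeps locally and never sends in the HTTP request, so a server that rebuilds the post-login URL from the request it received has no fragment to restore. The function names and the shortened shortcut ID are constructed, and it is an assumption (not confirmed in the thread) that the gateway rebuilds the return URL this way.

```javascript
// Constructed shortcut in the same shape as the one in the first post (ID shortened).
const SHORTCUT =
  "https://citrix.gateway.com/Citrix/StoreWeb/#/launch/Notepad-TEST/CONSTRUCTED-ID";

// What the browser puts on the HTTP request line: path and query only.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// The fragment stays in the browser; no server in the login chain receives it.
function clientOnlyPart(urlString) {
  return new URL(urlString).hash;
}

// The launch route as a client-side script would read it from the fragment.
function parseLaunchFragment(hash) {
  const m = /^#\/launch\/([^/]+)\/(.+)$/.exec(hash);
  return m ? { app: decodeURIComponent(m[1]), id: m[2] } : null;
}

// A server can only rebuild the "return to" URL from what it was sent,
// so the rebuilt URL carries no launch route (assumed gateway behaviour).
function returnUrlSeenByServer(urlString) {
  return new URL(urlString).origin + requestTarget(urlString);
}

const before = parseLaunchFragment(clientOnlyPart(SHORTCUT));
const afterLogin = returnUrlSeenByServer(SHORTCUT);
const after = parseLaunchFragment(clientOnlyPart(afterLogin));

console.log("sent to server :", requestTarget(SHORTCUT));
console.log("kept in browser:", clientOnlyPart(SHORTCUT));
console.log("route before login:", before);
console.log("URL after login   :", afterLogin);
console.log("route after login :", after);
```

This matches step 3 of the first post: re-entering the full shortcut in the already authenticated tab puts the fragment back in the browser, where the StoreWeb page can read it.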