
Multiple SPs with SAML Authentication with Microsoft Azure




We have two CVAD environments (7.15 & 1912). Each has its own ADC Gateway configured on the same VPX NetScaler. 


1.  Currently, only the 7.15 environment is configured to use SAML-based auth with Azure as IdP and ADC as SP. I have a basic SAML policy configured on the Gateway as the primary and only authentication method. I also have an Enterprise Application configured in Azure that corresponds to this. This works great and as expected. No issues.


2.  This is where the issue is. Currently, the 1912 environment is only using LDAP for authentication. I need to switch this 1912 Gateway to use SAML-based authentication as well, like the older environment. The problem is, I cannot use the same Azure Enterprise Application because the Identifier or "Entity ID" is different.


Is it possible to use a wildcard for the Identifier in Azure to allow it to work with both Gateways? So basically, the ADC will be my Service Provider for the two environments and one single Azure Enterprise App as the IdP will service both SPs. I am guessing not, because the Reply URL will also have to be different. Otherwise, Azure will not know where to reply.


So this means that I will need to configure two separate Enterprise Applications in Azure, one for each SP/GW. Can the ADC actually be two distinct Service Providers (SPs)? Is that functionality even supported?


I am looking for the best approach. When I try to add a second Enterprise Application in Azure to correspond to the 1912 GW, somehow it screws up the 7.15 authentication...




I am answering my own question here and hope this may help someone in the future.

So yes, two separate Service Providers (SPs) on the ADC work just fine. I was able to configure SAML-based authentication to Azure as the IdP for both GW vServers on the same ADC.

One important thing to note is that the Microsoft Azure Federated SSO Certificate that was used for the first SP cannot be reused for the second one. They are completely different (different cert thumbprints) and it seems like they are specifically designed to work for the exact Enterprise App they are downloaded from.


Another observation is that the "default entry" that Azure puts in the Single sign-on box #1 settings should be removed for the Identifier (Entity ID). After creating the new app, Microsoft is throwing something similar to this, "http://adapplicationregistry.onmicrosoft.com/customappsso/primary", which is a default identifier. Adding the proper URL in the box below this did not help, even though the default checkbox was checked. The correct URL should be entered on the very first line where the default identifier is (overwriting it).

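The following is an added example and is not code from the original post, from Citrix, or from Microsoft. It models the service-provider-side checks that one ADC Gateway vServer applies to an Azure SAML Response, to make concrete why the answer above needs a separate Entity ID, Reply URL and IdP signing certificate per Gateway: a Response built for the second Enterprise App is rejected when checked against the first Gateway's settings, a Response signed with the first app's certificate is rejected by the second Gateway, and the Azure default identifier never matches a Gateway's Entity ID. The hostnames (gw715 / gw1912 under example.com), the ACS path, the tenant GUID and the certificate bytes are constructed placeholders; real XML-DSig verification is deliberately left out and replaced by a thumbprint pin, which is what the per-SP certificate binding amounts to.

```python
"""Added example (not from the post, Citrix or Microsoft): a minimal model of
the per-SP checks a SAML Service Provider applies to an Azure SAML Response.
Hostnames, tenant ID and certificate bytes are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for the DER bytes of the Federated SSO certificate that
# Azure issues per Enterprise App: two apps, two different certificates.
CERT_APP_715 = b"constructed DER bytes: Enterprise App for the 7.15 Gateway"
CERT_APP_1912 = b"constructed DER bytes: Enterprise App for the 1912 Gateway"


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of the certificate bytes, uppercase hex as in the portal."""
    return hashlib.sha1(der).hexdigest().upper()


# One SP entry per Gateway vServer (hypothetical names). Each mirrors its own
# Enterprise App: Identifier (Entity ID), Reply URL, and the pinned certificate.
SP_CONFIG = {
    "gw715": {
        "entity_id": "https://gw715.example.com",
        "acs_url": "https://gw715.example.com/cgi/samlauth",
        "idp_cert_thumbprint": thumbprint(CERT_APP_715),
    },
    "gw1912": {
        "entity_id": "https://gw1912.example.com",
        "acs_url": "https://gw1912.example.com/cgi/samlauth",
        "idp_cert_thumbprint": thumbprint(CERT_APP_1912),
    },
}

# Identifier Azure pre-fills in a new app's single sign-on settings (quoted in the post).
AZURE_DEFAULT_IDENTIFIER = "http://adapplicationregistry.onmicrosoft.com/customappsso/primary"


def build_response(destination: str, audience: str, cert_der: bytes) -> str:
    """Constructed, unsigned skeleton of an Azure SAML Response carrying only the
    fields the checks below inspect (Destination, Audience, signing certificate)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" Version="2.0" Destination="{destination}">'
        "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        '<saml:Assertion Version="2.0">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion></samlp:Response>"
    )


def validate_response(sp_name: str, response_xml: str) -> tuple[bool, str]:
    """Apply the binding checks for one SP. XML-DSig verification is out of scope;
    the certificate check pins the thumbprint this SP trusts."""
    sp = SP_CONFIG[sp_name]
    root = ET.fromstring(response_xml)

    # Reply URL: Azure posts to the Reply URL of the app that issued the Response,
    # so a mismatch means this Response was meant for the other Gateway.
    if root.get("Destination") != sp["acs_url"]:
        return False, "Destination is not this Gateway's Reply URL"

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"

    # Entity ID: the Audience must equal this SP's Identifier exactly; the value
    # Azure pre-fills never matches a Gateway's Entity ID.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        return False, f"Audience {audience!r} is not this SP's Entity ID"

    # Signing certificate: each Enterprise App has its own Federated SSO
    # certificate, so the first app's certificate cannot validate the second's.
    cert_b64 = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None or thumbprint(base64.b64decode(cert_b64)) != sp["idp_cert_thumbprint"]:
        return False, "signing certificate is not this app's Federated SSO certificate"

    return True, "ok"


if __name__ == "__main__":
    sp = SP_CONFIG["gw1912"]
    print("own app:", validate_response("gw1912", build_response(sp["acs_url"], sp["entity_id"], CERT_APP_1912)))
    print("first app's cert:", validate_response("gw1912", build_response(sp["acs_url"], sp["entity_id"], CERT_APP_715)))
    print("default identifier:", validate_response("gw1912", build_response(sp["acs_url"], AZURE_DEFAULT_IDENTIFIER, CERT_APP_1912)))
```

The three rejection paths correspond to the three settings the answer says must be distinct per Gateway: the Reply URL (Destination), the Identifier (Audience), and the Federated SSO certificate (pinned thumbprint). On a real ADC the certificate pin is the IdP certificate bound to each SAML action, and the signature itself is verified, which this model omits.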