
Virtual Apps and Desktops Authentication


James Greenough

Question

I have a Citrix env, 1912 LTSR CU5, sat behind a NetScaler 13.1.x. 100s of different customers log in using domain\username and password for their published app.

Forget about licensing at the moment: is it technically possible to offer SSO to these customers, aka lots of different IdPs accessing this setup, aka customers with their own Azure AD, Azure B2C, Okta, or other OpenID/SAML offerings?

Thanks

James

Link to comment

3 answers to this question


If your local AD has accounts with UPNs that match the email addresses provided by the IdPs, then FAS can do SSON. You'd probably need to add a bunch of UPN suffixes to your AD forest.

Another option is to ask the IdPs to send back a custom attribute that contains a value that matches the UPN of a local AD account. Or you can configure a Traffic Policy on NetScaler to craft UPN usernames based on an expression.

Link to comment

Thanks for the above.

Can you point me in the direction of any articles, either Citrix or from your website, that can expand on those options?

Just to clarify, does the FAS option need the below, or am I misunderstanding it?

To configure FAS with third-party hosted VDAs, a two-way trust is required. The third-party hosted forest must trust the customer forest for a customer account to log on to a VDA in that hosted forest.

James

Link to comment

Local accounts are sometimes called shadow accounts. https://www.carlstalhood.com/citrix-federated-authentication-service-saml/#activedirectory

Traffic Policies are an advanced configuration that is highly specific to your environment. Use them to manipulate the username so it matches the UPNs in your shadow accounts. https://docs.netscaler.com/en-us/citrix-gateway/current-release/vpn-user-config/traffic-policies.html

Link to comment
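The UPN matching discussed in the answers above, modelled as an added Python example (not Citrix, NetScaler or FAS code, and not written by the posters): the identity claim from each IdP is normalised and resolved to a shadow-account UPN. The issuer URLs, claim names, suffixes and accounts are constructed, and restricting each IdP to its own UPN suffixes is an assumption added here rather than something the thread states.

```python
# Added illustration: models the IdP-identity -> shadow-account UPN mapping.
# All issuer URLs, claim names, suffixes and accounts below are constructed.

class MappingError(Exception):
    """Raised when an assertion cannot be mapped to a shadow account."""

# Per-IdP settings: which claim carries the identity, and which UPN suffixes
# that IdP may assert (assumed policy: each customer only its own suffixes).
IDP_CONFIG = {
    "https://idp.customer-a.example": {
        "claim": "email", "suffixes": {"customer-a.example"}},
    "https://idp.customer-b.example": {
        "claim": "shadow_upn", "suffixes": {"customer-b.example"}},
}

# UPNs of the shadow accounts in the hosting AD forest (constructed).
SHADOW_UPNS = {"alice@customer-a.example", "bob@customer-b.example"}

def resolve_shadow_upn(issuer, claims, idp_config=IDP_CONFIG,
                       shadow_upns=SHADOW_UPNS):
    """Return the shadow-account UPN for an assertion, or raise MappingError."""
    cfg = idp_config.get(issuer)
    if cfg is None:
        raise MappingError(f"unknown IdP: {issuer}")
    raw = claims.get(cfg["claim"])
    if not isinstance(raw, str):
        raise MappingError(f"claim {cfg['claim']!r} missing")
    upn = raw.strip().lower()  # normalise case and whitespace before comparing
    user, sep, suffix = upn.rpartition("@")
    if not sep or not user or not suffix:
        raise MappingError(f"not a UPN: {raw!r}")
    if suffix not in cfg["suffixes"]:
        # Stops one customer's IdP from asserting another customer's user.
        raise MappingError(f"suffix {suffix!r} not allowed for {issuer}")
    if upn not in shadow_upns:
        raise MappingError(f"no shadow account for {upn}")
    return upn

if __name__ == "__main__":
    print(resolve_shadow_upn("https://idp.customer-a.example",
                             {"email": "Alice@Customer-A.example"}))
```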
