Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication
Prerequisites
* Citrix FAS Service installation
* XA/XD 7.6 or newer
* StoreFront 3.6 or newer (I’ve tested with 3.9)
* SAML Provider acting as the IdP (Google in this instance)
* NetScaler Gateway configured as the SAML Service Provider (SP)
* Active Directory Certificate Services
* Access to edit Windows GPOs and OUs to assign the CFAS service its service location
Install The Citrix Federated Authentication Service (CFAS)
1. Mount the XA/XD ISO on your server and select the Federated Authentication Service.
2. Read the license agreement and make your choice.
3. Click Next.
4. Click Next.
5. Click Install.
6. Click Finish.
7. Create the GPO to point the FAS server to itself (see step 9). When the GPO exists the ‘address’ field will be filled in for you automatically.
8. Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to c:\windows\policydefinitions on Active Directory.
9. Edit group policy to have the server point to itself for FAS: open gpmc.msc, browse to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication and enter the DNS address of the server hosting the FAS service. Note: the VDA(s), the StoreFront server and the FAS server all need to have this policy applied.
10. Run gpupdate /force.
11. Right click the CFAS Administration console and always Run As Administrator.
12. You should now have the CFAS server listed. Click OK.
13. Click on Step 1 – Start button.
14. Click OK.
15. You can verify the creation of the templates in ADCS.
16. Once this is completed without errors click Start on Step 2.
17. Click OK.
18. Finally click Start on Step 3.
19. Click OK.
20. The console is now waiting for the request to be approved (issued) by AD Certificate Services.
21. Log into the ADCS and approve the pending certificate request: right click the pending request, select All Tasks, then select Issue.
22. Step 3 will go green.
23. Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate.
24. Click Edit and add the StoreFront server to be able to use the ‘rule’. Remove Domain Computers as they will be set to ‘deny’.
25. Click Apply.
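Steps 7 to 10 only work if the FAS address policy has actually landed on the VDA, the StoreFront server and the FAS server itself. The following PowerShell check is an added example (not from the original post or from Citrix): it reads the registry values the policy writes, resolves each FAS address and tests that the FAS server answers on its default HTTP port. It assumes the documented policy path HKLM\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses and TCP port 80 for the FAS service.

```powershell
# Added example: verify the Citrix FAS address policy on this machine (run on VDA, StoreFront and FAS).
# Assumption: the GPO writes Address1, Address2, ... under this key (Citrix documented path).
$fasPolicyKey = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService\Addresses'

function Get-FasPolicyAddresses {
    if (-not (Test-Path $fasPolicyKey)) {
        Write-Warning "FAS policy key not present. Run 'gpupdate /force' and confirm the GPO is linked to this computer's OU."
        return @()
    }
    $item = Get-ItemProperty -Path $fasPolicyKey
    # Values are named Address1, Address2, ...; skip PowerShell's own PS* metadata properties
    $item.PSObject.Properties |
        Where-Object { $_.Name -like 'Address*' } |
        Sort-Object Name |
        ForEach-Object { $_.Value }
}

function Test-FasServer {
    param([string]$Address)
    $result = [ordered]@{ Address = $Address; Resolves = $false; Reachable = $false }
    try {
        $null = Resolve-DnsName -Name $Address -ErrorAction Stop
        $result.Resolves = $true
    } catch {
        # Unresolvable name: the VDA would never reach FAS, so report and stop here
        return [pscustomobject]$result
    }
    # Assumption: FAS listens on TCP 80 (its default HTTP endpoint)
    $result.Reachable = (Test-NetConnection -ComputerName $Address -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]$result
}

Get-FasPolicyAddresses | ForEach-Object { Test-FasServer -Address $_ } | Format-Table -AutoSize
```

A row with Resolves = True and Reachable = False usually means a firewall between the VDA and the FAS server, or the FAS service not yet started, rather than a policy problem.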
Create NetScaler SAML Policy to 3rd Party iDP (Google)
In this section we will create a new SAML policy for the NetScaler to use Google as the SAML IdP.
Note: this cannot currently be bound to a Gateway when using the NetScaler RfWebUI ‘theme’.
1. Connect to admin.google.com.
2. Click Apps.
3. Click SAML Apps.
4. Click the + to add a new SAML Application.
5. Select Setup my own custom app.
6. Take note of the IdP data you are provided and copy and paste your URL. Be sure to DOWNLOAD the Certificate and save this for uploading to the NetScaler later.
7. Describe your new app.
8. Note: the default ACS URL for the NetScalers must have a trailing /cgi/samlauth.
9. Click Finish.
10. Summary of the App SSO Setup in the Google admin panel.
11. Be sure to enable the new Application: click the three dots … and select ON for everyone. Note: this new configuration will take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message.
12. Note: users will have access to a shortcut to this new app in their Google Console.
13. Upload the Google IdP Certificate to the NetScaler.
14. Install the CA Certificate.
15. Here you can see the certificate installed as another CA Certificate.
16. Expand NetScaler > Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > SAML > Policies > Servers and enter appropriate details for your new SAML profile. Note: the redirect URL and Single Logout URL will be unique to your Google account.
17. Create a new SAML Authentication Policy, set the expression of this policy to ns_true and link it to the newly created Google SAML Server.
18. Bind this policy to your NetScaler Gateway: click the + against Basic Authentication. Note: you may need to remove other Authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method.
19. Choose SAML, choose Primary and click Continue.
20. Select the SAML binding.
21. Edit the NetScaler Gateway Session Profile (Session Server) and blank the Single Sign On Domain field: NetScaler Gateway > click Session Policies.
22. Select the policy and edit the profile.
23. Ensure Single Sign-on Domain is empty.
24. Ensure your Google email matches your AD User Logon Name.
25. If not, you can add a new UPN for the domain from Active Directory Domains and Trusts.
26. Add any additional UPN suffix you may require to match your Google email sign-in.
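Steps 24 to 26 are the usual cause of the ‘user not found’ result: the SAML assertion from Google carries the Google sign-in address, and FAS can only issue a certificate for an AD account whose userPrincipalName matches it exactly. The check below is an added example (not from the original post): it takes a list of Google sign-in addresses, looks each one up by UPN in AD and reports whether the address’s suffix is even registered in the forest. It needs the ActiveDirectory RSAT module; the sample addresses are constructed.

```powershell
# Added example: confirm Google sign-in addresses map to AD userPrincipalNames before testing the Gateway.
Import-Module ActiveDirectory -ErrorAction Stop

# Constructed sample input; replace with the addresses of your pilot users
$googleSignIns = @('alice@example.com', 'bob@corp.example.com')

function Test-UpnMapping {
    param([string[]]$Emails)
    $forest = Get-ADForest
    # Suffixes AD will accept as a UPN: every domain name in the forest plus the extra UPN suffixes
    $knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    foreach ($email in $Emails) {
        $suffix = ($email -split '@', 2)[1]
        # Double any single quote so the address cannot break out of the filter string
        $safeEmail = $email -replace "'", "''"
        $user = Get-ADUser -Filter "UserPrincipalName -eq '$safeEmail'" -Properties UserPrincipalName
        [pscustomobject]@{
            Email       = $email
            AdUserFound = [bool]$user
            SamAccount  = if ($user) { $user.SamAccountName } else { $null }
            SuffixKnown = $knownSuffixes -contains $suffix
        }
    }
}

Test-UpnMapping -Emails $googleSignIns | Format-Table -AutoSize
```

A row with SuffixKnown = False is step 25: the suffix has to be added to the forest (Set-ADForest -UPNSuffixes @{Add='example.com'} does the same as the Domains and Trusts dialog) before the user’s UPN can be changed to match. A row with SuffixKnown = True but AdUserFound = False means the suffix exists but that particular account still has a different UPN.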
Configure StoreFront to Delegate Authentication to NetScaler
1. Open Citrix Studio or StoreFront management.
2. Select your Store and click Manage Authentication Methods.
3. Click Passthrough from NetScaler Gateway > Configure Delegated Authentication.
4. Click OK.
5. Note: you will need to trust requests sent to the DDC XML ports for all DDC servers. RDP to each Delivery Controller as a Citrix or local administrator, open PowerShell, type ‘asnp Citrix*’ and then type ‘Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true’.
6. Note: you can verify if this was successful by running Get-BrokerSite.
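Steps 5 and 6 as one script, added here as an example (not from the original post or from Citrix): it enables the XML-service trust, verifies it with Get-BrokerSite, and then lists every enabled inbound firewall rule that already opens the XML port and adds a rule scoped to the StoreFront servers. With this trust switched on the Delivery Controller accepts the user identity StoreFront asserts without a password, so the XML port should only be reachable from the StoreFront servers. The script assumes the XML service is on its default TCP port 80 (change the port if you have moved it to HTTPS) and the StoreFront addresses are constructed placeholders.

```powershell
# Added example: enable and verify XML-service trust on a Delivery Controller, then scope the XML port.
Add-PSSnapin Citrix* -ErrorAction Stop

$storeFrontServers = @('10.0.0.21', '10.0.0.22')   # constructed placeholders: your StoreFront server addresses
$xmlPort = 80                                       # assumption: default XML service port

function Enable-XmlServiceTrust {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
    $site = Get-BrokerSite
    if (-not $site.TrustRequestsSentToTheXmlServicePort) {
        throw 'TrustRequestsSentToTheXmlServicePort is still false; check the Citrix admin rights of this account'
    }
    $site | Select-Object Name, TrustRequestsSentToTheXmlServicePort
}

function Get-XmlPortInboundRules {
    param([int]$Port)
    # Any enabled inbound rule that already opens this port widens who can talk to the trusted XML service
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Action, Profile
}

function Limit-XmlPortToStoreFront {
    param([string[]]$AllowedAddresses, [int]$Port)
    # Windows Firewall gives Block rules precedence over Allow rules, so do not add a blanket Block on
    # the port; add only this scoped Allow rule and keep the profile's default inbound action at Block.
    New-NetFirewallRule -DisplayName 'Citrix XML service - StoreFront only' -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedAddresses -Action Allow | Out-Null
}

Enable-XmlServiceTrust
Write-Host "Existing inbound rules on TCP $xmlPort (review and disable any broader than the StoreFront rule):"
Get-XmlPortInboundRules -Port $xmlPort | Format-Table -AutoSize
Limit-XmlPortToStoreFront -AllowedAddresses $storeFrontServers -Port $xmlPort
```

Set-BrokerSite changes the site configuration in the database, so Get-BrokerSite on any other Delivery Controller should show the same value afterwards; the firewall rule, by contrast, is local and is needed on every Delivery Controller.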
If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud
Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!