Configuring Citrix FAS with shibboleth iDP

So the other day I was involved in trying to get a Shibboleth SAML IdP to work with Citrix FAS, but for some reason the user authentication was never successful. When reviewing the authentication tab in NetScaler I noticed that only the username from the IdP was being sent with the SAML assertion to the NetScaler, so when the NetScaler tried to forward this to StoreFront to validate, it couldn't resolve the UPN, and therefore authentication failed.

So in order for Shibboleth to send the full UPN you need to adjust the content specification below.

```xml
<s:samlContentSpecifications xmlns:s="">
    <contentSpecification name="name"
                          channelType="office"
                          profileType="saml2_"
                          signResponseWithKey="signedcert"
                          includeCertificateInfo="true">
        <namespace name="">
            <attribute name="UserID">
                <!-- the @domainname.com suffix turns the bare user ID into a UPN -->
                <value>${officeUser.systemAccess:fddata.fdUserId}@domainname.com</value>
            </attribute>
        </namespace>
    </contentSpecification>
</s:samlContentSpecifications>
```

So in the content specification you need to append the @domainname suffix to the user ID, so that when the SAML assertion is forwarded to the NetScaler Gateway it maps to a UPN instead of just the username.
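To see the difference between the failing and the working assertion, here is an added example (not code from the original post, and not part of Shibboleth, FAS or NetScaler) that parses a SAML 2.0 assertion and checks whether the attribute named UserID carries a full UPN or only a bare username. The two assertions and the attribute name are constructed for this example; the domain `domainname.com` is the placeholder from the post.

```python
"""Check whether the UserID attribute in a SAML assertion is a UPN.

Added example, not part of the original post. A bare username (the failing
case described above) cannot be resolved by StoreFront; a value of the form
user@domain can. The assertions below are constructed samples, not captured
from a real IdP.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the username is sent (the failing case).
ASSERTION_BARE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the content specification appends @domainname.com.
ASSERTION_UPN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID">
      <saml:AttributeValue>jdoe@domainname.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# A UPN is user@domain with no whitespace and at least one dot in the domain.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def attribute_values(assertion_xml, name):
    """Return all AttributeValue texts for the SAML Attribute called `name`.

    Uses the standard-library parser; assertions from an untrusted source
    should go through a hardened XML parser before reaching this point.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def check_upn(assertion_xml, name="UserID"):
    """Return (ok, message): ok is True only if every value of `name` is a UPN."""
    values = attribute_values(assertion_xml, name)
    if not values:
        return False, f"attribute {name} is missing from the assertion"
    not_upn = [v for v in values if not UPN_RE.match(v)]
    if not_upn:
        return False, f"{name} is a bare username, not a UPN: {not_upn}"
    return True, f"{name} is a UPN: {values}"


if __name__ == "__main__":
    for label, xml_doc in (("bare", ASSERTION_BARE), ("upn", ASSERTION_UPN)):
        ok, message = check_upn(xml_doc)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {message}")
```

Running the script reports FAIL for the bare-username assertion and OK for the one carrying `jdoe@domainname.com`, which is the same distinction NetScaler and StoreFront make when they try to resolve the account.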
