A While back I blogged about setting up Citrix FAS and using NetScaler as a SAML iDP, which you can find here –> http://msandbu.org/setting-up-saml-authetication-for-netscaler-and-storefront-with-sso/ now I wanted to extend upon that and show how you can use Windows 10 Azure AD Join together with Citrix FAS and SAML to provide a full SSO option from when users log in to their desktops. They way that users trigger Citrix is by logging into a published Citrix Application from MyApps portal which is part of Azure Active Directory which points to a NetScaler Gateway which will trigger a SAML policy and log the user in.
The complete setup requires
* Published ADFS (Setup with a federated domain in Azure)
* Azure AD Connect
* Citrix FAS together with ADCS
* NetScaler Gateway with a SAML Policy
* Windows 10 with Azure AD Join
Note: I am not going to cover the setup of ADFS and FAS nor Azure AD Connect even though it is required part of the setup. Note however that when I configured this I did so without Smart Access enabled on Storefront since this generated an error when trying to login.
Part one: Setting up the published application in Azure AD
First you need to have Azure Active Directory available in your Azure Subscription. Note that you do not need a paid subscription in Azure AD to be able to use this option, the free option will suffice but it has some limitations when it comes to use of multiple applications and such.
Within the Azure management portal, go into Azure Active Directory –> Enterprise Applications –> All Applications –> Add
In the gallery list click on “All” –> Non-Gallery Applications, then you will need to provide the application with a name (Basically what the name that will appear within the Azure application portal)
After you have given it a name, go into single sign-on and choose SAML based sign-on
After you have done this you will get a list of new options. First of is the SSO Identifier
Identifier is just a name of the SAML SP sending a request. I just named it https://nsgw.msandbu.org in my case. It is important that the identifier is the same here as in the NetScaler SAML SP policy we are going to create later.
Next part is the Reply URL: Which is the URL where it will redirect too when a user click on the application inside the MyApps portal. Here you need to switch to your NetScaler Gateway FDQN and add /cgi/samlauth
Scroll a bit further down and enter the user identifier which in this case is the UPN which you need to choose from the dropdown list.
Next you will get some options when it comes to SSO. You will need to take note of the SAML Single-sign-on service URL and the Single-logout URL. Also download the Base64 bit encoded Certificate since this needs to be downloaded and imported into NetScaler Gateway as the IDP certificate.
So after you are done with this you have completed the configuration of the application. Final pieze is setting up user access and uploading a custom icon for instance.
Part two: Setting up the settings on NetScaler Gateway
Now that we are done with the configuration in Azure AD there are a couple of things we need to configure in NetScaler Gateway.
First of we need to upload the Certificate that we downloaded from Azure AD into NetScaler.
Secondly we need to have a NetScaler Gateway vServer configured, if we have any authentication options defined if we need to remove those and configure a SAML Authentication policy and bind it to the NetScaler Gateway.
From here go in a create a new SAML policy which can be using the expression ns_true and from there we need to define a SAML server. First part is choosing the iDP Certificate name which is the certificate we downloaded fom Azure AD. And we need to define the redirect URL and Single Logout URL which are the URL’s we got fom AzureAD.
Also important to set Issuer Name to the one we defined in Azure AD and scroll further down and define RSA-SHA256 and SHA256 if this is not defined it will not work.
After this is done you just need to attach the policy to the NetScaler Gateway.
Part three: Setup Azure AD Join on Windows 10 device
This can be done either using OOBE (Out of box experience) or done using System Settings in Windows 10 to the same domain that you have setup as part of Azure AD
Now by default the Azure AD Join works in IE and Microsoft EDGE, if you want to use it for Chrome as well you need to download the extension for access panel which you can find here –> https://chrome.google.com/webstore/detail/access-panel-extension/ggjhpefgjjfobnfoldnjipclpcfbgbhl
Now the end result of setting this up can be shown in the video below.
3 thoughts on “Setting up Citrix SSO with Windows 10 and Azure AD Join”
Nice Article Marius.
If I understood your example,a user from a third party domain is authenticated to Azure AD using a third party idp(eg:-netscaler,google,ping federate etc) and from Azure AD using “Azure idp” he is getting logged into NetScaler SP.
Can you please confirm if the above scenario is correct?
Hi, in this scenario. Azure AD is the iDP and NetScaler is acting as a SAML SP. FAS component in Citrix is converting the SAML Token to Certificate to replace the kerberos login.