Citrix Federated Authentication Service Integration with APM


Graham Alderson, 2016-19-12

Introduction

This guide covers how to use APM as the access gateway in front of StoreFront when using Citrix FAS. This enables you to leverage authentication methods like SAML, Kerberos, or NTLM on the client side. Note that almost any auth method can be supported via Receiver for Web, but Receiver self-service does not support some auth methods, such as SAML.

Deploy Citrix Federated Authentication Service

Now you'll need to deploy Citrix Federated Authentication Service (FAS). Deployment of FAS is out of scope for this article, but as there are many parts, I found the following guide from Carl Stalhood very helpful: http://www.carlstalhood.com/citrix-federated-authentication-service-saml. Ignore the section "SAML on NetScaler Gateway", since you're going to deploy APM instead, but don't miss the last section, "Configuring StoreFront for SAML Gateway". When configuring StoreFront, anywhere it requests the NetScaler Access Gateway address you'll use the FQDN you intend to use for your virtual server on BIG-IP (how users will access StoreFront). Examples include the callback URL field when configuring the authentication, and the NetScaler Gateway configuration itself.

Before proceeding, you should be able to go directly to the StoreFront server, log in, and launch an application successfully. There can still be misconfigurations that prevent access through an access gateway, but you will have fewer areas left as problems. You must use an Enterprise CA; otherwise, on the CA you will see pending certificates not getting approved automatically and you will be unable to launch apps. Also note that if you have previously made configuration modifications usually needed for earlier versions like Citrix 6.5, such as hosts file entries, those should be removed prior to proceeding. For correct operation of FAS, DNS needs to be set up properly, which may include setting up PTR records.
Create the SAML SP

In the BIG-IP GUI go to Access Policy -> SAML -> BIG-IP as SP and click Create. You'll create an SP config with the entity ID in the format https://my-vs-fqdn.domain.com. All the rest can be left default.

Now you'll need to set up your IdP connector. This could be another BIG-IP APM, ADFS, Okta, or any other IdP service. You can import the metadata if available, or you can configure it manually. Configuring the IdP connector is out of scope for this article, but after configuring it, you'll select your SP and click the Bind/Unbind IdP Connectors button, then Add New Row, select it from the drop-down as the SAML IdP Connector, then click Update, OK. Note that you can bind multiple IdP connectors here if there are multiple IdPs. You need to set a matching source (variable) and the matching value that should cause use of that IdP. A common solution might be %{session.server.landinguri} for the source and /customer1 for the matching value to go to customer 1's IdP. Now you'll see this on the SP configuration page.

Your IdP should be set up to send either the user's userPrincipalName or sAMAccountName as the NameID. This should match either the userPrincipalName or sAMAccountName of the user account in the AD domain used by Citrix that you want the user logged in as. Carl Stalhood's guide linked above provides an example configuring the ADFS IdP, and he is using userPrincipalName. Note that if you decide to use alternate UPNs (not matching your AD domain name) for your users, you will also need to enable those domains in Trusted Domains on your StoreFront server.

Deploy the iApp

Now we can move on to deploying APM as your access gateway. First, deploy the latest iApp. At the time of writing this article, that's version 2.4.0. When deploying the iApp you'll need to answer the following questions as shown. You'll need to specify your STA servers. Finally, pay special attention to the DNS name you're going to have clients use. This should be the same as you used in the Citrix StoreFront configuration earlier and the SAML configuration later. This is how users are going to access the deployment.

Now you have the iApp for Citrix deployed, but it's using the default forms-based authentication. You need to customize the authentication method. This guide will help you deploy SAML authentication, but as mentioned you could use NTLM, Kerberos, or another authentication method.

Before proceeding you need to verify that the certificate you've selected is valid. If it is not, SSO will fail when StoreFront tries to call back to the virtual server and the user will get the error "Cannot Complete Your Request". You can browse to the FQDN you entered from the StoreFront server to make sure you don't get certificate errors. Normally you would use a publicly signed certificate and that will work fine (but don't forget the chain). If it's an internally signed certificate, your StoreFront server needs to trust it as well.

Modify the iApp's APM Policy

By default the policy looks like this: We need to modify it to look like this:

To modify the policy you will need to turn off Strict Updates on the iApp. Note that in this case we aren't modifying the Receiver branch, because Receiver doesn't support SAML authentication. You could just change it to deny Receiver clients if desired.

First, remove the Logon Page, AD Authentication, and SSO Credential Mapping objects from the Browser branch. Next, add a SAML Auth object right before the Session Variable Assign object (plus sign, Authentication tab, SAML Auth). Select the SP you configured earlier. Next, open the Session Variable Assign. You need to add a new entry and set session.logon.last.username to equal the session variable session.saml.last.nameidvalue. Notice that the domain and sta_servers variables were already set here; those were done by the iApp.
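As an added illustration (not code from the article or from F5), the following Python models two pieces of the configuration described above: the IdP-connector selection driven by %{session.server.landinguri} from the Create the SAML SP section, and the Session Variable Assign that copies the NameID into session.logon.last.username, together with the Trusted Domains requirement for alternate UPNs. The SAML response, the connector names and the prefix-matching rule are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not captured from a real IdP): the IdP sends
# the user's userPrincipalName as the NameID, as in the ADFS setup referenced above.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'jdoe@corp.example</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)

# Hypothetical Bind/Unbind IdP Connectors rows: (matching value, connector name),
# each with %{session.server.landinguri} as the matching source.
IDP_BINDINGS = [("/customer1", "idp-customer1"), ("/customer2", "idp-customer2")]

def select_idp_connector(landing_uri, bindings=IDP_BINDINGS):
    """Choose the IdP connector whose matching value the landing URI starts with
    (prefix matching is an assumption of this example, not documented APM behaviour)."""
    for prefix, connector in bindings:
        if landing_uri.startswith(prefix):
            return connector
    return None  # no row matched: SAML Auth would have no IdP to redirect to

def extract_nameid(response_xml):
    """Return the NameID that APM exposes as session.saml.last.nameidvalue."""
    node = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID; nothing to map to a username")
    return node.text.strip()

def logon_username(nameid, ad_domain, trusted_domains=()):
    """Value the Session Variable Assign puts in session.logon.last.username.
    A UPN suffix that is neither the Citrix AD domain nor a StoreFront trusted
    domain is rejected here, because StoreFront would not log that user in."""
    if "@" not in nameid:  # bare sAMAccountName passes through unchanged
        return nameid
    suffix = nameid.rpartition("@")[2].lower()
    allowed = {ad_domain.lower(), *(d.lower() for d in trusted_domains)}
    if suffix not in allowed:
        raise ValueError(f"UPN suffix '{suffix}' is not a trusted domain on StoreFront")
    return nameid

def session_variables(response_xml, ad_domain, trusted_domains=()):
    """Variables the modified policy sets before handing off to Citrix SSO."""
    nameid = extract_nameid(response_xml)
    return {"session.saml.last.nameidvalue": nameid,
            "session.logon.last.username": logon_username(nameid, ad_domain, trusted_domains)}
```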

Here is what creating that looks like: Now your policy should look like the one above. Be sure to click Apply Policy in the top left.

Test

And finally you should be able to browse to the FQDN of your new virtual server, be redirected to your SAML IdP for authentication, then get redirected back and SSO'ed in to your Citrix environment. You should be able to see the StoreFront catalog and launch an application.

Updates

12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment.

F5 Networks, Inc. 401 Elliot Avenue West, Seattle, WA 98119 888-882-4447 f5.com
F5 Networks, Inc. Corporate Headquarters info@f5.com; F5 Networks Asia-Pacific apacinfo@f5.com; F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com; F5 Networks Japan K.K. f5j-info@f5.com
2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113