Citrix Federated Authentication Service (SAML) 1811

Last Modified: Dec 15, 2018 @ 12:01 pm

Navigation

This article applies to Federated Authentication Service (FAS) versions 1811, 1808, 7.15.3000 (LTSR), and all other versions 7.9 and newer.

Change Log

Overview

Citrix Federated Authentication Service (FAS) enables users to login to Citrix Gateway and StoreFront using SAML authentication.

With SAML, Citrix Gateway and StoreFront do not have access to the user’s password and thus cannot perform single sign-on to the VDA. FAS works around this limitation by using issuing certificates that can be used to logon to the VDA.

  • StoreFront asks Citrix Federated Authentication Service (FAS) to use a Microsoft Certificate Authority to issue Smart Card certificates on behalf of users.
  • The VDA requests the user’s certificate from FAS so it can complete the VDA Windows logon process.

FAS can be used for any authentication scenario where the user’s password is not provided.

Requirements:

  • Microsoft Certificate Authority in Enterprise mode
  • Citrix Virtual Apps and Desktops or XenApp/XenDesktop 7.9 or newer
  • StoreFront 3.6 or newer
  • NetScaler Gateway. Note: StoreFront 3.9 and newer also supports SAML authentication natively without NetScaler.
  • Receiver for Web only.
  • Receiver Self-Service for Windows 4.6 and newer supports SAML auth when connecting to StoreFront native SAML without NetScaler.

CTP Wilco van Bragt Citrix Federated Authentication Service (FAS) Tips and Tricks

From Citrix CTX225721 Federated Authentication Service High Availability and Scalability: you can build multiple FAS servers. Enter all FAS server FQDNs in the Group Policy. StoreFront will then use a hashing algorithm on the username to select a FAS server.

  1. If you have less than 10K users, one FAS server with 4 vCPUs (2.5Ghz) should be sufficient.
  2. You will require a minimum of one FAS server (with 8 vCPUs) per 25,000 users if all users expect to be able to logon under cold start conditions (no keys or certificates cached) within 60-90 minutes.
  3. A single FAS server can handle greater than 50K users under warm start conditions (keys and certificates pre-cached)
  4. One reserve FAS server for every four FAS servers for “Day 1” cold start (Users get new keys/certificates) & disaster recovery scenarios
  5. Split the FAS Certificate Authority from Certificate Authority that performs other tasks for both security and scalability purposes.

Also see the Citrix Federated Authentication Service Scalability whitepaper.

Federated Authentication Service Versions

The most recent Federated Authentication Service Current Release is version 1811, which is newer than version 7.18. Current Releases are only supported for 6 months from release date and are expected to be upgraded every 3-6 months.

The most recent FAS Long Term Service Release (LTSR) is version 7.15.3000. LTSR versions are supported for 5 years from release date. Cumulative Updates are released periodically.

Install/Upgrade Federated Authentication Service

The service should be installed on a secure, standalone server that does not have any other Citrix components installed. The FAS server stores user authentication keys, and thus security is paramount.

Federated Authentication Service 1811 is a Current Release, which is only supported for 6 months from release date. You are expected to upgrade it every 3-6 months. For longer term support, install Federated Authentication Service 7.15.3000 LTSR.

  1. On the Federated Authentication Service server, go to the Citrix Virtual Apps and Desktops or XenDesktop 7.9 or newer ISO, and run AutoSelect.exe.
  2. In Citrix Virtual Apps and Desktops or XenDesktop 7.13 and newer, in the lower half of the window, click Federated Authentication Service.
  3. Or in XenDesktop 7.9 through 7.12, on the bottom right, click Federated Authentication Service.
  4. In the Licensing Agreement page, select I have read, understand, and accept the terms of the license agreement, and click Next.
  5. In the Core Components page, click Next.
  6. In the Firewall page, click Next.
  7. In the Summary page, click Install.
  8. The installer might require a restart. Let it restart, and login again.

    1. After logging in, if you see a Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window, don’t click anything in the window.
    2. Mount the Citrix_Virtual_Apps_and_Desktops_7_1811.iso file.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window. On the left, expand This PC, and click the DVD Drive. Then click Select Folder.
    4. Installation will resume.
  9. In the Finish Installation page, click Finish.

FAS Group Policy

Configure a Group Policy that instructs StoreFront servers and VDAs on how to locate the FAS servers.

  1. On the Federated Authentication Service server, browse to C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Copy the files and folder.
  2. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files and folder. If PolicyDefinitions doesn’t exist in SYSVOL, then copy them to C:\Windows\PolicyDefinitions instead.
  3. Edit a GPO that applies to all StoreFront servers, all Federated Authentication Service servers, and all VDAs.
  4. Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication.
  5. Edit the setting Federated Authentication Service.
  6. Enable the setting and click Show.
  7. Enter the FQDN of the Federated Authentication Service server. You can add more than one Federated Authentication Service server.
  8. Click OK twice.
  9. On the Federated Authentication Service server, and VDAs, run gpupdate.
  10. On the FAS server, and on VDAs, look in the registry at HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses. Make sure this key and value exists. The number one cause why FAS doesn’t work is because this key is missing from VDAs. The FAS Address GPO must apply to VDAs too.
  11. If the VDAs and Users are in different domains, see CTX220497 Users from one AD Domain not able to get FAS user certificates from another trusted domain: add the Citrix StoreFront Servers, FAS server and VDA servers to the Windows Authorization Access Group in the users’ domain.
  12. By default, the VDAs will verify the certificates aren’t revoked by downloading the Certificate Revocation List. You can disable this by configuring HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors (DWORD) = 1 as detailed at CTX217150 Unable to login using the FAS Authentication – Getting Stuck on Please wait for local session manager.

FAS Configuration

  1. From the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
  2. The Federated Authentication Service FQDN should already be in the list (from group policy). Click OK.
  3. In Step 1: Deploy certificate templates, click Start.
  4. Click OK to add certificate templates to Active Directory. Sufficient permission is required.
  5. Note: the deployed Certificate Templates have Autoenroll enabled. You might want to disable that.

    1. On the Security tab, check every group assign to the template.
    2. Repeat for the other two templates.
  6. In Step 2: Setup Certificate Authority, click Start.
  7. Select a Certificate Authority to issue the certificates, and click Ok.
  8. In Step 3: Authorize this Service, click Start.
  9. Step 3 automatically submits an online request for the Registration Authority certificate to the CA and stores the non-exportable private key in the standard Microsoft Enhanced RSA and AES Cryptographic Provider. Alternatively, you can submit the certificate request manually, and store the private key in TPM or HSM as detailed at Federated Authentication Service private key protection at Citrix Docs. When running New-FasAuthorizationCertificateRequest, the -UseTPM switch is optional.
  10. Select the issuing Certificate Authority, and click OK.
  11. Step 3 is now yellow.
  12. Go to the Certificate Authority Console > Pending Requests. Find the pending request, and Issue it.
  13. In a minute or two, Federated Authentication Service will recognize the issued certificate and Step 3 will turn green.
    • If it doesn’t turn green, then there might be a private hotfix. See David Lloyd at Citrix Discussions.
    • Another user at XenDesktop 7.9 FAS at Citrix Discussions had to bump up the Validity Period of the Citrix_RegistrationAuthority_ManualAuthorization template to 2 days before it would authorize.
  14. After authorization, switch to the User Rules tab.
  15. Use the Certificate Authority drop-down to select the issuing Certificate Authority.
  16. Use the Certificate Template drop-down to select the Citrix_SmartcardLogon template.
  17. Click Edit next to List of StoreFront servers that can use this rule.
  18. Remove Domain Computers from the top half, and instead add your StoreFront servers. You could add an Active Directory security group instead of individual StoreFront servers.
  19. On the bottom half, make sure Assert Identity is Allowed. Click OK.
  20. By default, all users and all VDAs are allowed. You can click the other two Edit boxes to change this.
  21. When done, click Apply.
  22. Click OK when Rule updated successfully.
  23. To further restrict who can be issued certificates, go to your Certificate Authority’s Properties, and use the Enrollment Agents tab to restrict enrollment agents.

StoreFront Configuration

  1. On the StoreFront 3.6 or newer server, run the following elevated PowerShell command:
    & "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
  2. Run the following commands. Adjust the store name as required.
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
  3. If you have multiple StoreFront servers, Propagate Changes.
  4. On a Citrix Delivery Controller, run the following commands:
    asnp citrix.*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

If you ever need to disable FAS on StoreFront, run the following commands. Adjust the store name as required.

$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""

NetScaler Gateway Config

SAML on NetScaler Gateway

Configure the SAML iDP:
Every iDP has unique instructions. Search Google for your iDP and NetScaler and you might find a iDP-specific guide.

The screenshots in this section use ADFS as an example iDP. Your iDP will be different.

  1. In your SAML iDP, create a Relying Party Trust (aka service provider trust) or new Application.
  2. NetScaler doesn’t have a SAML metadata service, but you can create a metadata file manually by following the instructions at Citrix CTX133919 How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IDP.
  3. Otherwise, select the option to enter relying party data manually.
  4. For the Assertion Consumer Service URL (aka relying party service URL), enter the URL to your NetScaler Gateway with /cgi/samlauth appended to the end (e.g. https://gateway.corp.com/cgi/samlauth)
  5. Enter a Relying party trust identifier. You must specify the same identifier (Issuer Name) on the NetScaler as detailed soon.
  6. Configure the SAML iDP to send email address or User-Principal-name as Name ID. NetScaler receives the Name ID and sends it to StoreFront. StoreFront will look in Active Directory for an account with userPrincipalName that matches the Name ID.
  7. NetScaler will sign the authentication requests it sends to the iDP. On the NetScaler, you will soon configure the NetScaler signing certificate with private key that signs the requests. In your SAML iDP, import the same NetScaler signing certificate but without private key.
  8. Copy the SAML authentication URL (aka Token Issuance URL) from your SAML iDP. You’ll need to enter this same URL on your NetScaler later.
  9. Export the iDP Token-signing certificate from your SAML iDP. The iDP could be ADFS, Okta, Ping, etc.

Configure the NetScaler:

  1. Instructions for NetScaler 11.1 and NetScaler 12 are essentially the same.
    • NetScaler 11 is very similar, except the Certificates are in a different place in the menu tree.
  2. On NetScaler, import the iDP SAML token-signing certificate (without private key) under Traffic Management > SSL > Certificates > CA Certificates. NetScaler uses this certificate to verify the signature of the SAML assertion from the iDP.

  3. Move up two nodes to Server Certificates and Import or create a NetScaler SAML signing certificate with private key for signing of SAML authentication requests to the iDP. This can be the same certificate used on NetScaler Gateway. Or a more common practice is to create a self-signed certificate.

    • You’ll also need to import this NetScaler SAML SP signing certificate (without private key) to your SAML iDP so it can verify the SAML authentication request signature from the NetScaler.
  4. Go to NetScaler Gateway > Policies > Authentication > SAML. The quickest way to get here is to enter SAML in the search box on top of the menu.
  5. On the right, switch to the Servers tab, and click Add.
  6. Enter the information for authenticating with your SAML iDP. This configuration will vary depending on your SAML iDP.
    1. For iDP Certificate Name, select the SAML iDP’s certificate that was exported from the SAML iDP and imported to NetScaler. NetScaler will use this iDP certificate to verify SAML assertions from the iDP.
    2. For Redirect URL, enter the URL to the SAML iDP’s authentication page. NetScaler Gateway will redirect users to this URL. For ADFS, enter your ADFS URL appended with /adfs/ls (e.g. https://adfs.corp.com/adfs/ls). For other iDPs, get the URL from your iDP.
    3. For Signing Certificate Name, select the NetScaler certificate (with private key) that NetScaler will use to sign authentication requests to the iDP. This same certificate (without private key) must be imported to the iDP, so the iDP can verify the authentication request signature.
    4. Enter an Issuer Name that the SAML iDP is expecting for the Relying Party.  This Issuer Name must match the name you configured on the iDP’s Relying Party (Service Provider) Trust.
    5. Scroll down and click More.
    6. NetScaler defaults to SHA1. You might have to change the Signature Algorithm and Digest Method to SHA256.
    7. Review the other settings as needed by your iDP. Click Create when done.
  7. On the right, switch to the Policies tab, and click Add.

    1. Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
  8. Create NetScaler Gateway Session Polices if you haven’t already.
  9. Edit your Session Policy/Profile.

    1. On the Published Applications tab, make sure Single Sign-on Domain is not configured.
  10. Create a NetScaler Gateway Virtual Server if you haven’t already.
  11. Edit your Gateway Virtual Server. Go to the Basic Authentication section, and add a policy.
  12. Bind the SAML policy. This is the only authentication policy you need. You can remove all other authentication policies.

  13. Next step: configure StoreFront for SAML NetScaler Gateway.

StoreFront Config for SAML NetScaler Gateway

  1. In StoreFront 3.6 or newer, right-click the store, and click Manage Authentication Methods.
  2. Make sure Pass-through from NetScaler Gateway is selected.
  3. Click the gear icon on the right, and click Configure Delegated Authentication.
  4. Check the box next to Fully delegate credential validation to NetScaler Gateway, and click OK twice.
  5. In StoreFront, add a NetScaler Gateway object that matches the NetScaler Gateway Virtual Server that has SAML enabled.
  6. On the Authentication Settings page, make sure you configure a Callback URL. It won’t work without it.
  7. Then assign (Configure Remote Access Settings) the Gateway to your Store.

  8. Next step: create Active Directory Shadow Accounts

Native SAML on StoreFront without NetScaler

StoreFront 3.9 and newer have native support for SAML Authentication without NetScaler. Notes:

  • SAML overrides Explicit and Pass-through authentication.
  • SAML in StoreFront without NetScaler seems to work in Receiver Self-Service for Windows.

For an example configuration using StoreFront PowerShell commands and SAML metadata, see CTX232042 Configure StoreFront with OKTA.

To configure native SAML in StoreFront 3.9 or newer:

  1. Export the signing certificate from your SAML iDP. The iDP could be ADFS, Okta, Ping Identity, etc.
  2. In StoreFront 3.9 or newer console, right-click a Store, and click Manage Authentication Methods.
  3. Check the box next to SAML Authentication. If you don’t see this option (because you upgraded), click the Advanced button on the bottom of the window, and install the authentication method.
  4. On the right, click the gear icon for SAML, and click Identity Provider.
  5. Change the SAML Binding to the method your iDP expects.
  6. Enter the iDP token issuance endpoint URL. For example, in ADFS, the path is /adfs/ls.
  7.  Click Import.
  8. Browse to the signing certificate exported from your iDP, and click Open.
  9. Then click OK to close the Identity Provider window.
  10. On the right, in the SAML Authentication row, click the gear icon, and then click Service Provider.
  11. Click the first Browse button.
  12. Give the Signing certificate a name, and save it somewhere.
  13. Click the second Browse button.
  14. Give the Encryption certificate a name, and save it somewhere.
  15. Copy the Service Provider Identifier. Or you can change it to your desired value. Then click OK.
  16. In your iDP (e.g. ADFS), create a Relying Party Trust.
  17. Import the Encryption certificate that you exported from StoreFront.
  18. Enable SAML 2.0.
  19. For the Assertion Consumer Service (ACS) path, enter something similar to https://storefront.corp.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService. The hostname portion of the URL is equivalent to your StoreFront Base URL. /Citrix/StoreAuth matches your Store name with Auth on the end. The rest of the path must be /SamlForms/AssertionConsumerService. You can get this ACS value by looking in the SAML metadata at the bottom of https://<storefront host>/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata.

  20. For the Relying party trust identifier, enter the identifier you copied from the Service Provider window in StoreFront.
  21. Configure the Claim Rules to send the user’s email address or userPrincipalName as Name ID.
  22. Edit the Relying Party Trust. Import the Signing certificate that you exported from StoreFront.

  23. Create Active Directory Shadow Accounts. Federated users must be userPrincipalName mapped to local Active Directory accounts.
  24. If you point your browser to https://<storefront-host>/Citrix/<storename>Auth/SamlTest, it should perform a SAML Login, and then show you the assertion that was returned from the iDP. See Citrix CTX220639 How to configure SAML Authentication-Test Configuration.
  25. See Citrix CTX220682 Storefront SAML Troubleshooting Guide for event logs, SAML Metadata, Active Directory account mapping, Trust XML, etc.
  26. When you go to your Receiver for Web page, it should automatically redirect you to your iDP. After authentication, it should redirect you back to StoreFront and show you your icons.
  27. ADFS also works in Receiver 4.6 and newer. Currently, the only supported configuration is ADFS with SAML to StoreFront without NetScaler.
  28. When you logoff, it won’t let you log on again unless you close your browser and reopen it.

  29. To fix this problem, see CTP Sacha Thomet StoreFront – Allow relogin without browser close. Edit the file C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js, and add the following line:
    CTXS.allowReloginWithoutBrowserClose = true

  30. Now when you logoff, you’re given an option to log on again.

Active Directory Shadow Accounts

To login to Windows (Citrix VDA), every user must have an Active Directory account in a domain trusted by the VDA. For Federated Users, you typically need to create shadow accounts for each Federated user in your local Active Directory. These Shadow accounts need a userPrincipalName that matches the SAML attribute (usually email address) provided by the SAML iDP.

If the email address provided by the SAML iDP does not match the UPN suffix for your domain, then do the following:

  1. Open Active Directory Domains and Trust.
  2. Right-click the top left node (not a domain node), and click Properties.
  3. In the UPN Suffixes tab, add a UPN suffix that matches the email suffix provided by the SAML iDP.
  4. When creating a shadow account in your Active Directory, the new UPN suffix is available in the drop-down list. Note that the pre-Windows 2000 logon name can’t conflict with any other user in the domain.
  5. The password for these Shadow accounts can be any random complex password since the Federated users never need the Shadow account’s password.
  6. If the shadow account is already created, edit the account, and on the Account tab, use the drop-down to select the new UPN suffix.
  7. Create a shadow account for every federated user. There are third party Identity Management tools that can automate this. Or get an export from the iDP and use PowerShell scripting to create the acccounts.

Verify FAS

When FAS is enabled on StoreFront, every user that logs into StoreFront (local or remote) causes a user certificate to be created on the FAS server. You can see these user certificates by running the following PowerShell commands:

Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasUserCertificate -address fas01.corp.local

Citrix uses these certificates to logon to the VDA as the user. No password needed.

323 thoughts on “Citrix Federated Authentication Service (SAML) 1811”

  1. Hi Carl,
    I need some expert Advice on User Access.
    Environment:- Citrix XD7.15 on Azure Cloud not using Citrix cloud services.
    Stand Alone AD server (xyz.com)in Azure not using azure ad services.
    Two types of user:-
    1. User account exist in xyz.com
    2. User account doesn’t exist in xyz.com (abc.com)
    There is no trust between two domains.
    There is no ADFS services in xyz.com

    We need two factor authentication for both users.
    we are proposing Azure MFA for xyz.com
    what we need for user from abc.com to get two factor authentication and get access to citrix vdi.
    will Citrix FAS will do the needful or we need third part product for abc.com.
    can azure mfa and cfas working in coordination.

    1. For the non-trusted domain, you need SAML to offload authentication to another service, and then FAS to perform SSON after authentication is complete. Don’t forget you’ll need shadow accounts in the local domain for the untrusted users.

  2. Hi Carl,

    I am getting S104 error . I am getting “the request is not supported” in VDA.I am pasting the error message below. Do you have any thoughts?.

    [S104] Identity Assertion Logon failed. Failed to connect to Federated Authentication Service: UserCredentialService [Address:XXXX.XXX>XX][Index: 0] [Error: Access Denied
    Server stack trace:
    at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at Citrix.Authentication.UserCredentialServices.IConvertCredentials.CheckAvailableCredentials(String cookie, String& upn, String& userSid)
    at Citrix.Authentication.IdentityAssertion.HdxCredentialSelector.c__DisplayClass8.b__7()]

    1. The FAS server has a User Rules configuration. One of the fields is permitted VDAs. Was that changed from the default of Domain Computers?

  3. Carl,

    Do you know of a way to see when the validity period of the FAS RA cert ends? I don’t see it in any of the PS commands.

    1. It’s under HKEY_USERS\S-1-5-20\SOFTWARE\Citrix\TrustFabric\TrustAreas\79b05e78-33f3-494b-8ae4-3ede6cb2eaa7\Software\Microsoft\SystemCertificates\My\Certificates. To view it, I exported it from here, and imported it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates and then viewed it in certlm.msc.

  4. We’re getting a strange error when utilizing Okta and Citrix FAS. It passes through and we can get to the storefront. After clicking on an app, it looks like it opens but then a Windows Server 2008 logon screen with “Other User” is displayed. What are we missing?

      1. I am having this same problem on an internal storefront. We recently enabled Hello for Business which breaks single sign-on. So we are testing FAS, but get the same problem described where the logon prompt appears after launching an app. I have verified the GP is assigned to the VDA and that a certificate is issued for my user account on the FAS server.

  5. I’ve set up an acceptance environment, where the SF and DDC are on one server in Forest A, and the CA and FAS are on another server in Forest B (with the users). Handoff to the IDP works, assertion is received and applications enumerate. However at launch I receive “Cannot start…” on the SF server, I also receive the error Event 28: Failed to launch the resource “Application Name” using the Citrix XML service at address”??”. If I create a second store with explicit credentials on the same account the app launches..It appears that with SAML enabled the SF server is unable to fully query the user’s AD. Any suggestions?

      1. yes, XML is trusted…the above is the only Citrix error recorded. no other obvious failures or errors during this period

  6. Morning Carl, Can you explain why we need to leave the Single Sign On box uncheck under the Published Applications tab on the Netscaler? Thx

    1. You mean the SSON Domain? The SAML token contains the user’s userPrincipalName, which is fully sufficient for StoreFront to identify the user’s domain. No need for Gateway to send the domain info to StoreFront.

      1. I kind of thought as much just making sure. We have SAML w/ Azure AD working on our gateway for web, still waiting for Citrix to give us an answer about SAML working for workspace via the gateway. White papers dont say it wont work, but i’ve seen people say it is only supported on the mac version of workspace.

      2. Hi Carl, I’ve set this up with an admin account and works perfectly, don’t know if something’s cached somewhere because it still works even when I clear the cert from SF – but a user account can’t get to the Store “Cannot Complete Your Request” – SF events show failed with UPN and blank domain, 403 forbidden. – Cert templates have permissions for all. Bit lost… Any ideas? 🙂

Leave a Reply