Scenario 3 StoreFront SAML integration without ADC
  • 23 Mar 2024

Since the introduction of identity providers in the Liquit Workspace, it has become possible to use SAML federation with the Citrix StoreFront.

In this scenario:

  • Citrix Federated Authentication Services (FAS) is deployed and configured.
  • Citrix Application Delivery Controller (ADC) is not used, or it only functions as a pass-through (reverse proxy) without any intelligence (no ICA acceleration, for example). If Citrix ADC is used and handles authentication, see Scenario 4 StoreFront via ADC SAML integration.

Prerequisites

Liquit Access Manager license

The SAML identity provider is available only with a valid Liquit Access Manager license. We recommend you contact Liquit Sales if the option is not available in your Liquit System.

Configure the Citrix StoreFront for SAML

Citrix StoreFront does not support importing SAML identity provider metadata, so the configuration must be entered manually in StoreFront.

  1. In the Citrix StoreFront store, navigate to Manage Authentication Methods.
  2. Enable the SAML Authentication method. If it is not listed, click Advanced at the bottom of the dialog, select “Install or uninstall authentication methods” and then select SAML Authentication.
  3. Click on the gear icon of the SAML Authentication method and select Identity Provider.

[Screenshot: Manage Authentication Methods]

In this screenshot, the Liquit Workspace StoreFront connector is using HTTP Basic authentication.

  4. Configure the following parameters:
    • SAML Binding: Post
    • Address: Use the entity ID of the Liquit SAML identity provider followed by “sso” (for example: https://workspace.liquit.com/idp/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2/sso)
    • Click “Import…” at the bottom of the dialog and select the Liquit SAML identity provider public certificate.

[Screenshot: StoreFront Identity Provider dialog]

  5. Click OK to save changes.
  6. After closing the dialog, click again on the gear icon of the SAML Authentication method and this time select Service Provider.
  7. Note down the “Service Provider Identifier”, as you need it in the next step to register the StoreFront SAML Service Provider in the Liquit Workspace.

[Screenshot: StoreFront Service Provider dialog]

Register the StoreFront SAML Service Provider in the Liquit Workspace

  1. In the Liquit Workspace, navigate to Manage > Authentication > Identity Providers and open the desired SAML identity provider.
  2. Navigate to the Service Providers screen and click Create service provider.
  3. In Type, select Import Service provider from Metadata.
  4. In General, provide a name to identify the new service provider later, for example “StoreFront - Store Service”. Specify the metadata URL using the URL that was noted down from the StoreFront Service Provider dialog:
    • Change the URL schema to “https” if the StoreFront server is configured for SSL.
    • Verify that the domain name is reachable from the Liquit Workspace (it could be that the domain name needs to be changed from server name to public DNS name).
    • Append “/SamlForms/ServiceProvider/Metadata” to the end of the URL.

After that, the URL should for example look like this:

https://citrix.liquit.com/Citrix/Authentication/SamlForms/ServiceProvider/Metadata

/Citrix/Authentication is only used for the default store; new stores will have a URL path like /Citrix/[Store name]Auth, for example https://citrix.liquit.com/Citrix/DemoAuth/SamlForms/ServiceProvider/Metadata.

  5. In Summary, leave the checkbox Modify Service Provider after creation selected. The service provider entry will be created and populated with the information found in the metadata.
  6. Configure the name identifier on the service provider as follows:
    Name Identifier: Persistent
    User attribute: User principal name

[Screenshot: Liquit Workspace service provider settings]

Alternatively, you can provide the metadata XML directly by selecting the source "XML" in the creation wizard.
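The URL rewriting steps above (switch to https, use a host name the Liquit Workspace can reach, append the metadata path) and a sanity check of the fetched metadata, as an added Python example that is not Liquit or Citrix code. The host names, store name and the metadata XML are constructed sample values; a real StoreFront metadata document contains more elements than shown here.

```python
"""Build the StoreFront SP metadata URL and sanity-check SAML SP metadata."""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

METADATA_SUFFIX = "/SamlForms/ServiceProvider/Metadata"
SAML_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def storefront_metadata_url(sp_identifier: str, public_host: str = "",
                            ssl: bool = True) -> str:
    """Turn the noted Service Provider Identifier into the metadata URL:
    https scheme when StoreFront uses SSL, reachable host, metadata suffix."""
    parts = urlsplit(sp_identifier)
    scheme = "https" if ssl else parts.scheme
    host = public_host or parts.netloc          # e.g. server name -> public DNS name
    path = parts.path.rstrip("/") + METADATA_SUFFIX
    return urlunsplit((scheme, host, path, "", ""))


def check_sp_metadata(xml_text: str) -> dict:
    """Return entityID and the HTTP-POST AssertionConsumerService location.
    Raises ValueError if the document is not usable with the Post binding
    configured on the StoreFront side."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = [e for e in root.iterfind(".//md:AssertionConsumerService", NS)
           if e.get("Binding") == SAML_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    return {"entity_id": root.get("entityID"), "acs": acs[0].get("Location")}


# Constructed sample metadata (not captured from a real StoreFront server).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://citrix.liquit.com/Citrix/DemoAuth/SamlForms/ServiceProvider">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://citrix.liquit.com/Citrix/DemoAuth/SamlForms/AssertionConsumerService"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Identifier as noted from StoreFront (internal server name, plain http).
    print(storefront_metadata_url("http://sf01.corp.local/Citrix/DemoAuth", "citrix.liquit.com"))
    print(check_sp_metadata(SAMPLE_METADATA))
```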
