Scenario 4 StoreFront via ADC SAML integration

This scenario describes the integration of Liquit Workspace with Citrix StoreFront for external application access through Citrix ADC.

In this scenario:

• Citrix Federated Authentication Services (FAS) is deployed and configured.

Prerequisites

• Liquit Workspace 3.2 or later
• A Citrix ADC 12.1.xx or later configured with a virtual server for the StoreFront
• Citrix XenApp/XenDesktop 7.9 or late
• Citrix StoreFront connector must be configured
• Citrix StoreFront must be configured for Citrix ADC (Gateway)
• Citrix Federated Authentication Service must be deployed and configured
• SAML identity provider must be configured on the Liquit server
• The public certificate of the Liquit SAML identity provider must be exported as base 64

For enhanced integration, see Configure the Citrix StoreFront connector.

ADC Configuration

The configuration steps described here are done in the web interface of the Citrix ADC.

1. In Citrix ADC navigate to Traffic Management > SSL > Certificates > Server Certificates and click Install.
2. Import the Liquit SAML identity provider public certificate into ADC.
3. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML > Policies.
4. Add a new policy with the following parameters:

• Name: LIQUIT_IDP_POLICY
• Expression: ns_true

5. Click on Add on the row of the server combo box and configure the following parameters (for some options, you need to click the “More” link at the bottom of the pane):

• Name: LIQUIT_IDP_SERVER
• Redirect URL: https://workspace.liquit.com/idp/{guid}/saml2/sso (the entity ID can be found on the Liquit SAML identity provider details page, followed by “sso”)
• Single Logout URL: https://workspace.liquit.com/idp/{guid}/saml2/slo (the entity ID can be found on the Liquit SAML identity provider details page, followed by “slo”)
• SAML Binding: POST
• Logout Binding: REDIRECT
• IdP Certificate Name: The Liquit identity provider certificate that was imported
• Authentication Type: SAML
• User Field: Name ID
• Signing Certificate Name: The Citrix ADC certificate that will be used to sign SAML requests
• Issuer Name: This can be anything, for example: https://{Virtual server dns name}/saml
• Reject Unsigned Assertion: ON
• Authentication Class Types: Select "PasswordProtectedTransport"
• Signature Algorithm: RSA-SHA256
• Digest Method: SHA256

After creating the SAML Server, the metadata can be exported and used for registering the StoreFront SAML Service Provider in the Liquit Workspace.
If ADC version 12.1+ is being used, then the popup window that will be shown will contain a URL in the address bar that can be directly used by Liquit Workspace for importing the SAML metadata.
The newly created SAML policy can now be configured as the primary authentication policy on the virtual server for StoreFront.

Register the StoreFront SAML Service Provider in the Liquit Workspace

1. In the Liquit Workspace, navigate to Manage > Authentication > Identity Providers and open the desired SAML identity provider.
2. Navigate to the Service Providers screen and click Create service provider.
3. In Type, select Import Service provider from Metadata.
   In General, provide a name to identify the new service provider later. For example, “ADC - Store Service”. Specify the import method that is appropriate for your environment and provide the metadata source.

4. In Summary, leave the checkbox Modify Service Provider after creation selected. The service provider entry will be created and populated with the information found in the metadata.
5. Configure the Name Identifier on the server provider as follows:
   • Name Identifier: Persistent
   • User attribute: User principal name