Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud
Citrix Cloud supports using an on-premises Citrix Gateway as an identity provider to authenticate subscribers signing in to their workspaces.
By using Citrix Gateway authentication, you can:
- Continue authenticating users through your existing Citrix Gateway so they can access the resources in your on-premises Virtual Apps and Desktops deployment through Citrix Workspace.
- Use the Citrix Gateway authentication, authorization, and auditing functions with Citrix Workspace.
- Use features such as pass-through authentication, smart cards, secure tokens, conditional access policies, federation, and many others while providing your users access to the resources they need through Citrix Workspace.
Citrix Gateway authentication is supported for use with the following product versions:
- Citrix Gateway 13.0 41.20 Advanced edition or later
- Citrix Gateway 12.1 54.13 Advanced edition or later
Prerequisites
-
Cloud Connectors - You need at least two servers on which to install the Citrix Cloud Connector software.
-
Active Directory - Perform the necessary checks.
-
Citrix Gateway requirements
-
Use advanced policies on the on-premises gateway due to deprecation of classic policies.
-
When configuring the Gateway for authenticating subscribers to Citrix Workspace, the gateway acts as an OpenID Connect provider. Messages between Citrix Cloud and Gateway conform to the OIDC protocol, which involves digitally signing tokens. Therefore, you must configure a certificate for signing these tokens.
-
Clock synchronization - The Gateway must be synchronized to NTP time.
-
For details, see Prerequisites.
Create an OAuth IdP policy on the on-premises Citrix Gateway
Important:
You must have generated the client ID, secret, and redirect URL in the Citrix Cloud > Identity and Access Management > Authentication tab. For details, see Connect an on-premises Citrix Gateway to Citrix Cloud.
Creating an OAuth IdP authentication policy involves the following tasks:
-
Create an OAuth IdP profile.
-
Add an OAuth IdP policy.
-
Bind the OAuth IdP policy to an authentication virtual server.
-
Bind the certificate globally.
Creating an OAuth IdP profile by using the CLI
At the command prompt, type;
add authentication OAuthIDPProfile <name> [-clientID <string>][-clientSecret ][-redirectURL <URL>][-issuer <string>][-audience <string>][-skewTime <mins>] [-defaultAuthenticationGroup <string>]
add authentication OAuthIdPPolicy <name> -rule <expression> [-action <string> [-undefAction <string>] [-comment <string>][-logAction <string>]
add authentication ldapAction <name> -serverIP <IP> -ldapBase "dc=aaa,dc=local"
ldapBindDn <administrator@aaa.local> -ldapBindDnPassword <password> -ldapLoginName sAMAccountName
add authentication policy <name> -rule <expression> -action <string>
bind authentication vserver auth_vs -policy <ldap_policy_name> -priority <integer> -gotoPriorityExpression NEXT
bind authentication vserver auth_vs -policy <OAuthIDPPolicyName> -priority <integer> -gotoPriorityExpression END
bind vpn global -certkeyName <>
<!--NeedCopy-->
Creating an OAuth IdP profile by using the GUI
-
Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP.
-
In the OAuth IDP page, select the Profiles tab and click Add.
-
Configure the OAuth IdP profile.
Note:
-
Copy and paste the client ID, secret, and Redirect URL values from the Citrix Cloud > Identity and Access Management > Authentication tab to establish the connection to Citrix Cloud.
-
Enter the Gateway URL correctly in the Issuer Name Example: https://GatewayFQDN.com
-
Also copy and paste the client ID in the Audience field as well.
-
Send Password: Enable this option for single sign-on support. This option is disabled by default.
-
-
On the Create Authentication OAuth IDP Profile screen, set values for the following parameters and click Create.
-
Name – Name of the authentication profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the profile is created.
- Client ID – Unique string that identifies SP. Authorization server infers client configuration using this ID. Maximum Length: 127.
- Client Secret – Secret string established by user and authorization server. Maximum Length: 239.
- Redirect URL – Endpoint on SP to which code/token has to be posted.
- Issuer Name – Identity of the server whose tokens are to be accepted. Maximum Length: 127. Example: https://GatewayFQDN.com
- Audience – Target recipient for the token being sent by IdP. This might be checked by the recipient.
- Skew Time – This option specifies the allowed clock skew in minutes that Citrix ADC allows on an incoming token. For example, if skewTime is 10, then the token would be valid from (current time - 10) min to (current time + 10) min, that is 20 min in all. Default value: 5.
- Default Authentication Group – A group added to the session internal group list when this profile is chosen by IdP which can be used in nFactor flow. It can be used in the expression (AAA.USER.IS_MEMBER_OF(“xxx”)) for authentication policies to identify relying party related nFactor flow. Maximum Length: 63
A group is added to the session for this profile to simplify policy evaluation and help in customizing policies. This is the default group that is chosen when the authentication succeeds in addition to the extracted groups.
- Relying Party Metadata URL: Endpoint at which the Citrix ADC IdP can get details about the relying party being configured. The metadata response must include endpoints for the jwks_uri for RP public keys. Maximum length is 255.
- Refresh Interval: The interval at which the relying party metadata is refreshed. The default interval is 50.
- Encrypt Token: When you select this option, the token sent by Citrix ADC is encrypted.
- Signature Service: Name of the cloud service that is used to sign the data. This is applicable only if the signature if offloaded to cloud.
- Attributes: Name-Value pairs of the attributes to be inserted in the ID token. Maximum length is 1047 characters.
- Send Password: Select this option to send the encrypted password in the ID token.
-
-
Click Policies and click Add.
-
On the Create Authentication OAuth IDP Policy screen, set values for the following parameters and click Create.
- Name – The name of the authentication policy.
- Action – Name of profile created earlier.
- Log Action – Name of the message log action to use when a request matches this policy. Not a mandatory filed.
- Undefined-Result Action – Action to perform if the result of policy evaluation is undenfined(UNDEF). Not a mandatory field.
- Expression – Default syntax expression that the policy uses to respond to specific request. For example, true.
- Comments – Any comments about the policy.
Note:
When sendPassword is set to ON (OFF by default), user credentials are encrypted and passed through a secure channel to Citrix Cloud. Passing user credentials through a secure channel allows you to enable SSO to Citrix Virtual Apps and Desktops upon launch.
Binding the OAuthIDP policy and LDAP policy to the authentication virtual server
-
Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Actions > LDAP.
-
On LDAP Actions screen, click Add.
-
On the Create Authentication LDAP Server screen, set the values for the following parameters, and click Create.
- Name – The name of the LDAP action
- ServerName/ServerIP – Provide FQDN or IP of the LDAP server
- Choose appropriate values for Security Type, Port, Server Type, Time-Out
- Make sure Authentication is checked
-
Base DN – Base from which to start LDAP search. For example,
dc=aaa,dc=local. -
Administrator Bind DN: User name of the bind to LDAP server. For example,
admin@aaa.local. - Administrator Password/Confirm Password: Password to bind LDAP
- Click Test Connection to test your settings.
- Server Logon Name Attribute: Choose “sAMAccountName”
- Other fields are not mandatory and hence can be configured as required.
-
Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Policy.
-
On the Authentication Policies screen, click Add.
-
On the Create Authentication Policy page, set the values for the following parameters, and click Create.
- Name – Name of the LDAP Authentication Policy.
- Action Type – Choose LDAP.
- Action – Choose the LDAP action.
- Expression – Default syntax expression that the policy uses to respond to specific request. For example, true**.
Support for active-active GSLB deployments on Citrix Gateway
Citrix Gateway configured as an Identity Provider (IdP) using the OIDC protocol can support active-active GSLB deployments. The active-active GSLB deployment on Citrix Gateway IdP provides the capability to load balance an incoming user login request across multiple geographic locations.
Important
Citrix recommends you to bind CA certificates to the SSL service and enable certificate validation on the SSL service for enhanced security.
For more information on configuring GSLB setup, see Example of a GSLB setup and configuration.