Configuring Citrix Gateway Virtual Server for MSAL Token Authentication

To configure a Citrix Gateway virtual server for MSAL token authentication, you need the following information:

  • authorizationEndpoint: The URL of the endpoint to which an unauthenticated user is redirected. Citrix Gateway appends query parameters, including the client ID, to this URL when redirecting. If this parameter is not specified, the user is redirected by default to the URL configured in tokenEndpoint.

  • tokenEndpoint: The URL of the endpoint to which Citrix Gateway posts the OAuth token to verify its authenticity. The user can get the OAuth token from the authorization server upon successful authentication.

  • GraphEndpoint: The URL of the Graph API service used to discover the Enterprise Mobility Services (EMS) endpoints.

  • certEndpoint: The URL of the endpoint that contains the JSON Web Key (JWK) for MSAL token verification.

  • Audience: FQDN of the Citrix ADC virtual server to which the app sends the MSAL token.

  • Issuer: Name of the Microsoft Entra ID issuer. Populated by default.

  • TenantID: Tenant ID for MSAL registration.

  • ClientID: A unique ID given to the Gateway app as part of MSAL registration.

  • ClientSecret: A secret key given to the Gateway app as part of MSAL registration.

  • ResourceURI: An optional parameter that captures the resource URI. If not configured, Citrix ADC uses the Azure commercial resource URI.

Perform the following steps using the CLI:

  1. Create an OAuth action.

    add authentication OAuthAction <oauth_action_name> -OAuthType INTUNE -authorizationEndpoint <authorization_endpoint_url> -tokenEndpoint <token_endpoint_url> -clientID <client_id_val> -clientSecret <client_secret_val> -tenantID <tenant_id_val> -GraphEndpoint <graph_endpoint_url> -CertEndpoint <cert_endpoint_url>

  2. Add an authentication policy label for the OAuth action.

    add authentication policylabel <policy_label_name>

  3. Create an authentication policy that references the OAuth action created in step 1.

    add authentication Policy <policy_name> -rule true -action <oauth_action_name>

  4. Bind the authentication policy to the policy label.

    bind authentication policylabel <policy_label_name> -policyName <policy_name> -priority 100

  5. Configure the authentication virtual server.

    add authentication vserver <authvserver> SSL 0.0.0.0
    bind ssl vserver <authvserver> -certkeyName <cert_key_file_name>
    bind authentication vserver <authvserver> -policy <ldap_policy_name> -priority 100 -nextFactor <policy_label_name>

  6. Configure the VPN virtual server.

    add authentication authnProfile <vpn_profile_name> -authnVsName <authvserver>
    add vpn vserver <vserver_name> SSL <vpn_ip_address> 443 -authnProfile <vpn_profile_name>

Sample configuration:

add authentication OAuthAction oauth_action_for_NAC -OAuthType INTUNE -authorizationEndpoint "https://login.microsoftonline.com/ed10c531-5d7b-4a5c-bb29-564c20480754/oauth2/v2.0/authorize" -tokenEndpoint "https://login.microsoftonline.com/ed10c531-5d7b-4a5c-bb29-564c20480754/oauth2/v2.0/token" -clientID 1dc2adc3-0298-4ff5-9bf5-b98852ff58ba -clientSecret 6zM8Q~b4Hr9wwHEGFla.VDsiMWjvG~PS6PKv7c2m -tenantID ed10c531-5d7b-4a5c-bb29-564c20480754

add authentication policylabel intune_oauth_pol_label

add authentication Policy oauth_intune_pol -rule true -action oauth_action_for_NAC

bind authentication policylabel intune_oauth_pol_label -policyName oauth_intune_pol -priority 100

add authentication vserver av_vs SSL 0.0.0.0
bind ssl vserver av_vs -certkeyName crt_key_file_name
bind authentication vserver av_vs -policy ldap_policy_name -priority 100 -nextFactor intune_oauth_pol_label

add authentication authnProfile vpn_authnprofile -authnVsName av_vs
add vpn vserver vpn_sp SSL VPN_IP_Address 443 -authnProfile vpn_authnprofile

Note:

The parameters in the sample configuration must be adapted to your deployment. In the sample configuration:

  • OAuthType, clientID, clientSecret, and tenantID are mandatory parameters.

  • The following parameters are populated with their default values if you do not set them when creating the OAuth action:

    • GraphEndpoint: https://graph.microsoft.com/

    • AllowedTokenAlgorithms: HS256, RS256, RS512

    • TokenEndpointAuthMethod: client_secret_post

    • GrantType: Code

  • The tenantID used in authorizationEndpoint and tokenEndpoint is ed10c531-5d7b-4a5c-bb29-564c20480754.

  • The loginSchema used is the default schema. Depending on the use case, an appropriate login schema must be chosen.

  • LDAP is bound to the authentication virtual server as the first factor and OAuth as the next factor. Change this order to suit your deployment.
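As an added example (not Citrix code), the checker below parses the step 1 command line, reports any missing mandatory parameter, fills in the defaults listed in this note, and confirms that the tenant ID embedded in both endpoint URLs matches -tenantID, using the page's sample with the client secret replaced by a placeholder. The MULTI_TENANT authority segments are an assumption about Entra authority URLs and are not taken from this page.

```python
import shlex

# Mandatory parameters and the defaults listed in the note above.
MANDATORY = ("OAuthType", "clientID", "clientSecret", "tenantID")
DEFAULTS = {"GraphEndpoint": "https://graph.microsoft.com/",
            "AllowedTokenAlgorithms": "HS256, RS256, RS512",
            "TokenEndpointAuthMethod": "client_secret_post",
            "GrantType": "Code"}
# Assumed Entra authority segments that are not a tenant ID, so no tenant comparison applies.
MULTI_TENANT = ("common", "organizations", "consumers")

# Constructed copy of the page's sample command; the client secret is a placeholder.
SAMPLE = ('add authentication OAuthAction oauth_action_for_NAC -OAuthType INTUNE '
          '-authorizationEndpoint "https://login.microsoftonline.com/ed10c531-5d7b-4a5c-bb29-564c20480754/oauth2/v2.0/authorize" '
          '-tokenEndpoint "https://login.microsoftonline.com/ed10c531-5d7b-4a5c-bb29-564c20480754/oauth2/v2.0/token" '
          '-clientID 1dc2adc3-0298-4ff5-9bf5-b98852ff58ba -clientSecret PLACEHOLDER_SECRET '
          '-tenantID ed10c531-5d7b-4a5c-bb29-564c20480754')


def parse_oauth_action(cmd):
    """Return (action name, {param: value}) for an 'add authentication OAuthAction' line.
    Keys are lowercased: the page writes certEndpoint and -CertEndpoint for the same parameter."""
    tokens = shlex.split(cmd)  # honours the double-quoted endpoint URLs
    if tokens[:3] != ["add", "authentication", "OAuthAction"] or len(tokens) < 4:
        raise ValueError("not an 'add authentication OAuthAction' command")
    flags = tokens[4:]
    if len(flags) % 2 or any(not f.startswith("-") for f in flags[::2]):
        raise ValueError("parameters must be '-name value' pairs")
    return tokens[3], {k[1:].lower(): v for k, v in zip(flags[::2], flags[1::2])}


def check_oauth_action(cmd):
    """Return (effective parameters with defaults applied, list of findings)."""
    name, params = parse_oauth_action(cmd)
    findings = [f"{name}: mandatory parameter -{p} is missing"
                for p in MANDATORY if p.lower() not in params]
    for p, default in DEFAULTS.items():
        params.setdefault(p.lower(), default)
    tenant = params.get("tenantid", "")
    for ep in ("authorizationEndpoint", "tokenEndpoint"):
        url = params.get(ep.lower(), "")
        if url and not url.startswith("https://"):
            findings.append(f"{name}: -{ep} is not an https URL")
        # Tenant is the first path segment: https://login.microsoftonline.com/<tenant>/...
        seg = url.split("/")[3] if url.count("/") >= 3 else ""
        if url and tenant and seg not in MULTI_TENANT and seg != tenant:
            findings.append(f"{name}: tenant in -{ep} ({seg}) does not match -tenantID")
    return params, findings
```

Calling check_oauth_action(SAMPLE) returns the effective parameters (including the four defaults) and an empty findings list; changing -tenantID or dropping -clientSecret produces one finding per mismatch or omission.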