9.10 Configuring Integration with Citrix StoreFront

This section describes how to integrate Advanced Authentication with Citrix StoreFront. The integration secures the Citrix StoreFront connection.

To configure the integration of the Advanced Authentication appliance with StoreFront using SAML 2.0, perform the following tasks:

Ensure that the following requirements are met:

  • Advanced Authentication is configured with an Active Directory repository.

  • StoreFront is installed on the Citrix Server.

NOTE:The Citrix StoreFront integration is supported for Active Directory only.

9.10.1 Exporting the Token Signing Certificate from ADFS

  1. Open the ADFS Management console.

  2. Click Service > Certificates > Token Signing Certificate.

    The Token Signing dialog box is displayed.

  3. Navigate to the Details tab and click Copy to a file.

    The Certificate Export wizard is displayed. Export the certificate to your local drive.

9.10.2 Configuring the Authentication Methods on Citrix StoreFront

  1. Open the Citrix StoreFront console.

  2. Click Stores > Manage Authentication Methods.

  3. Select User name and Password.

  4. Click the Settings icon next to User name and Password.

  5. Click Configure Password Validation.

  6. Ensure Validate Password is set to Active Directory.

  7. Select SAML Authentication.

  8. Click the Settings icon next to SAML Authentication and click Identity Provider.

  9. Select Post from SAML Binding.

  10. Specify ADFS Address in https://<adfs_server>/adfs/ls format.

  11. Click Import.

  12. Select the Token Signing certificate (exported from ADFS) and click Open.

  13. Click OK to close the Identity Provider dialog box.

  14. Click the Settings icon next to SAML Authentication and click Service Provider.

  15. Specify Export Signing Certificate Name and click Browse to save the StoreFront signing certificate to your local drive.

  16. Specify Export Encryption Certificate Name and click Browse to save the StoreFront encryption certificate to your local drive.

  17. Specify the Service Provider Identifier in https://<StoreFront_URL>/Citrix/StoreAuth format.

  18. Click OK.

9.10.3 Creating the Relying Party Trust on ADFS

  1. On the ADFS Management console, click Relying Party Trusts > Add Relying Party Trust.

  2. Select Claims aware and click Start.

  3. To import StoreFront metadata, perform the following:

    1. Select Import data about the relying party from a file.

    2. Specify StoreFront metadata URL in https://<storefront_server>/Citrix/<StoreAuth>/SamlForms/ServiceProvider/Metadata format.

    3. Click Next.

  4. Specify Display Name and Notes for StoreFront and click Next.

  5. From the Choose an access control policy list, select Permit everyone to configure the access control policy for ADFS, and click Next.

  6. Verify the values imported from the StoreFront metadata and click Next.

  7. Select Configure claims issuance policy for this application and click Close.

  8. Select the trust created for StoreFront on the Relying Party Trusts and click Edit Claim Rules.

  9. In the Issuance Transform Rule tab, add three rules:

    • To add the first rule, perform the following steps:

      1. Click Add Rule.

      2. Select Send LDAP Attributes as Claims from Claim Rule Template.

      3. Specify Claim rule name.

      4. Select Active Directory from Attribute Store.

      5. Select User-Principal-Name from LDAP Attribute.

      6. Select Name ID from Outgoing Claim Type.

      7. Click Save.

    • To add the second rule, perform the following steps:

      1. Click Add Rule.

      2. Select Pass Through or Filter an Incoming Claim from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Select Name ID from Incoming Claim Type.

      5. Select Unspecified from Incoming name ID format.

      6. Select Pass through all claim values.

      7. Click OK.

    • To add the third rule, perform the following steps:

      1. Click Add Rule.

      2. Select Send LDAP Attributes as Claims from Claim Rule Template.

      3. Specify Claim rule name.

      4. Select Active Directory from Attribute Store.

      5. Map the LDAP attributes as follows:

        • LDAP attribute 1:

          1. Select Surname from LDAP Attribute.

          2. Select Surname from Outgoing Claim Type.

        • LDAP attribute 2:

          1. Select Given Name from LDAP Attribute.

          2. Select Given Name from Outgoing Claim Type.

9.10.4 Configuring the SAML 2.0 Event on Advanced Authentication

  1. Open the Advanced Authentication Administration portal.

  2. Click Events > Add.

  3. Create an event with the following parameters:

    • Name: Citrix StoreFront

    • Chains: select the required chains.

    • Paste the content of the file https://<adfs_hostname>/FederationMetadata/2007-06/FederationMetadata.xml into the SP SAML 2.0 metadata field.

      or

      • Click Choose File and upload the saved XML file.

    • Click Save.

    NOTE:Verify that you can access the file in your browser. If the file is not displayed, there is an issue on ADFS that you must resolve first.

  4. Click Policies > Web Authentication.

  5. Set External URL to https://AdvancedAuthenticationServerAddress/ and replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication Server.

    NOTE:To use multiple Advanced Authentication servers with SAML 2.0, you must do the following:

    1. Configure an external load balancer.

    2. Specify the address in External URL instead of specifying an address of a single Advanced Authentication server.

  6. Click Download IdP SAML 2.0 Metadata.

    You must open the file as an XML file.

    NOTE:If a response beginning with {"Fault":{... is displayed instead of XML, you must verify the configuration.

9.10.5 Creating the Claims Party Trust on ADFS

  1. Open the ADFS management console.

  2. Expand the Trust Relationships menu.

  3. Click Add Claims Provider trust.

  4. Select Import data about the claims provider.

  5. Paste the OSP metadata URL in the https://<AAF_server_hostname>/osp/a/TOP/auth/saml2/metadata format, or import the file manually.

    Importing from the URL may fail if the server uses a self-signed certificate. In that case, copy the metadata from the OSP URL into an XML file and provide the file name instead.

  6. Specify the Display name.

  7. Edit Claim Rules for the created claims provider trust.

  8. In Edit Claims Rules, add three rules:

    • To add the first rule, perform the following steps:

      1. Click Add Rule.

      2. Select Send Claims Using a Custom Rule from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Paste the following custom rule and click Finish.

        c:[Type == "upn"]=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    • To add the second rule, perform the following steps:

      1. Click Add Rule.

      2. Select Pass Through or Filter an Incoming Claim from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Select UPN from Incoming Claim Type.

      5. Select Pass through all claim values and click Finish.

    • To add the third rule, perform the following steps:

      1. Click Add Rule.

      2. Select Transform an Incoming Claim from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Select UPN from Incoming Claim Type.

      5. Select Name ID from Outgoing claim type.

      6. Select Unspecified from Outgoing name ID format and click Finish.

  9. Open Properties for the created claims provider trust and navigate to the Advanced tab.

  10. Set Secure hash algorithm from SHA-256 to SHA-1.

    NOTE:SHA-1 is a weaker signature hash than SHA-256. This setting applies only to this claims provider trust, not to the other trusts on ADFS.

  11. Navigate to the Endpoints tab and ensure that the Binding of all endpoints is set to POST.

    WARNING:If you remove an existing endpoint from the Endpoints tab, note its configuration first so that you can re-create the endpoint with the Binding set to POST.

  12. Click OK.
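The two manual checks in this section, that the metadata endpoint returns XML rather than a {"Fault":{... body (9.10.4, step 6) and that every endpoint uses the POST binding (9.10.5, step 11), can be scripted against a downloaded metadata file. The following is an added example written for this page, not code from the Advanced Authentication or Citrix documentation; it also compares the embedded signing certificate with the one you exported, and runs offline on a constructed sample with a fictitious host (storefront.example.test), placeholder certificate bytes and placeholder endpoint paths.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate as embedded in metadata."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def check_metadata(text: str, expected_entity_id: str, expected_fp: str) -> list:
    """Return findings for one metadata document; an empty list means it passed."""
    body = text.lstrip()
    if body.startswith("{"):  # the {"Fault":{... body the guide warns about
        return ["endpoint returned a JSON Fault instead of SAML metadata"]
    root = ET.fromstring(body)
    findings = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        findings.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    for ep in root.iter():  # every SSO/ACS/SLO endpoint must use the POST binding
        binding = ep.get("Binding")
        if binding is not None and binding != POST_BINDING:
            findings.append(f"{ep.tag.rpartition('}')[2]} uses {binding}, not HTTP-POST")
    fps = set()  # signing certificates actually present in the document
    for kd in root.findall(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and cert is not None and cert.text:
            fps.add(cert_fingerprint(cert.text))
    if expected_fp not in fps:
        findings.append("no signing certificate matches the exported certificate")
    return findings

# Constructed sample (not real metadata): placeholder certificate bytes, a fictitious
# host, placeholder paths, and a second endpoint that deliberately uses Redirect.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://storefront.example.test/Citrix/StoreAuth">
  <md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST_BINDING}" index="0"
      Location="https://storefront.example.test/Citrix/StoreAuth/acs"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real StoreFront, ADFS and OSP metadata files with the identifier from step 17 of 9.10.2 and the fingerprint of the certificate exported in 9.10.1; any non-empty result points at the step to revisit.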

NOTE:When you log off from Citrix StoreFront and try to log in again through the same browser, the error message You cannot log on at this time is displayed. To resolve this issue, add the following setting to the script.js file:

CTXS.allowReloginWithoutBrowserClose = true

For more information, see Error While Re-login To Citrix StoreFront.