27.10.5 Creating the Claims Party Trust on ADFS

  1. Open the ADFS management console.

  2. Expand the Trust Relationships menu.

  3. Click Add Claims Provider trust.

  4. Select Import data about the claims provider.

  5. Paste the OSP metadata URL, in the format https://<AAF_server_hostname>/osp/a/TOP/auth/saml2/metadata, or import the metadata file manually.

    Importing from the URL may fail if OSP uses a self-signed certificate. In that case, copy the metadata from the OSP URL into an XML file and provide the file name instead.

  6. Specify the Display name.

  7. Edit Claim Rules for the created claims provider trust.

  8. In Edit Claims Rules, add three rules:

    • To add the first rule, perform the following steps:

      1. Click Add Rule.

      2. Select Send Claims Using a Custom Rule from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Paste Custom rule and click Finish.

        c:[Type == "upn"]=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

    • To add the second rule, perform the following steps:

      1. Click Add Rule.

      2. Select Pass Through or Filter an Incoming Claim template from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Select UPN from Incoming Claim Type.

      5. Select Pass through all claim values and click Finish.

    • To add the third rule, perform the following steps:

      1. Click Add Rule.

      2. Select Transform an Incoming Claim template from Claim Rule Template and click Next.

      3. Specify Claim rule name.

      4. Select UPN from Incoming Claim Type.

      5. Select Name ID from Outgoing claim type.

      6. Select Unspecified from Outgoing name ID format and click Finish.

  9. Open Properties for the created claims provider trust and navigate to the Endpoints tab.

  10. Ensure that the Binding of all endpoints is set to POST.

    WARNING: If you remove an existing endpoint from the Endpoints tab, make a note of its configuration first so that you can re-create the endpoint with the Binding set to POST.

  11. Click OK.
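The same claims provider trust can be created from the ADFS PowerShell module instead of the management console. The following script is an added example and is not part of the original documentation or of the product; it assumes the OSP metadata has already been saved to C:\osp-metadata.xml (the file-based import described in step 5) and that the display name, the file path and the endpoint URI used for the POST check are placeholders to be replaced with your own values. The three acceptance transform rules are the claim-rule-language equivalents of the three rules added in step 8.

```powershell
# Added example: create the OSP claims provider trust on ADFS with the three
# claim rules from the procedure above, then verify the endpoint bindings.
Import-Module ADFS

$trustName    = 'OSP'                      # placeholder display name (step 6)
$metadataFile = 'C:\osp-metadata.xml'      # placeholder path to saved OSP metadata (step 5)

# Rule 1: custom rule, re-issues the short "upn" claim type under the full UPN claim URI.
# Rule 2: pass through every incoming UPN claim.
# Rule 3: transform UPN into a Name ID with the "unspecified" format.
$rules = @'
@RuleName = "Issue UPN claim"
c:[Type == "upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID (unspecified)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Steps 3-8: import the trust from the metadata file and attach the rules.
Add-AdfsClaimsProviderTrust -Name $trustName `
                            -MetadataFile $metadataFile `
                            -AcceptanceTransformRules $rules

# Steps 9-10: list the SAML endpoints and flag any whose binding is not POST.
$trust = Get-AdfsClaimsProviderTrust -Name $trustName
$nonPost = $trust.SamlEndpoints | Where-Object { $_.Binding -ne 'POST' }

if ($nonPost) {
    Write-Warning "Endpoints not using POST binding:"
    $nonPost | Format-Table Protocol, Binding, Location -AutoSize
} else {
    Write-Host "All endpoints for '$trustName' use the POST binding."
}
```

If the check reports a non-POST endpoint, note its protocol, index and location, then rebuild the endpoint list with New-AdfsSamlEndpoint -Binding POST and apply it with Set-AdfsClaimsProviderTrust -TargetName <name> -SamlEndpoint, which matches the manual edit the WARNING in step 10 describes.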

IMPORTANT: Citrix StoreFront does not support SAML Single Logout. As a result, the next login is authenticated automatically without prompting users for multi-factor authentication. For more information, see SAML Single Logout.

When users log out from Citrix StoreFront, they must close the browser to protect their account.

You can upgrade StoreFront to version 3.15 or later to fix this issue.

NOTE: When you log off from Citrix StoreFront and try to log in again through the same browser, the error message "You cannot log on at this time" is displayed. To resolve this issue, add the following setting to the script.js file:

CTXS.allowReloginWithoutBrowserClose = true

For more information, see Error While Logging In to Citrix StoreFront Again.