SAML Authentication between Citrix & Microsoft with Azure MFA

As a result of increasing projects, here is a little how to with the summary of my previous articles. The main points are:

  • Azure AD Seamless Single Sign-On (PTA / PHS)
  • SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)
  • Citrix Federated Authentication Service (FAS)
  • Microsoft Azure Multi-Factor-Authentication with Conditional Access

Requirements

  • Fully working Citrix Virtual Apps and Desktop Environment (StoreFront & DDC Minimum Version 7.9)
  • Citrix ADC with successful base configuration & activated Enterprise or Platinum license (Minimum Version 12.1 Build 50+ for native workspace app, for browser Minimum Version 11.1)
  • Configured Unified Gateway vServer
  • Internal and external DNS entries for Unified Gateway vServer (e.g. citrix.deyda.net)
  • Certificates for DNS entries (wildcard certificates are the easiest)
  • Existing Azure Tenant with Azure-AD base configuration (Domain, AAD Sync) & activated Azure AD Premium license
  • AD Connect version installed and configured (Minimum Version 1.1.644.0)
  • Firewall release for *.msappproxy.net on port 443
  • Domain administrator credentials for the domains that connected to Azure AD via AD Connect
  • Installed Authenticator App on Test User Mobile Phone
Continue reading “SAML Authentication between Citrix & Microsoft with Azure MFA”

Install Teams & OneDrive in Citrix (Machine-Based)

In the past months, I have had to deploy Microsoft Teams and OneDrive from the Office365 portfolio in Citrix environments, in addition to the standard office applications in numerous projects.

Microsoft Teams

The standard installation, that the user can perform through the Office365 portal, is a user-based installation. In a Citrix environment, this is only recommended for desktop operating systems (pooled or personal desktop).

Installation

In order for Teams to function in server operating systems (multi-user capable), the Machine Based Installer must be used. In this case, part of the data is stored in the folder C:\%PROGRAMFILES%\Microsoft\Teams. However, Teams can no longer be updated automatically as soon as a new version is available. This mode is recommended for non-persistent environments.

Continue reading “Install Teams & OneDrive in Citrix (Machine-Based)”

FSLogix Container (Office/Profile) in Citrix Environments

Recently, I have been involved more and more in projects where Office365 is to be fully implemented in Citrix environments. This means that the customer not only needs the standard Office applications Outlook, Excel and Word, but also wants to use teams and OneDrive.

But this is exactly where we, without additional software, have big problems in non-persistent desktop environments. For example with our profiles (Team Installer stores its data in the profile) or so that the data is downloaded from the Internet every time (excluding OneDrive Sync data in the profile).

However, we have recently been in the fortunate position of being able to use FSLogix “free of charge” for this purpose, if we meet the following requirements:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)
Profile Container Multiple Sessions FSLogix
Continue reading “FSLogix Container (Office/Profile) in Citrix Environments”

SAML Authentication with Azure AD as IdP and Citrix as SP

Since Citrix XenApp / XenDesktop 7.9 the Federated Authentication Service (FAS) is available. Via Citrix FAS it is possible to authenticate a user via SAML and thus connect Citrix as a service provider to existing identity providers, such as Azure-AD.

Sequence of SAML authentication

  1. The user browse the FQDN (e.g. citrix.deyda.net) of the Citrix Gateway vServer (Service Provider) to start his VA / VD resources
  2. The Citrix Gateway vServer directs the unauthenticated user directly to the Identity Provider (Azure-AD) to authenticate itself (saml: authnRequest)
  3. The Identity Provider points to its SingleSignOnService URL (e.g. login.microsoftonline.com) and the user must authenticate
  4. The user enters his AD credentials and these are checked by the Identity Provider against the user database
  5. Upon successful verification in the user database, the IdP is informed
  6. The IdP issues a token (SAML assertion) and sends it to the Citrix Gateway (saml: response)
  7. Citrix Gateway checks the token (assertion signature) and extracts the UPN from the assertion token. This allows access via SSO to the VA / VD farm via FAS (The SP does not have access to the user’s credentials)
SAML Auth Azure AD & Citrix Gateway with FAS
Continue reading “SAML Authentication with Azure AD as IdP and Citrix as SP”