
Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud

Citrix Cloud supports using an on-premises Citrix Gateway as an identity provider to authenticate subscribers signing in to their workspaces.

By using Citrix Gateway authentication, you can:

  • Continue authenticating users through your existing Citrix Gateway so they can access the resources in your on-premises Virtual Apps and Desktops deployment through Citrix Workspace.
  • Use the Citrix Gateway authentication, authorization, and auditing functions with Citrix Workspace.
  • Use features such as pass-through authentication, smart cards, secure tokens, conditional access policies, federation, and many others while providing your users access to the resources they need through Citrix Workspace.

Citrix Gateway authentication is supported for use with the following product versions:

  • Citrix Gateway 13.0 41.20 Advanced edition or later
  • Citrix Gateway 12.1 54.13 Advanced edition or later

Prerequisites

  • Cloud Connectors - You need at least two servers on which to install the Citrix Cloud Connector software.

  • Active Directory - Perform the necessary checks.

  • Citrix Gateway requirements

    • Use advanced policies on the on-premises gateway due to deprecation of classic policies.

    • When configuring the Gateway for authenticating subscribers to Citrix Workspace, the gateway acts as an OpenID Connect provider. Messages between Citrix Cloud and Gateway conform to the OIDC protocol, which involves digitally signing tokens. Therefore, you must configure a certificate for signing these tokens.

    • Clock synchronization - The Gateway must be synchronized to NTP time.

For details, see Prerequisites.

Create an OAuth IdP policy on the on-premises Citrix Gateway

Important:

You must have generated the client ID, secret, and redirect URL in the Citrix Cloud > Identity and Access Management > Authentication tab. For details, see Connect an on-premises Citrix Gateway to Citrix Cloud.

Creating an OAuth IdP authentication policy involves the following tasks:

  1. Create an OAuth IdP profile.

  2. Add an OAuth IdP policy.

  3. Bind the OAuth IdP policy to an authentication virtual server.

  4. Bind the certificate globally.

Creating an OAuth IdP profile by using the CLI

At the command prompt, type:

```
add authentication OAuthIDPProfile <profile_name> [-clientID <string>] [-clientSecret <string>] [-redirectURL <URL>] [-issuer <string>] [-audience <string>] [-skewTime <mins>] [-defaultAuthenticationGroup <string>]
add authentication OAuthIdPPolicy <oauth_policy_name> -rule <expression> [-action <profile_name>] [-undefAction <string>] [-comment <string>] [-logAction <string>]
add authentication ldapAction <ldap_action_name> -serverIP <ip_addr> -ldapBase "dc=aaa,dc=local" -ldapBindDn <bind_dn> -ldapBindDnPassword <password> -ldapLoginName sAMAccountName
add authentication policy <ldap_policy_name> -rule <expression> -action <ldap_action_name>
bind authentication vserver auth_vs -policy <oauth_policy_name> -priority <positive_integer> -gotoPriorityExpression NEXT
bind authentication vserver auth_vs -policy <ldap_policy_name> -priority <positive_integer> -gotoPriorityExpression END
bind vpn global -certkeyName <certkey_name>
```

The angle-bracket placeholders stand for the names and values you choose; the LDAP action needs the leading hyphen on `-ldapBindDn`.

Creating an OAuth IdP profile by using the GUI

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP.

    `Oauth-IDP-navigation`

  2. On the OAuth IDP page, select the Profiles tab and click Add.

  3. Configure the OAuth IdP profile.

    Note:

    • Copy and paste the client ID, secret, and Redirect URL values from the Citrix Cloud > Identity and Access Management > Authentication tab to establish the connection to Citrix Cloud.

    • Enter the Gateway URL correctly in the Issuer Name field. Example: https://GatewayFQDN.com

    • Also copy and paste the client ID into the Audience field.

    • Send Password: Enable this option for single sign-on support. This option is disabled by default.

  4. On the Create Authentication OAuth IDP Profile screen, set values for the following parameters and click Create.

    • Name – Name of the authentication profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the profile is created.

    • Client ID – Unique string that identifies the SP. The authorization server infers the client configuration using this ID. Maximum Length: 127.
    • Client Secret – Secret string established by the user and the authorization server. Maximum Length: 239.
    • Redirect URL – Endpoint on the SP to which the code/token has to be posted.
    • Issuer Name – Identity of the server whose tokens are to be accepted. Maximum Length: 127. Example: https://GatewayFQDN.com
    • Audience – Target recipient for the token being sent by the IdP. This might be checked by the recipient.
    • Skew Time – This option specifies the allowed clock skew in minutes that Citrix ADC allows on an incoming token. For example, if skewTime is 10, then the token would be valid from (current time - 10) min to (current time + 10) min, that is 20 min in all. Default value: 5.
    • Default Authentication Group – A group that is added to the session's internal group list when this profile is chosen by the IdP, which can be used in an nFactor flow. It can be used in the expression (AAA.USER.IS_MEMBER_OF("xxx")) for authentication policies to identify the relying-party-related nFactor flow. Maximum Length: 63.

    A group is added to the session for this profile to simplify policy evaluation and help in customizing policies. This is the default group that is chosen when the authentication succeeds in addition to the extracted groups. Maximum Length: 63.

    `Oauth-IDP-profile-parameters`
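As an added illustration (not Citrix code), the following Python sketch shows the checks a relying party performs on the ID token claims that the Issuer Name, Audience, and Skew Time parameters govern. The issuer URL, client ID, and token contents are constructed placeholders, and signature verification against the Gateway's token-signing certificate is assumed to have happened before these checks run.

```python
import base64
import json

# Constructed placeholders: the Gateway URL from Issuer Name and the client ID from Audience.
EXPECTED_ISSUER = "https://GatewayFQDN.com"
EXPECTED_AUDIENCE = "example-client-id"
SKEW_TIME_MINUTES = 5  # the profile's skewTime default


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification against the
    Gateway's signing certificate is assumed to have happened already."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, now: int,
                    skew_minutes: int = SKEW_TIME_MINUTES) -> list:
    """Check iss, aud and the validity window; return a list of failures.
    skewTime widens the window on both sides, as the parameter text describes:
    the token is accepted while now lies within [iat - skew, exp + skew]."""
    skew = skew_minutes * 60
    errors = []
    if claims.get("iss") != EXPECTED_ISSUER:
        errors.append("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        errors.append("audience mismatch")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        errors.append("missing iat/exp")
    else:
        if now < iat - skew:
            errors.append("token not yet valid")
        if now > exp + skew:
            errors.append("token expired")
    return errors


def make_sample_token(claims: dict) -> str:
    """Build a constructed header.payload.signature string for testing only;
    the signature part is a placeholder, not a real RS256 signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```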

  5. Click Policies and click Add.

  6. On the Create Authentication OAuth IDP Policy screen, set values for the following parameters and click Create.

    • Name – The name of the authentication policy.
    • Action – Name of the profile created earlier.
    • Log Action – Name of the message log action to use when a request matches this policy. Not a mandatory field.
    • Undefined-Result Action – Action to perform if the result of policy evaluation is undefined (UNDEF). Not a mandatory field.
    • Expression – Default syntax expression that the policy uses to respond to a specific request. For example, true.
    • Comments – Any comments about the policy.

    `Oauth-IDP-policy`

Note:

When sendPassword is set to ON (OFF by default), user credentials are encrypted and passed through a secure channel to Citrix Cloud. Passing user credentials through a secure channel allows you to enable SSO to Citrix Virtual Apps and Desktops upon launch.

Binding the OAuthIDP policy and LDAP policy to the authentication virtual server

  1. Navigate to Configuration > Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.

  2. On the LDAP Actions screen, click Add.

  3. On the Create Authentication LDAP Server screen, set the values for the following parameters, and click Create.

    • Name – The name of the LDAP action.
    • Server Name/Server IP – Provide the FQDN or IP address of the LDAP server.
    • Choose appropriate values for Security Type, Port, Server Type, and Time-Out.
    • Make sure Authentication is checked.
    • Base DN – Base from which to start the LDAP search. For example, dc=aaa,dc=local.
    • Administrator Bind DN – User name used to bind to the LDAP server. For example, admin@aaa.local.
    • Administrator Password/Confirm Password – Password used to bind to the LDAP server.
    • Click Test Connection to test your settings.
    • Server Logon Name Attribute – Choose "sAMAccountName".
    • Other fields are not mandatory and can be configured as required.

  4. Navigate to Configuration > Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Policy.

  5. On the Authentication Policies screen, click Add.

  6. On the Create Authentication Policy page, set the values for the following parameters, and click Create.

    • Name – Name of the LDAP authentication policy.
    • Action Type – Choose LDAP.
    • Action – Choose the LDAP action.
    • Expression – Default syntax expression that the policy uses to respond to a specific request. For example, true.

Support for active-active GSLB deployments on Citrix Gateway

Citrix Gateway configured as an identity provider (IdP) using the OIDC protocol can support active-active GSLB deployments. The active-active GSLB deployment on the Citrix Gateway IdP provides the capability to load balance incoming user login requests across multiple geographic locations.

Important:

Citrix recommends that you bind CA certificates to the SSL service and enable certificate validation on the SSL service for enhanced security.

For more information on configuring a GSLB setup, see Example of a GSLB setup and configuration.
