Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication
Prerequisites
* Citrix FAS Service installation
* XA/XD 7.6 or newer
* StoreFront 3.6 or newer (I’ve tested with 3.9)
* SAML provider acting as the IdP (Google in this instance)
* NetScaler Gateway configured as the SAML Service Provider (SP)
* Active Directory Certificate Services
* Access to edit Windows GPOs and OUs to assign the CFAS service its service location
Install The Citrix Federated Authentication Service (CFAS)
| Step | Description |
|---|---|
| 1 | Mount the XA/XD ISO on your server and select the Federated Authentication Service |
| 2 | Read the license agreement and make your choice |
| 3 | Click Next |
| 4 | Click Next |
| 5 | Click Install |
| 6 | Click Finish |
| 7 | Create the GPO to point the FAS server to itself (see step 9). When the GPO exists the ‘address’ field will be filled in for you automatically |
| 8 | Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to c:\windows\policydefinitions on Active Directory |
| 9 | Edit group policy to have the server point to itself for FAS: open gpmc.msc, browse to Computer > Administrative Templates: Policy > Citrix Components > Authentication and enter the DNS address of the server hosting the FAS service. Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied |
| 10 | Run gpupdate /force |
| 11 | Right click the CFAS Administration console and always Run As Administrator |
| 12 | You should now have the CFAS server listed. Click OK |
| 13 | Click on Step 1 – Start Button |
| 14 | Click OK |
| 15 | You can verify the creation of the templates in ADCS |
| 16 | Once this is completed without errors click Start on Step 2 |
| 17 | Click OK |
| 18 | Finally click Start on Step 3 |
| 19 | Click OK |
| 20 | The console is waiting for the request to be approved (issued) from the AD Certificate Services |
| 21 | Log into the ADCS and approve the pending certificate request: right click the pending request, select All Tasks, select Issue |
| 22 | Step 3 will go green |
| 23 | Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate |
| 24 | Click Edit and add the StoreFront server to be able to use the ‘rule’. Remove Domain Computers as they will be set to ‘deny’ |
| 25 | Click Apply |
Create NetScaler SAML Policy to 3rd Party IdP (Google)
In this section we will create a new SAML policy for the NetScaler to use Google as the SAML IdP.
Note: this cannot currently be bound to a Gateway when using the NetScaler RFWebUI ‘theme’.
| Step | Description |
|---|---|
| 1 | Connect to admin.google.com |
| 2 | Click Apps |
| 3 | Click SAML Apps |
| 4 | Click the + to add a new SAML application |
| 5 | Select Setup my own custom app |
| 6 | Take note of the IdP data you are provided and copy and paste your URL. Be sure to DOWNLOAD the certificate and save it for uploading to the NetScaler later |
| 7 | Describe your new app |
| 8 | Note: the default ACS URL for the NetScalers must have a trailing /cgi/samlauth |
| 9 | Click Finish |
| 10 | Summary of the App SSO setup in the Google admin panel |
| 11 | Be sure to enable the new application: click the three dots … and select ON for everyone. Note: this new configuration will take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message |
| 12 | Note: users will have access to a shortcut to this new app in their Google console |
| 13 | Upload the Google IdP certificate to the NetScaler |
| 14 | Install the CA certificate |
| 15 | Here you can see the certificate installed as another CA certificate |
| 16 | Expand NetScaler > Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > SAML > Policies > Servers and enter appropriate details for your new SAML profile. Note: the redirect URL and Single Logout URL will be unique to your Google account |
| 17 | Create a new SAML authentication policy: set the expression of this policy to ns_true and link it to the newly created Google SAML server |
| 18 | Bind this policy to your NetScaler Gateway: click the + against Basic Authentication. Note: you may need to remove other authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method |
| 19 | Choose SAML, choose Primary, click Continue |
| 20 | Select the SAML binding |
| 21 | Edit the NetScaler Gateway session profile (Session Server) and blank the Single Sign On Domain field: NetScaler Gateway > click Session Policies |
| 22 | Select the policy and edit the profile |
| 23 | Ensure Single Sign-on Domain is empty |
| 24 | Ensure your Google email matches your AD user logon name |
| 25 | If not, you can add a new UPN for the domain from Active Directory Domains and Trusts |
| 26 | Add any additional UPN suffix you may require to match your Google email sign-in |
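Steps 24 to 26 depend on the Google sign-in address resolving to an exact AD user principal name, because that is the identity FAS will issue a certificate for. The following PowerShell is an added example (not from the original post) that checks a given address against AD, shows where a mismatch lies, and adds a missing UPN suffix to the forest. It assumes the ActiveDirectory RSAT module is installed and that the account running it can modify forest UPN suffixes; the address and suffix used are constructed samples.

```powershell
# Added example: verify that a Google sign-in e-mail matches an AD UPN and
# add a UPN suffix to the forest if it is missing.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights for Set-ADForest.
Import-Module ActiveDirectory

function Test-GoogleUpnMatch {
    param([Parameter(Mandatory)][string]$GoogleEmail)

    # Reject anything that is not a plain user@domain value before it reaches an
    # AD filter string (quotes or whitespace would break or alter the filter).
    if ($GoogleEmail -notmatch '^[^\s''"]+@[^\s''"]+$') {
        throw "Not a plain e-mail address: $GoogleEmail"
    }

    # FAS needs an exact UPN match with the NameID that Google sends.
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$GoogleEmail'" -Properties UserPrincipalName
    if ($user) {
        Write-Host "OK: $GoogleEmail is the UPN of $($user.SamAccountName)"
        return $true
    }

    # Not a UPN: look at the mail attribute to explain the mismatch.
    $byMail = Get-ADUser -Filter "mail -eq '$GoogleEmail'" -Properties UserPrincipalName, mail
    if ($byMail) {
        Write-Warning ("{0} is the mail attribute of {1} but its UPN is {2}; logon via FAS will fail until the UPN matches" -f
            $GoogleEmail, $byMail.SamAccountName, $byMail.UserPrincipalName)
    } else {
        Write-Warning "No AD user has UPN or mail attribute $GoogleEmail"
    }
    return $false
}

function Add-UpnSuffixIfMissing {
    param([Parameter(Mandatory)][string]$Suffix)

    # Same thing as Active Directory Domains and Trusts > Properties > UPN Suffixes.
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Host "UPN suffix $Suffix is already present in forest $($forest.Name)"
        return
    }
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $Suffix}
    Write-Host "Added UPN suffix $Suffix to forest $($forest.Name)"
}

# Constructed sample values; replace with a real Google account and your domain.
if (-not (Test-GoogleUpnMatch -GoogleEmail 'jane.doe@example.com')) {
    Add-UpnSuffixIfMissing -Suffix 'example.com'
}
```

Adding the suffix only makes it selectable; the affected users still need their UPN changed to the new suffix (Set-ADUser -UserPrincipalName) before the check above passes. Because the Gateway session profile has an empty Single Sign-on Domain, the full address from Google is what reaches StoreFront, so a user whose Google address differs from their UPN in any character will be rejected.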
Configure StoreFront to Delegate Authentication to NetScaler
| Step | Description |
|---|---|
| 1 | Open Citrix Studio or StoreFront management |
| 2 | Select your store and left click Manage Authentication Methods |
| 3 | Click Passthrough from NetScaler Gateway > Configure Delegated Authentication |
| 4 | Click OK |
| 5 | Note: you will need to trust requests sent to the DDC XML ports for all DDC servers. RDP to each Delivery Controller as a Citrix or local administrator, open PowerShell, type ‘asnp Citrix*’, then type ‘Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true’ |
| 6 | Note: you can verify this was successful by running get-brokersite |
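The trust flag in step 5 tells the Broker to accept the user identity that StoreFront asserts on the XML port without a password, which is exactly what delegated authentication needs. The PowerShell below is an added example, not from the original post, that sets the flag and then reads it back from every Delivery Controller in the Site so you can confirm none disagrees. It assumes the Citrix Broker PowerShell snap-in (installed with Studio) and Site administrator rights; the Get-BrokerController and -AdminAddress calls are used so the check can be run once rather than on each controller in turn.

```powershell
# Added example: enable the XML service trust setting and verify it on every
# Delivery Controller. Assumes the Citrix.Broker.Admin.V2 snap-in is installed.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Enable-XmlTrustAndVerify {
    # Set-BrokerSite writes the Site configuration, as in step 5 of the table above.
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

    # Ask each controller individually so a stale or unreachable one shows up.
    $results = foreach ($controller in Get-BrokerController) {
        $value = $null
        try {
            $value = (Get-BrokerSite -AdminAddress $controller.DNSName).TrustRequestsSentToTheXmlServicePort
        } catch {
            Write-Warning "Could not query $($controller.DNSName): $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Controller       = $controller.DNSName
            State            = $controller.State
            TrustXmlRequests = $value
        }
    }

    $results | Format-Table -AutoSize

    # True only when every controller reports the flag as set.
    $notTrusted = $results | Where-Object { $_.TrustXmlRequests -ne $true }
    return ($notTrusted.Count -eq 0)
}

if (Enable-XmlTrustAndVerify) {
    Write-Host 'All controllers trust requests sent to the XML service port'
} else {
    Write-Warning 'At least one controller does not report the trust flag; re-check it before enabling delegated authentication'
}
```

Once this flag is on, anything that can reach the XML port can present a username and get a session launched for it, so restrict that port at the firewall to the StoreFront servers only and run the XML service over HTTPS; the trust is meant for StoreFront, not for the whole network.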
If you want to learn more about Citrix NetScaler, check out our online NetScaler course at www.mastersof.cloud
Sign up to the Mastersof.cloud mailing list below to receive a free 200-page Citrix NetScaler Introduction guide!