
Citrix FAS and SSO passthrough


Georg Hoeher

Question

Hello,

I have two questions regarding Citrix FAS.

Consider the following scenario:

I have an internal Active Directory and a Citrix XenApp 7.13 site in a DMZ with a separate Active Directory.

I implement the Citrix FAS solution.

Is it possible to configure an SSO passthrough to the StoreFront so that users don't have to enter any credentials when coming from the internal network?

If we extend the scenario to Azure AD, where Azure AD contains synced users from my internal AD and Azure AD is used as the IdP for FAS, is SSO passthrough possible in such a scenario?

Kind regards

Georg


4 answers to this question


The two AD domains are in separate untrusted forests?

If so, configure ADFS internally. ADFS supports pass-through auth. Then ADFS will present claims to Citrix FAS in the DMZ to allow authentication using shadow accounts in the DMZ forest.

If you are doing ADFS federation with Azure AD, then ADFS can handle pass-through auth. I don't think Azure AD can do pass-through auth on its own.


This is an old post. I have 2 standalone (untrusted) AD domains in different network subnets which are firewalled.

I would like to be able to enable users from the untrusted Domain A to log on to the resource Domain B, which hosts the Citrix hosted apps and VDI environment/hypervisor etc.

Carl: I follow your blogs regularly and you do a fantastic job of sharing your wealth of knowledge of Citrix and other products, keep up the good work!

If you know where I could find a guide for setting up a PoC environment, it will be greatly appreciated; most of the blogs I have found seem to only cover cloud-based ADFS and Citrix FAS for Azure and Google 2FA.

Thanks

MP


So what if I have 2 domains with a 2-way external trust (as it's just a single-layer forest/domain)?

- domain A (where all the Citrix servers reside)

- domain B

Are shadow accounts still required?

Because I can't open any apps logged in as a domain B user unless a shadow account is created in domain A.

But I have a full 2-way trust, which I don't get; I can manually request a random test cert from domain B as a domain B user, the cert being issued from domain A. But the citrix_smartcardlogon template refuses to issue a cert for a domain B user when going through opening apps.

Details here:

https://discussions.citrix.com/topic/389162-cannot-start-app-fas-federated-saml-cannot-issue-certificate-for-different-domain-user/

On 12/07/2017 at 3:40 AM, Mayur Patel1709151416 said:

This is an old post. I have 2 standalone (untrusted) AD domains in different network subnets which are firewalled.

I would like to be able to enable users from the untrusted Domain A to log on to the resource Domain B, which hosts the Citrix hosted apps and VDI environment/hypervisor etc.

Carl: I follow your blogs regularly and you do a fantastic job of sharing your wealth of knowledge of Citrix and other products, keep up the good work!

If you know where I could find a guide for setting up a PoC environment, it will be greatly appreciated; most of the blogs I have found seem to only cover cloud-based ADFS and Citrix FAS for Azure and Google 2FA.

Thanks

MP

MP, did you ever find a guide please?

Thanks.
