NetScaler 11 VPX/XA 7.9/SF 7.9 Environment - Authentication with IBM Identity Management

Started by Callum Dunbar , 11 April 2017 - 02:28 PM
3 replies to this topic

Callum Dunbar (Members, 20 posts)

Posted 11 April 2017 - 02:28 PM

Hi,

A pretty general question...but I'm looking into a request to hook up our Citrix environment to possibly authenticate with something other than AD. Specifically, whether it's possible to configure the NetScaler/StoreFront to authenticate with the IBM suite of identity management solutions.

Does anybody have any experience of this or know whether it's even possible?

Thanks.



Carl Stalhood (CTP Member, 11,574 posts)

Posted 11 April 2017 - 02:46 PM

Through SAML and Citrix Federated Authentication Services, yes. Assuming the iDP can send you an email address that matches a UPN for a user in your AD.

You can't completely avoid AD. VDAs must be joined to AD. Controllers must be joined to AD.



Callum Dunbar (Members, 20 posts)

Posted 11 April 2017 - 03:21 PM

Hi Carl,

Thanks for the response.

In this case then, the iDP would be the IBM identity management product (TFIM). So the NetScaler would be passed a SAML token which has come from the iDP. According to the diagram I see here https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/secure/federated-authentication-service.html, the NetScaler still then does a lookup to an AD server?

The Citrix Federated Authentication Service then requests a cert from the CA; I'm a little unclear as to how that links with the iDP though?

Are you able to clarify?

Thanks.



Carl Stalhood (CTP Member, 11,574 posts)

Posted 11 April 2017 - 03:50 PM

Your iDP sends an attribute (typically email address) as the Name ID. NetScaler sends this Name ID to StoreFront. StoreFront looks in AD for a user account that has a userPrincipalName that matches the Name ID. You typically have to add UPN suffixes to AD and configure your AD accounts with the UPN suffix. http://www.carlstalhood.com/citrix-federated-authentication-service-saml/#activedirectory
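The NameID-to-UPN matching described in the reply above, as an added illustration that is not part of this thread and not Citrix, NetScaler or StoreFront code. It parses a constructed SAML 2.0 assertion, pulls the Subject NameID out of it, and looks for exactly one account whose userPrincipalName matches it in a constructed stand-in for the AD accounts StoreFront would query. The assertion, the directory entries and the `corp.example` suffix are all made up for the example; signature and audience validation of the assertion are assumed to have already happened upstream (on the NetScaler) and are not shown here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; no real IdP produced it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-04-11T14:28:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@corp.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for AD user objects. The second account still has the
# default (internal) UPN suffix, which is the situation the reply warns about.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jane.doe@corp.example"},
    {"sAMAccountName": "bsmith", "userPrincipalName": "bsmith@corp.local"},
]


def extract_name_id(assertion_xml):
    """Return (NameID value, NameID Format) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text or not node.text.strip():
        raise ValueError("assertion carries no Subject/NameID")
    return node.text.strip(), node.get("Format", "")


def lookup_by_upn(name_id, directory):
    """Return the sAMAccountName whose userPrincipalName equals name_id.

    UPNs are compared case-insensitively, as AD does. Anything other than
    exactly one match is treated as a failed lookup.
    """
    matches = [
        entry for entry in directory
        if entry["userPrincipalName"].lower() == name_id.lower()
    ]
    if len(matches) != 1:
        return None
    return matches[0]["sAMAccountName"]


def resolve_saml_user(assertion_xml, directory):
    """Map an assertion to an AD account the way the reply describes."""
    name_id, _fmt = extract_name_id(assertion_xml)
    account = lookup_by_upn(name_id, directory)
    if account is None:
        return {"name_id": name_id, "account": None,
                "reason": "no AD account with a matching userPrincipalName"}
    return {"name_id": name_id, "account": account, "reason": "ok"}


def accounts_missing_suffix(directory, suffix):
    """Accounts whose UPN does not end in the suffix the IdP emits.

    Useful as a pre-flight check before enabling SAML logon: every one of
    these users would fail the lookup above.
    """
    wanted = "@" + suffix.lower()
    return [
        entry["sAMAccountName"] for entry in directory
        if not entry["userPrincipalName"].lower().endswith(wanted)
    ]


if __name__ == "__main__":
    print(resolve_saml_user(SAMPLE_ASSERTION, DIRECTORY))
    print("accounts needing a UPN suffix change:",
          accounts_missing_suffix(DIRECTORY, "corp.example"))
```

Running it resolves the constructed assertion to `jdoe`, while `accounts_missing_suffix` flags `bsmith`: that user's UPN still carries the internal suffix, so an IdP NameID of `bsmith@corp.example` would find no match until the UPN suffix is added in AD.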