  • 3

Workspace App SAML Support


John Kalleen

Question

Hey all, I hope someone has an answer different than what I think it is:

 

Situation: 

We use Azure MFA for our IDP, this is set up as a SAML server on our NetScaler gateway (12.1.49.23) and has been working just fine for Receiver for Web users connecting through the gateway to StoreFront.

Second factor on gateway is LDAP with passthrough to StoreFront.

We were told by product managers at Citrix that Workspace App (testing with 1809) was going to include native SAML support as long as we were on NetScaler 12.1.48 and higher. 

When I punch in the URL in the Workspace App prompt, I get the typical:

[attached screenshot: Workspace App prompt]

 

I would expect a redirection to Microsoft for authentication but this never happens. 

 

Tried:

Changing the SAML server binding on the NetScaler from redirect to post. Same issue.

Removed the SAML auth policy from the gateway VIP altogether. I get all the way through with LDAP and am able to launch apps.

 

Basically, I never get a prompt as long as a SAML is the first factor in the stack. Anyone else trying to do this?

Thanks...

 


14 answers to this question

Recommended Posts

  • 2

I got this working for my scenario, which is that Azure is the IDP, i.e. the user authenticates to Azure where they also get an MFA challenge ... here is a fast reply on that config, apologies if not sufficient info right now ...

 

First, using Azure as the IdP means the Netscaler is an SP, which means we will need the AAA feature/Enterprise license.

https://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-sp.html

 

In the Netscaler Gateway you should have created a SAML Server and possibly an authentication Policy for Azure; how to is documented in several places, notably

https://www.carlstalhood.com/citrix-federated-authentication-service-saml/#samlflow

 

We can bind that auth policy to the Gateway VS and it will work nicely for web login but not for Receiver/Workspace.

 

As mentioned in posts above we need to do an nFactor setup to get Receiver connectivity, so if you added the SAML policy as a basic auth to your VS, remove the binding.

 

Netscaler 12.1 > Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy > create an AAA Auth policy; the action is set as the Azure SAML server you have already configured, the expression would be TRUE.

 

Now create an AAA Server, use the same Server cert as you use for the Gateway VS, non-addressable IP, and under advanced authentication policy, add the policy you created in the step above.

 

Now to the gateway virtual server where under "Authentication Profile" you "add" a new Authentication profile and associate it with the AAA VS created in the previous step.

 

Save your config and you should now be able to connect using Receiver 14.12 client, Workspace 1812 client and via browser. (I also note the normal browser session policy works nicely for the clients, no need for a dedicated receiver session policy).

 

Our setup and requirements are basic and not exactly like yours, so it wouldn't help exactly, but hopefully it points you in the right direction.

Cheers,

Aengus

Edited by amoran393
grammar
  • Like 2
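For readers who prefer the command line to the GUI path in Aengus's answer, the following is the equivalent NetScaler 12.1 nsCLI configuration. It is an added example, not Aengus's or Citrix's own config: every object name (SAML-Azure-Action, AAA-nFactor, Gateway-VS, the certificate key names), the tenant URL and the gateway issuer name are assumed placeholders that must be replaced with your own values. It covers only the SAML first factor that Aengus describes; the LDAP second factor the original question mentions would need an additional policy label and is not shown. The signature-related options are defensive settings worth keeping: requiring signed assertions and pinning the signature and digest algorithms stops an unsigned or weakly signed assertion from being accepted by the SP.

```text
# Added example (not from the thread): nsCLI form of the GUI steps above on NetScaler 12.1.
# All names, certificates and URLs below are assumed placeholders.

# 1. SAML action (SP side). "AzureAD-IdP-Cert" is the IdP signing certificate already
#    imported on the NetScaler; "Gateway-Cert" is the gateway's own server certificate,
#    reused to sign AuthnRequests. Replace <TENANT-ID> with your Azure AD tenant ID.
add authentication samlAction SAML-Azure-Action -samlIdPCertName AzureAD-IdP-Cert -samlSigningCertName Gateway-Cert -samlRedirectUrl "https://login.microsoftonline.com/<TENANT-ID>/saml2" -samlIssuerName "https://gateway.example.com" -samlBinding POST -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# 2. Advanced (nFactor) authentication policy: expression TRUE, action = the SAML server.
add authentication Policy SAML-Azure-Policy -rule TRUE -action SAML-Azure-Action

# 3. Non-addressable AAA virtual server (IP 0.0.0.0) using the same certificate as the gateway VS.
add authentication vserver AAA-nFactor SSL 0.0.0.0
bind ssl vserver AAA-nFactor -certkeyName Gateway-Cert

# 4. Bind the advanced policy to the AAA vserver as the first factor.
bind authentication vserver AAA-nFactor -policy SAML-Azure-Policy -priority 100

# 5. Authentication profile that points the gateway at the AAA vserver, then attach it.
add authentication authnProfile AAA-nFactor-Profile -authnVsName AAA-nFactor
set vpn vserver Gateway-VS -authnProfile AAA-nFactor-Profile

# 6. If the SAML server was previously bound to the gateway as a basic (classic) policy,
#    remove that binding so only the nFactor path is evaluated (policy name assumed).
unbind vpn vserver Gateway-VS -policy SAML-Azure-Classic-Policy

# 7. Check the result and persist it.
show authentication vserver AAA-nFactor
show vpn vserver Gateway-VS
save ns config
```

After step 5 the gateway no longer evaluates its own basic authentication bindings for the login flow; the AAA vserver does, which is why step 6 matters. If the browser login works but the Workspace App still loops, confirm with `show vpn vserver Gateway-VS` that the authnProfile is set and that no classic SAML policy remains bound.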
  • 0

One thing I've just come across is the presence of any subsequent session policies bound to the vServer containing EPA scans causing this error post-auth (noted this on 12.1 b50.28 specifically but suspect it was the same issue I was having on 50.31 post SAML auth). Even if the first bound policy is the Receiver policy, somehow the web policies with EPA scans on them are being evaluated and causing the connection to crap out post auth. As soon as those are unbound, Workspace App sets up the store no problem. Strangely none of this is a problem if reverting to basic auth. Going to investigate this with support.

  • 0

Awesome, I'd still recommend keeping the Receiver policy in place though. Side note: my issue above was resolved; bound policies (in our case EPA policies) cannot have a pipe in them ( || ) or it causes the error message. Doesn't matter if the Receiver policy gets hit first, the mere presence of || in a bound policy expression created an issue. Also, found a potential bug in 12.1 b50.31: if using a custom theme and advanced policies, you may get a "cannot complete your request" message when visiting the page. Harmless error but confusing. Doesn't show up if using basic auth policies. Workaround for the moment is a downgrade or reverting to a default theme, but have a case opened with support.

  • 0

I had to upgrade my 12.1 48.13 Netscalers to 12.1 5.31 to get it to work.

Aengus

 

Update: I'm now not 100% sure that 12.1 48.13 needed an update. I found an issue where I had a custom portal page assigned to one VS and that was causing a problem, so if you are on 12.1 48.13, set your VS's portal page to default and test login before choosing the firmware update option.

  • 0

I've done the config and it works 100% for web; however, when attempting to use Workspace App 19.11 it goes through the login process successfully and when it redirects back to the Workspace App for application enumeration it keeps on providing an authentication popup box. I've tried manually authenticating, session policies are still split. Anyone have an article covering the Workspace App nFactor authentication configuration that's working?

 

[attached screenshot: Workspace App authentication popup]

 

 

  • 0
On 2/6/2019 at 2:47 AM, Aengus Moran1709153428 said:

I got this working for my scenario, which is that Azure is the IDP, i.e. the user authenticates to Azure where they also get an MFA challenge ... here is a fast reply on that config, apologies if not sufficient info right now ...

 

First, using Azure as the IdP means the Netscaler is an SP, which means we will need the AAA feature/Enterprise license.

https://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-sp.html

 

In the Netscaler Gateway you should have created a SAML Server and possibly an authentication Policy for Azure; how to is documented in several places, notably

https://www.carlstalhood.com/citrix-federated-authentication-service-saml/#samlflow

 

We can bind that auth policy to the Gateway VS and it will work nicely for web login but not for Receiver/Workspace.

 

As mentioned in posts above we need to do an nFactor setup to get Receiver connectivity, so if you added the SAML policy as a basic auth to your VS, remove the binding.

 

Netscaler 12.1 > Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy > create an AAA Auth policy; the action is set as the Azure SAML server you have already configured, the expression would be TRUE.

 

Now create an AAA Server, use the same Server cert as you use for the Gateway VS, non-addressable IP, and under advanced authentication policy, add the policy you created in the step above.

 

Now to the gateway virtual server where under "Authentication Profile" you "add" a new Authentication profile and associate it with the AAA VS created in the previous step.

 

Save your config and you should now be able to connect using Receiver 14.12 client, Workspace 1812 client and via browser. (I also note the normal browser session policy works nicely for the clients, no need for a dedicated receiver session policy).

 

Our setup and requirements are basic and not exactly like yours, so it wouldn't help exactly, but hopefully it points you in the right direction.

Cheers,

Aengus

 

Even though it is an older discussion, I want to confirm that Workspace app (today's version 2105) requires an AAA virtual server with an advanced authentication policy to make it work with SAML. So it's still a valid point. To be honest, I like that AAA policy / approach, it offers more features afterwards, but be aware that AAA is NOT included in ADC's Standard license.

One additional step you have to do before you bind the AAA virtual server on the Citrix Gateway virtual server: create an authentication profile, which can be bound there.

  • 0
On 1/27/2020 at 2:11 AM, Darren Girling said:

I've done the config and it works 100% for web; however, when attempting to use Workspace App 19.11 it goes through the login process successfully and when it redirects back to the Workspace App for application enumeration it keeps on providing an authentication popup box. I've tried manually authenticating, session policies are still split. Anyone have an article covering the Workspace App nFactor authentication configuration that's working?

 

[attached screenshot: Workspace App authentication popup]

 

 

Did you ever resolve this? We have the same issue. (FYI, AAA is now included in the standard license in version 13.)

  • 0
On 9/16/2021 at 11:16 AM, Mark Koncurat said:

Did you ever resolve this? We have the same issue. (FYI, AAA is now included in the standard license in version 13.)

Did @Darren Girling or @Mark Koncurat ever resolve this issue? I'm running into the same issue.

 

Edit: I found the solution for my issue; it was related to StoreFront's beacon configuration.

Edited by Mitch Bonner
found solution