PhenixID

Step by Step – Citrix Cloud MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and SSO for Citrix Cloud.

System Requirements

  • PhenixID Authentication Services 4.0 or higher
  • Citrix Cloud administrative rights
  • Citrix Cloud connectivity to Active Directory (LDAP or cloud connector)
  • PhenixID Authentication Services connectivity to Active Directory (LDAP)

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow
  3. Make the following adjustments:
    1. Fetch these attributes from Active Directory:
      userPrincipalName,givenName,sn,mail,objectSid,objectGUID
    2. Add these attributes as binary attributes:
      objectSid,objectGUID
    3. Click Add valve. Enter PropertySIDBinaryToStringValve. Add these parameters:
    4. Move the newly added valve to be executed after LDAPSearchValve.
    5. Click Add valve. Enter PropertyGUIDBinaryToStringValve. Add these parameters:
    6. Move the newly added valve to be executed after LDAPSearchValve.
    7. Click AssertionProvider
    8. Set NameID Attribute = userPrincipalName
    9. Set additional attributes = userPrincipalName,mail,givenName,sn,sid,oid

  4. Save.
  5. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and download the metadata to an XML file, idp.xml.

Configure Citrix Cloud

The instruction below is based on the official Citrix documentation. Read the documentation for detailed requirements.

  1. Follow the steps at https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/saml-identity.html#configure-the-saml-provider-metadata -> Create a SAML connector application
  2. Continue with https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/saml-identity.html#configure-the-saml-provider-metadata -> Add SAML provider metadata to Citrix Cloud :
    1. Open idp.xml in a text editor
    2. Copy the entityID value
    3. Paste the value to the entityID field
    4. Copy the SingleSignOnService->location value
    5. Paste the value to the SSO Service URL field
    6. Select Binding mechanism = POST
    7. Select SAML Response = Signed response
    8. Export the IdP SAML Signing certificate to a file by following this instruction.
    9. Select Upload file and point to the newly created certificate file
    10. Select Authentication Context = Unspecified / Minimum
    11. Set Logout URL = https://<idp_domain>/saml/authenticate/logout/
    12. Set attribute names:
      1. User Display Name = displayName
      2. User Given Name = givenName
      3. User Family Name = sn
      4. Security identifier = sid
      5. User Principal Name = userPrincipalName
      6. Email = mail
      7. AD Object identifier = oid
    13. Save the config
  3. Enable SAML for Workspaces

Add Citrix Cloud as a trusted Service Provider to PhenixID Authentication Services

  1. Log in to the configuration manager
  2. Scenarios->Federation
  3. SAML Metadata upload
  4. Enter a name. Click Next
  5. Add the Citrix Cloud metadata url (currently https://saml.cloud.com/saml/metadata).
    (If your PhenixID Authentication Services server is not able to reach external resources, browse to https://saml.cloud.com/saml/metadata on another device and download the metadata to a file. Then upload the file in the SAML Metadata upload scenario).

Test

Browse to your Citrix Cloud instance.

You should be redirected to PhenixID Authentication Services.

Authenticate.

You should be redirected back to Citrix Cloud.

You should now be logged in to Citrix Cloud with the correct permissions.

Debug

Add a SAML message debug tool, such as SAML Tracer, to your web browser.

Enable the SAML message debug tool and perform the authentication again to verify that the SAML message contains all the necessary information.
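To make this check concrete, the following is an added Python example (not PhenixID or Citrix code) that inspects a captured assertion for the NameID and the attribute names mapped in this guide, and shows the binary-to-string conversion of objectSid and objectGUID that the two valves in the IdP execution flow perform. The sample SID, GUID and assertion are constructed for illustration, and the assertion deliberately omits oid so the check reports it.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The attribute names Citrix Cloud is mapped to in this guide, plus the NameID source.
REQUIRED = {"userPrincipalName", "mail", "givenName", "sn", "sid", "oid"}

def sid_bytes_to_string(raw):
    """Binary objectSid -> 'S-1-5-21-...' text, as the SID valve has to produce it."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")              # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)   # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def guid_bytes_to_string(raw):
    """Binary objectGUID (AD's mixed-endian layout) -> canonical text form."""
    return str(uuid.UUID(bytes_le=raw))

def check_assertion(xml_text):
    """Return (name_id, attributes, problems) for one SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    problems = ["missing attribute: " + n for n in sorted(REQUIRED - attrs.keys())]
    if name_id != attrs.get("userPrincipalName", [None])[0]:
        problems.append("NameID is not the userPrincipalName")
    sid = attrs.get("sid", [""])[0] or ""
    if sid and not sid.startswith("S-1-5-"):
        problems.append("sid is not in string form (binary-to-string valve missing?)")
    return name_id, attrs, problems

# Constructed sample values (not from a real directory).
SAMPLE_SID = bytes.fromhex("010500000000000515000000010000000200000003000000e9030000")
SAMPLE_GUID = bytes.fromhex("d4c3b2a1f6e5180729304a5b6c7d8e9f")
# 'oid' is deliberately left out of this assertion so the check has something to report.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="userPrincipalName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sid"><saml:AttributeValue>S-1-5-21-1-2-3-1001</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""
```

Paste the decoded assertion from SAML Tracer into check_assertion to get the same report for a real login; an empty problems list means every attribute mapped in the Citrix Cloud configuration is present.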

Verify


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se