PhenixID

Step by Step – Citrix StoreFront MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and single sign-on for Citrix StoreFront (https://docs.citrix.com/en-us/storefront/current-release.html) using SAML2.

 

System Requirements

  • PhenixID Authentication Server 2.8 or higher
  • Citrix StoreFront version 3.9 or higher
  • StoreFront administration rights
  • The users to be federated must be present in the LDAP store connected to StoreFront (usually Active Directory)

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and single sign-on for Citrix StoreFront.

PhenixID Server acting as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Depending on your setup, fetch the AD userID value from the appropriate attribute (typically sAMAccountName or userPrincipalName) on the user object.
  3. Use sAMAccountName/userPrincipalName as Name ID attribute.
  4. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”. Save.
  5. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and download the metadata to an XML file.
  6. Save the IDP Signing Certificate as a file (follow this instruction)
  7. Fetch the IdP entityID value (see below).
  8. Fetch the IdP Post SSO value (see below).

  9. Click Execution Flow
  10. Expand the execution flow containing the AssertionProvider valve
  11. Expand the AssertionProvider valve
  12. Add two keys under Miscellaneous
    1. signMessage = false
    2. signAssertion = true
  13. Click Save
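
Steps 5 to 8 can be cross-checked directly against the exported metadata file. The following is an added example (not PhenixID or Citrix code) that reads a SAML IdP metadata document and returns the entityID, the HTTP-POST SSO address and the SHA-256 fingerprint of each signing certificate, and flags a non-HTTPS endpoint or a `WantAuthnRequestsSigned="true"` attribute. The sample metadata, host name and alias are constructed, and it is an assumption that the IdP publishes the "Require signed requests" setting through that standard attribute.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample: host, alias and "certificate" bytes are placeholders.
_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.test/saml/authenticate/alias"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return the values StoreFront needs plus findings worth reviewing."""
    # ElementTree does not limit entity expansion, so refuse DTDs up front.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("expected a single EntityDescriptor with an IDPSSODescriptor")
    post = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST]
    certs = [hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' covers signing too
             for c in kd.findall(".//ds:X509Certificate", NS)]
    findings = []
    if not post or any(not url.lower().startswith("https://") for url in post):
        findings.append("missing or non-HTTPS HTTP-POST SSO endpoint")
    if not certs:
        findings.append("no signing certificate published")
    if idp.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1"):
        findings.append("IdP requires signed requests (step 4 not applied)")
    return {"entityID": root.get("entityID"), "post_sso": post,
            "signing_cert_sha256": certs, "findings": findings}


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE))
```

The fingerprint can be compared with the SHA-256 thumbprint of the certificate file imported into StoreFront, so a stale or swapped signing certificate is caught before testing.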

Configure Citrix StoreFront

  1. Open the StoreFront management console
  2. Select the store that you wish to use SAML for
  3. Click Manage authentication methods
  4. Select SAML Authentication -> Identity Provider
  5. This dialog will appear.

    Enter the following values:
    – SAML Binding = Post
    – Address = <Enter the IdP Post SSO value fetched in previous step>
    – Signing Certificates = Click Import and upload the cert fetched in previous step (IDP Signing Certificate)
  6. Click OK
  7. Select SAML Authentication -> Service Provider

    – Export Signing Certificate = Click browse and select certificate
    – Service Provider Identifier = Leave default value
  8. Click OK.
  9. Browse to https://<storefront_domain_name>/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata to display StoreFront SAML Service Provider metadata
  10. Save the metadata as an XML file (StoreFront.xml)

Add trust to Citrix StoreFront on PhenixID Authentication Services

  1. Log in to the configuration manager
  2. Open Scenarios->Federation->SAML Metadata upload
  3. Click the plus sign
  4. Add StoreFront SAML SP Metadata by uploading the file downloaded in previous step (StoreFront.xml)

Test

  1. Browse to your Citrix StoreFront site
  2. This should result in a redirect to PhenixID Authentication Server
  3. Authenticate
  4. If authentication was successful, a redirect to StoreFront should occur (with SAML assertion)
  5. The user should now be logged in.

Troubleshooting

  • If an error message is presented on the PhenixID Authentication Services page, check server.log for details.
  • If an error message is presented on the Citrix StoreFront page, check the Windows Server Event Viewer for details.

