Citrix Workspace with on-premises Citrix Gateway as Idp


Citrix Workspace customers can now use their on-premises Citrix Gateway as their Idp.

Why would customers use an on-premises Citrix Gateway as Idp?

Lots of customers I speak to have already made an investment in on-premises Citrix ADC or Citrix Gateway, so it makes sense for them to want to utilise this investment.

Recently, Citrix announced a new capability which allows Citrix Workspace to use an on-premises Citrix Gateway as Idp. This new capability opens up a vast range of options that Gateway Service cannot currently provide. These options include using third-party Idps such as Google, Ping and Okta, as well as conditional access and various other authentication methods, such as RADIUS authentication, Smart-Card authentication and Pass-Through authentication (Windows Integrated).

This new capability requires Citrix ADC / Gateway version 12.1.53 or higher.

Let’s set this up.

1. Workspace Setup

Login to your Citrix Cloud management portal at https://citrix.cloud.com

Click on the top left hand side “Hamburger Menu” then choose “Identity and Access Management”. See below.

On the “Identity and Access Management” page, scroll down to “Citrix Gateway”, click the menu on the right hand side, and click Connect. See below.

Enter the FQDN of your on-premises Citrix Gateway and click Detect. See below.

If the on-premises Citrix Gateway is detected, you will see “Successfully detected”; now click Continue. See below.

You are now provided with the following details:

  • A Client ID.
  • A Secret.
  • A Redirect URL.

These are required when creating an OAuth Idp profile on the on-premises Citrix Gateway. Leave this page open and do not click “Test and Finish” yet. We need to configure the on-premises Citrix Gateway first, and we need this data to do so (which is the next step). See below.

2. OAuth Idp Profile setup on the on-premises Citrix Gateway

Log into your on-premises Citrix Gateway management portal and navigate to “Configuration > Security > AAA Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP”, click the Profiles tab, then click Add to add a new OAuth Idp profile. See below.

Here’s where we need the data from the Workspace Setup (Previous step).

The following needs to be added:

  1. Workspace Name = Choose a workspace name.
  2. Client ID = The client ID from the Workspace Setup (Copy and paste).
  3. Client Secret = The Secret from the Workspace Setup (Copy and paste).
  4. Redirect URL = The Redirect URL provided (Copy and Paste).
  5. Issuer Name = FQDN of the on-premises Citrix Gateway.
  6. Audience = The client ID from the Workspace Setup (Copy and paste).
  7. Tick “Send Password”.

Leave all other fields as default and click Create. See below.

Your new OAuth profile should be listed. See below.

3. OAuth Idp Policy setup on the on-premises Citrix Gateway

Next we need to set up an OAuth Idp Policy on the on-premises Citrix Gateway. Click the “Policies” tab and click Add. See below.

  • Enter a name for the new OAuth Policy.
  • In the action field, select the OAuth Profile you created previously.
  • Type True in the expression field.

Leave all other fields as default and click Create. See below.

4. Bind OAuth Idp Policy to Authentication Virtual Server

Now we need to bind the OAuth Idp Policy to the Authentication Virtual Server on the on-premises Citrix Gateway.

Navigate to “Configuration > Security > AAA Application Traffic > Authentication Virtual Servers” and click to select your Authentication Virtual Server in the list. See below.

Click to select the OAuth Idp Policies under Advanced Authentication Policies. See Below.

Click Add Binding. See below.

Select the OAuth Idp Policy you created previously, change the Priority to 10 and click Bind. See below.

The OAuth Idp Policy is now bound to the Authentication Virtual Server and will be listed on the Authentication OAuth Idp Policy page. Once confirmed, click Close. See below.

5. Create and bind Authentication Profile to Citrix Gateway Virtual Server

If you haven’t already created an Authentication Profile, navigate to “Configuration > Security > AAA Application Traffic > Authentication Profile” and click Add. See below.

  • Enter a name for the Authentication Profile.
  • Enter the name of the Authentication Host (this is the name of your Authentication vServer).
  • Choose Virtual Server Type “Authentication Virtual Server”
  • Select your Authentication Virtual Server from the drop down menu.

Leave all other fields as default and click Create. See below.

We now need to bind the Authentication profile to the Citrix Gateway Virtual Server.

Navigate to “Configuration > Citrix Gateway > Citrix Gateway Virtual Servers” select the checkbox for your Citrix Gateway Virtual Server and click edit. See below.

Scroll down to Authentication Profile and click the edit icon. See below.

Select the Authentication Profile you created and click OK. See below.

The Authentication Profile should now be listed. See below.

Scroll to the bottom of the page and click Done to complete the configuration.

6. Bind certificate globally to VPN

This step requires CLI access to the on-premises Citrix Gateway. Using PuTTY (or similar), log in to the on-premises Citrix Gateway using SSH.

Once logged in, type show vpn global.

No certificate should be bound. See below.

Now type show ssl certkey to list the certificates on the on-premises Citrix Gateway. Choose the appropriate certificate and type the following command to bind it globally to VPN:

bind vpn global -certkey cert_key_name

(Where cert_key_name is the name of your certificate)

Now type show vpn global again, and the certificate should now be bound globally to VPN. See below.

7. Check NTP Server and Synchronization

It’s important to make sure that you have a valid NTP server configured and that the local clock is synchronized with it. The tokens the Gateway issues carry issue and expiry times, so a Gateway clock that drifts from the consuming side produces authentication failures that are otherwise hard to explain.

Navigate to “Configuration > System > NTP Servers” click Add. See below.

  • Add the address of the NTP Server you wish to use. (IP or FQDN).

Leave all other fields as default and click Create. See below.

The NTP Server you just created will now be listed under NTP Servers. See below.

To synchronize the Citrix ADC local clock with the NTP Server, select the checkbox of the NTP Server, click the Select Actions drop down menu and click NTP Synchronization. See below.

Enable NTP Synchronization and click OK. See below.
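Two of the values entered in step 2 (Issuer Name = the Gateway FQDN, Audience = the Client ID) and the clock synchronization in step 7 all feed into the same thing: the consumer of the token checks its issuer, audience and lifetime claims, and a wrong value or a skewed clock rejects an otherwise valid sign-on. The Python below is an added example, not code from this post or from Citrix. It builds a constructed ID token (HS256 with a made-up shared secret, purely so it runs offline; a real Gateway signs with its certificate) and validates it the way a generic OAuth/OIDC relying party does, including a tolerance for clock skew. The FQDN, Client ID, secret and the 60-second skew window are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the data exchanged in steps 1 and 2 (assumptions).
GATEWAY_FQDN = "gateway.example.com"        # Issuer Name entered in step 2
CLIENT_ID = "workspace-client-id-example"   # Client ID from step 1, also used as Audience
SHARED_SECRET = b"constructed-demo-secret"  # demo signing key only; not how the Gateway signs


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(iss: str, aud: str, issued_at: int, lifetime: int = 300,
                  key: bytes = SHARED_SECRET) -> str:
    """Build a constructed HS256 JWT carrying the claims a relying party will check."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": iss,                    # must equal the Issuer Name configured on the Gateway
        "aud": aud,                    # must equal the Client ID Workspace handed out
        "iat": issued_at,              # both timestamps come from the Gateway's clock (step 7)
        "exp": issued_at + lifetime,
        "sub": "user@example.com",     # constructed subject
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_iss: str, expected_aud: str, now: int,
                      skew: int = 60, key: bytes = SHARED_SECRET):
    """Return (ok, reason). Order matters: never read claims before the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"       # Issuer Name in step 2 does not match the FQDN
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        return False, "audience mismatch"     # Audience in step 2 does not match the Client ID
    if claims.get("iat", 0) > now + skew:
        return False, "token issued in the future (clock skew)"
    if claims.get("exp", 0) < now - skew:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_id_token(GATEWAY_FQDN, CLIENT_ID, now)
    print(validate_id_token(token, GATEWAY_FQDN, CLIENT_ID, now))
    # A consumer whose clock is ten minutes behind the Gateway sees a token from the future.
    print(validate_id_token(token, GATEWAY_FQDN, CLIENT_ID, now - 600))
```

The last call in the usage block is the step 7 failure mode in miniature: the token is perfectly good, but a clock ten minutes behind the issuer rejects it as not yet valid, and a clock ten minutes ahead would reject it as expired just as quickly.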

8. Check AD User properties

On your domain controller, open up AD Users and Computers. Double check that the following user properties are populated for all Workspace user objects:

  • Email address.
  • Display name.
  • Common name.
  • SAM account name.
  • User Principal Name.
  • OID.
  • SID.

9. Complete Workspace configuration

Now we need to go all the way back to Citrix Workspace and click the “Test and Finish” button. See below.

We should now see the Citrix Gateway listed as “connected” under Identity and Access > Authentication. See below.

Now that we have configured the Citrix Gateway as an Idp option, the final step is to enforce this authentication method within the Workspace Configuration in order to use it.

Click on the top left hand side “Hamburger Menu” then click “Workspace Configuration”. See below.

Select the “Authentication” tab and choose “Citrix Gateway” as the authentication method that your subscribers will use to sign in to their Workspace.

Click the radio button to acknowledge the warning box regarding user experience. See below.

You have now successfully completed all steps required to use your on-premises Citrix ADC / Gateway as Idp with Citrix Workspace 🙂

All that’s left to do is to test it out.

10. Completed

To test, open up Workspace. When a user attempts to open their workspace, either through the HTML5 version or an installed version of Workspace App, they will be redirected to the on-premises Citrix Gateway for authentication. See below.

Once authenticated, the user will be redirected back to their Workspace. See below.
