Connecting Citrix StoreFront with DigitalPersona STS

The following sections describe how to integrate Citrix® StoreFront® with DigitalPersona STS using AD FS enabling the use of DigitalPersona’s multi-factor authentication.

If AD FS is not available, contact DigitalPersona customer support for an alternative solution of SAML2P protocol usage.

This sample integration is illustrated using the following data:

  • Domain name: DC3.COM

  • ADFS location: adfs.dc3.com

  • DigitalPersona STS location: dpsts.dc3.com

  • StoreFront location: sf.dc3.com

Note: The most important section is StoreFront: Enable SAML Authentication. Use of the information in the other sections may vary depending on your specific configuration and should be adjusted by IT personnel accordingly. It is provided here only as an example of one possible simple configuration.
Prerequisites: The following software applications and components must be installed and properly configured prior to beginning integration:

  • Citrix Directory Controller

  • Citrix StoreFront

  • Citrix VDAs

  • Certificate Authority (only for FAS)

  • Microsoft AD FS

  • DigitalPersona Web Management Components (WMC)

  • HID DigitalPersona Web Access Management

  • HID DigitalPersona Security Token Service (STS)

    HID DigitalPersona Security Token Service (STS) must be registered in ADFS as a claim provider. For detailed instructions on how to install and configure the DigitalPersona Web Management Components, see Installing the Web Management Components.

    Optionally, instead of using the DigitalPersona Web Management Components, you can use the DigitalPersona ADFS Extension, which adds multi-factor authentication (fingerprints, OTP, face, and passkeys (device-bound and synced)) to an ADFS environment. For details, see Integrating the DigitalPersona ADFS Extension.

    ADFS and StoreFront configuration will remain the same.

Configure Basic SAML Authentication

AD FS: Export the Signing Certificate

  1. In AD FS, select Service then Certificates.

  2. In the middle Certificates panel, right-click on the Token-signing certificate and select View Certificate.

  3. On the Certificate dialog, select the Details tab. Then click Copy to File.

  4. The Certificate Export Wizard appears. On the first page, click Next.

  5. On the Export File Format page, select DER encoded binary X.509 (.CER) as the format and click Next.

  6. On the File to Export page, enter the certificate file name and the location to export it to, click Save, and then click Next.

  7. Click OK, and then on the final page, click Finish to complete the export.

StoreFront: Enable SAML Authentication

In StoreFront, enable SAML authentication and provide ADFS parameters.

  1. Open the StoreFront Management console, select the store you want to configure and choose Manage Authentication Methods.

  2. Click the SAML Authentication option to enable the authentication method and click on the down arrow and select Identity Provider.

  3. On the Identity Provider dialog:

    • Select Post for SAML Binding

    • For the Address, enter https://adfs-domain-name/adfs/ls/

    • Under Signing Certificates, click Import and select the certificate from the previous step.

  4. Next, select Service Provider.

  5. For the Service Provider Identifier, enter http://storefront-domain-name/Citrix/Authentication

  6. Also check that SAML authentication is enabled for Web Receivers as well:

    1. In Citrix Studio, select a Store.

    2. In the Actions panel, select Manage Receivers for Web Sites.

    3. On the Authentication Methods tab, ensure that SAML Authentication is checked and then click OK.

  7. Run the following PowerShell script to enable Pass-through authentication:

    Copy 
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

AD FS: Add a New Relying Party Trust

  1. In the AD FS Console, select Relying Party Trusts.

  2. In the Actions panel, select Add Relying Party Trust.

  3. In the Add Relying Party Trust Wizard, select Claims aware and click Next.

  4. Select Import data .... published online and enter the Citrix SAML metadata URL, then click Next.

    URL: https://storefront-domain-name/Citrix/Authentication/SamlForms/ServiceProvider/Metadata

  5. On the next page, specify a Display name for this relying party and click Next.

  6. Choose an Access Control Policy and click Next.

  7. Review the proposed changes and click Next.

  8. On the Finish page, ensure that the Configure claims issuance policy for this application is selected and click Close.

AD FS: Add Claims Issuance Rules

  1. In the AD FS Console navigation window, select Relying Party Trusts and select the created relying party trust.

  2. In the Actions panel, select Edit Claim Issuance Policy.

  3. In the Edit Claim Issuance Policy ... dialog, click Add Rule to display the Add Transform Claim Rule Wizard.

  4. On the Select Rule Template page of the wizard, select Send Claims Using a Custom Rule and click Next.

  5. Enter the following custom rule.

    Copy 
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);

  6. Click Finish and then on the final page of the wizard, click OK.

  7. Execute the PowerShell code shown below to specify a default claim provider for StoreFront. Use the name of the created relying party for the TargetName parameter:

    Copy 
    Set-AdfsRelyingPartyTrust -TargetName sf.dc3.com -ClaimsProviderName "DigitalPersona STS"

Testing

Use the built-in test app to test this feature.

  1. Navigate to https://storefront-domain-name/Citrix/Authentication/SamlTest

  2. Authenticate in DigitalPersona STS.

  3. Navigate to https://storefront-domain-name/Citrix/StoreWeb/

  4. Check that authentication works and users can open the StoreFront home page.

Configure the Federated Authentication Service

At this point, a user must authenticate twice. The first authentication is when signing in to the StoreFront website. The second authentication is needed to launch a remote app or open a remote desktop.

However, using Citrix Federated Authentication Service (FAS) it is possible to configure SSO-like behavior so that a user only needs to authenticate once, i.e. the second authentication is not required.

Install FAS

  1. Run the Citrix Installer.

  2. Select the Federated Authentication Service.

  3. Complete the installation using all default settings.

Configure the GPOs

  1. Deploy the required GPO templates by copying the ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to C:\Windows\PolicyDefinitions

  2. Navigate to the Federated Authentication Service policy and edit the GPO.

    Apply this GPO setting to all StoreFront servers, all FAS servers, and all VDAs.

  3. Open the Federated Authentication Service policy and select Enabled. This allows you to select the Show button, where you configure the FQDNs of your FAS servers.

Configure FAS

  1. Launch the Citrix FAS Administration Console and on the Initial Setup tab, complete the following steps.

    1. To Deploy certificate templates, click Deploy then click OK.

    2. To Set up a certificate authority, click Publish, select your certificate authority and click OK.

    3. To Authorize this service, click Authorize, select your certificate authority and click OK.

      This step initiates the authorization of FAS. The administration console uses the Citrix_RegistrationAuthority_ManualAuthorization template to generate a certificate request, and then sends it to one of the certificate authorities that are publishing that template.

      After the request is sent, it appears in the Pending Requests list of the Microsoft Certification Authority console as a pending request from the FAS machine account. The certificate authority administrator must issue or deny the request before configuration of FAS can continue.

      The FAS administration console displays a busy ‘spinner’ until the administrator chooses Issue or Deny.

      In the Microsoft Certification Authority console:

      1. Select Pending Requests.

      2. Right-click the pending request and select All Tasks then Issue.

        The authorization certificate will be issued and displayed.

  2. Return to the FAS Administration Console and click Refresh.

  3. To create a rule, click Create to start the Rule Creation wizard which gathers information to create the rule.

  4. Use the following sample data:

    • Rule name: default

    • Template: Citrix_Smartlogon

    • Certificate authority: <Select your CA>

  5. On the Access Control page, click Manage StoreFront access permissions.

  6. In the Permissions for StoreFront Servers dialog, select Allow next to Assert Identity and then click OK.

  7. In the Create Rule wizard, click Next.

  8. On the Restrictions page, click Next.

  9. On the Summary page, click Create.

Activate FAS

Run the following PowerShell script to connect the configured FAS and StoreFront:

Copy 
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

Testing

  1. Navigate to https://storefront-domain/Citrix/StoreWeb/

  2. Authenticate once in DigitalPersona STS.

  3. Run any app from the StoreFront portal.

The remote app should work without additional authentication.