Overview
This is a Quickpost about a desired architecture with Citrix DaaS, where a NetScaler acts as OAuth IdP (DaaS Workspace Authentication is set to Citrix Gateway or Adaptive Authentication) and, at the same time, as OAuth SP towards Azure AD.
The goal is to do on-prem AD group extraction first, then authentication to Azure AD, then the redirect to Cloud Workspace. Why? Because the customer wants to go all-in on OAuth / OpenID Connect instead of SAML. Its certificate renewal is easier, and there is login_hint support, so your users don’t have to enter their UPN more than once.
Issue
The setup isn’t that complicated. On the AAA vServer, there’s the OAuth IdP Policy for Citrix DaaS:

And there’s a no-auth group extraction LDAPS Policy followed by the OAuth SP Policy linked to Azure AD:

You may have noticed the featured image of this post, which contains the error message from Azure AD. Spoiler alert: this configuration is currently not working. I’ve reported and traced the issue to the Citrix Product Management and Engineering team. They were able to reproduce the issue and raised an internal JIRA ticket, NSAUTH-13209, for process tracking.
The state parameter in the request adds a lot of characters, too many for Azure AD, which is why the error is shown. Removing the state parameter produces a successful authentication with Azure AD, but a failure on Cloud Workspace, because the now-missing state information carries the required redirect URI data.
Fixing this will require a considerable code change in NetScaler and possibly some enhancement to Citrix’s Workspace Authentication frontend, Athena.
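As an added illustration of the problem described above (this is not code from the post, from Citrix or from NetScaler), the following Python measures each query parameter of an authorization request of the kind the OAuth SP sends to Azure AD, flags the oversized state value, and shows the usual way an SP keeps state short: keep the bulky relay data server-side and send only an opaque handle, which the callback redeems once. The sample URL, the placeholder tenant and client id, the relay payload and the warning threshold are all constructed here; the actual Azure AD limit is not stated in the post.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: a long state value standing in for the relay data
# (Workspace redirect info) that the NetScaler packs into the request.
SAMPLE_STATE = "relay=" + "A" * 2500
SAMPLE_AUTHZ_URL = (
    "https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/v2.0/authorize?"
    + urlencode({
        "client_id": "CLIENT_ID_PLACEHOLDER",
        "response_type": "code",
        "redirect_uri": "https://gateway.example.com/oauth/login",
        "scope": "openid profile email",
        "login_hint": "alice@example.com",
        "state": SAMPLE_STATE,
    })
)

# Assumed threshold for flagging a parameter: the real Azure AD limit is not
# given in the post, so treat this as a tunable, not a documented value.
STATE_WARN_LENGTH = 1024

def param_lengths(authz_url: str) -> dict:
    """Length of each query parameter value in the authorization request."""
    query = parse_qs(urlsplit(authz_url).query, keep_blank_values=True)
    return {name: len(values[0]) for name, values in query.items()}

def oversized_params(authz_url: str, limit: int = STATE_WARN_LENGTH) -> list:
    """Names of parameters whose value exceeds the assumed limit."""
    return [n for n, size in param_lengths(authz_url).items() if size > limit]

class RelayStore:
    """Server-side relay store: the SP keeps the bulky relay data itself and
    sends only a short random handle in ``state``; the callback redeems it once."""
    def __init__(self) -> None:
        self._pending = {}
    def issue(self, relay_data: str) -> str:
        handle = secrets.token_urlsafe(16)  # 22 URL-safe chars, unguessable
        self._pending[handle] = relay_data
        return handle
    def redeem(self, handle: str):
        return self._pending.pop(handle, None)  # single use, so a replay fails

def shrink_state(authz_url: str, store: RelayStore) -> str:
    """Rewrite the request so ``state`` carries a handle instead of the relay data."""
    parts = urlsplit(authz_url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    query["state"] = store.issue(query.get("state", ""))
    return urlunsplit(parts._replace(query=urlencode(query)))
```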
Summary
As soon as I can publish a predictable estimated time of completion, this post will be updated. In the meantime you have to go with SAML for this scenario to work (but make sure to prevent a possible session takeover). Sorry!