Citrix DaaS – NetScaler as IdP with OAuth to Azure AD


Overview

This is a Quickpost about a desired architecture with Citrix DaaS, where a NetScaler acts as OAuth IdP (DaaS Workspace Authentication is set to Citrix Gateway or Adaptive Authentication) and at the same time acts as OAuth SP towards Azure AD.

The goal is to do OnPrem AD group extraction first, then authenticate against Azure AD, then redirect to Cloud Workspace. Why? Because the customer wants to go fully with OAuth / OpenID Connect instead of SAML: certificate renewal is easier, and there is login_hint subject field support, so your users don’t have to enter their UPN more than once.

Issue

The setup isn’t that complicated. On the AAA vServer, there’s the OAuth IdP Policy for Citrix DaaS:

OAuth IdP for Citrix DaaS

And there’s a no-auth group extraction LDAPS Policy followed by the OAuth SP Policy linked to Azure AD:

LDAPS Group Extraction followed by OAuth SP to Azure AD

You may have noticed the image of this post, containing the error message from Azure AD. Spoiler Alert! This configuration is currently not working. I’ve reported and traced the issue to Citrix Product Management and the Engineering Team. They were able to reproduce the issue and raised an internal JIRA ticket NSAUTH-13209 for process tracking.

The state parameter in the request adds a lot of characters, too many for Azure AD, which is why the error is shown. Removing the state parameter produces a successful authentication with Azure AD, but a failure on Cloud Workspace, because the missing state carries the redirect URI information that Workspace requires.
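To make the two failure modes tangible, here is an added example (not code from the post or from Citrix) that inspects an OAuth authorization request the way you would when troubleshooting this flow with a browser trace: it measures the state parameter, checks the required parameters, and reports which side of the chain would break. The authorize URL, the tenant and client IDs, and the state length limit are all constructed placeholders; the post does not give the exact limit Azure AD enforces, so the threshold is an assumption you should replace with the value from your own trace.

```python
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# Constructed sample authorization-code request to Azure AD in the shape a
# NetScaler OAuth SP policy would emit. Tenant id, client id and the state
# value are placeholders; the state is padded to simulate an oversized value.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=CLIENT-ID-PLACEHOLDER"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fgateway.example.com%2Foauth%2Flogin"
    "&scope=openid+profile"
    "&login_hint=user%40example.com"
    "&state=" + ("A" * 2500)
)

# Assumed threshold: the post only states that the state was too long for
# Azure AD, not the exact limit. Replace with the length at which your own
# traces show the rejection.
STATE_LENGTH_LIMIT_ASSUMED = 1024

REQUIRED_PARAMS = ("client_id", "response_type", "redirect_uri", "scope")


def inspect_authorize_request(url, state_limit=STATE_LENGTH_LIMIT_ASSUMED):
    """Return measurements and checks for one authorization request URL."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    state = params.get("state", [""])[0]
    return {
        "url_length": len(url),
        "state_length": len(state),
        "has_state": "state" in params,
        "state_too_long": len(state) > state_limit,
        "missing_params": [p for p in REQUIRED_PARAMS if p not in params],
        # login_hint is what lets the user skip re-typing the UPN
        "login_hint": params.get("login_hint", [None])[0],
    }


def strip_state(url):
    """Rebuild the URL without the state parameter (the workaround the post
    describes, which fixes Azure AD but breaks the Workspace redirect)."""
    parsed = urlparse(url)
    kept = [(k, v) for k, v in parse_qsl(parsed.query, keep_blank_values=True)
            if k != "state"]
    return urlunparse(parsed._replace(query=urlencode(kept)))


def diagnose(url, state_limit=STATE_LENGTH_LIMIT_ASSUMED):
    """Name which hop in the chain fails for this request, per the post's
    description: oversized state -> Azure AD rejects; no state -> Workspace
    cannot complete the redirect because the redirect info lives in state."""
    findings = inspect_authorize_request(url, state_limit)
    if findings["missing_params"]:
        return "invalid: missing " + ", ".join(findings["missing_params"])
    if not findings["has_state"]:
        return "no-state: Azure AD accepts, but the Workspace redirect will fail"
    if findings["state_too_long"]:
        return "state-too-long: Azure AD will reject the request"
    return "ok"


if __name__ == "__main__":
    for label, url in (("original", SAMPLE_AUTHORIZE_URL),
                       ("state removed", strip_state(SAMPLE_AUTHORIZE_URL))):
        f = inspect_authorize_request(url)
        print(f"{label}: url={f['url_length']} chars, state={f['state_length']} chars "
              f"-> {diagnose(url)}")
```

Run it against a URL copied from a browser trace (the request the NetScaler redirects the client to) to see at a glance whether the state is what pushes the request over the limit, and keep the login_hint check: if it is missing, the UPN-only-once benefit the post mentions is lost as well.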

Fixing this will require a considerable code change in NetScaler and possibly an enhancement on Citrix’ Workspace Authentication Frontend – Athena.

Summary

As soon as I am able to publish a predictable estimated time of completion, this post will be updated. In the meantime you have to go with SAML for this scenario to work (but make sure to prevent a possible session takeover). Sorry!
