Skip to main content
Skip table of contents

VeridiumID SSO for Citrix plugin

VeridiumiD SSO for Citrix vs Citrix Federated Authentication Service (FAS)

When you perform passwordless authentication at either Netscaler or Storefront, "VeridiumID SSO for Citrix" is required. This is delivered as part of the VeridiumID platform and offers a secure, single-vendor solution, negating the requirement for the Citrix Federated Authentication Service.
If you have already deployed the Federated Authentication Service (FAS) and would like to continue using it, please ensure FAS is enabled on the Store you configured during the process above. Please refer to this Citrix article should you need support
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service.html#enable-the-federated-authentication-service-plug-in-on-a-storefront-store.

The Guide assumes you already installed the credential provider on the VDA

To Deploy VeridiumID SSO for Citrix, please follow these steps:

Deploy VeridiumiD SSO for Citrix

Procedure:

  1. Install the VeridiumCitrix.msi on the Storefront server.

  2. Open Powershell with admin rights and run the following commands:

    CODE
    cd "C:\\Program Files\\Citrix\\Receiver StoreFront\\Scripts"
    ./ImportModules.ps1

    If you have multiple Storefront stores with a shared authentication service, proceed to step 4. If not, go to step 6.

  3. Run these commands, replacing <StoreName> with the name of the store that hosts the shared authentication service

    CODE
    $siteId = "1"
    $StoreName = "<<StoreName>>"
    $StoreVirtualPath = "/Citrix/" + $StoreName
    $AuthVirtualPath = $StoreVirtualPath + "Auth"
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath  $StoreVirtualPath
    Install-VeridiumFasClaimsFactory –siteId $siteId –virtualPath $AuthVirtualPath
    $store = Get-STFStoreService –VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService –VirtualPath $AuthVirtualPath
    $auth.AuthenticationOptions.CollectFasEvidence = $true
    $auth.Save() 

  4. Please run this command, as many times as necessary, replacing <StoreName> with the name of the other stores that use the shared authentication service.

    CODE
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath /Citrix/<<StoreName>>

    For example, if you have three additional stores sharing the authentication service store1, store2, store3 run this:

    CODE
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath /Citrix/store1
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath /Citrix/store2
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath /Citrix/store3

  5. If your Storefront stores have their own authentication service (out-of-the-box Citrix config) please run these commands for each store, replacing <StoreName> accordingly:

    CODE
    $siteId = "1"
    $StoreName = "<<StoreName>>"
    $StoreVirtualPath = "/Citrix/" + $StoreName
    $AuthVirtualPath = $StoreVirtualPath + "Auth"
    Install-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath  $StoreVirtualPath
    Install-VeridiumFasClaimsFactory –siteId $siteId –virtualPath $AuthVirtualPath
    $store = Get-STFStoreService –VirtualPath "/Citrix/<<StoreName>>"
    $auth = Get-STFAuthenticationService –StoreService $store
    $auth.AuthenticationOptions.CollectFasEvidence = $true
    $auth.Save()

  6. Unfortunately, Citrix do not automatically map DLL versions to deal with backwards and forwards compatibility. Therefore, in every store where the plugin was enabled,, you need to edit web.config in this directory C:\inetpub\wwwroot\Citrix\**Auth, where ** = the store name.

  7. Please note, if you use a shared authentication service (step 4 above) you will only do this in the web.config in the auth directory for the store that hosts the authentication service. This will be obvious, as when a store shares an authentication service it does not have an auth directory.

If you do NOT have a shared authentication service (step 6), do this in the web.config in the **Auth directory for every store that will use "FAS-Less".

On your storefront servers - open PowershellISE and run below command to have recovered the newVersion value that will be required to be updated into C:\inetpub\wwwroot\Citrix**Auth\ web.config file:

CODE
$xmlFileName = $env:windir+"\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
[xml]$xmlDoc1 = Get-Content $xmlFileName
$node = $xmlDoc1.SelectNodes('//configuration/runtime')
$text = $node.Item(0).ChildNodes.Item(0).ChildNodes
$x = $text | select -ExpandProperty ChildNodes
$k = $x | Where name -eq 'Citrix.Storefront.Authentication.Saml'
echo $k.NextSibling.newVersion



In web.config, please add the following after the other dependent assemblies towards the end of the file replacing "newVersion" with the version as specified for Citrix.DeliveryServices.Authentication.Saml20 within C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config.

CODE
<dependentAssembly>
	<assemblyIdentity name="Citrix.DeliveryServices.Authentication.Saml20" publicKeyToken="e8b77d454fa2a856" culture="neutral" /><bindingRedirect oldVersion="3.21.0.0" newVersion="3.22.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Citrix.DeliveryServices.Authentication.Fas" publicKeyToken="e8b77d454fa2a856" culture="neutral" /><bindingRedirect oldVersion="3.21.0.0" newVersion="3.22.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Citrix.DeliveryServices.Authentication.Saml20.Configuration" publicKeyToken="e8b77d454fa2a856" culture="neutral" /><bindingRedirect oldVersion="3.21.0.0" newVersion="3.22.0.0" />
</dependentAssembly>

Install Credential Provider on Citrix VDA

Procedure:

  1. Install the VeridiumID Credential Provider version (As described in the document VeridiumID Active Directory Configuration) Do not reboot

  2. Edit registry as shown here:
    Location:

    CODE
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Virtual Desktop Agent\Authentication\HdxCredentialSelectorPlugins

    Add String: NAME VeridiumAuth
    VALUE {b311c8b4-73f2-4c2f-bc92-fafc00acdc5b}

  3. Reboot machine VDA

At this point, you should be able to successfully login to a Storefront store via VeridiumID (SAML), launch the desktop and be signed in without an additional authentication prompt.
The following steps relate to when you want the same experience when logging into Storefront via Netscaler Gateway (remote user use case).

VeridiumID SSO configuration for Netscaler

If you use Netscaler for remote access, you will need to configure the Netscaler to send the SAML assertion to Storefront.
Please run this command in the Netscaler Shell (This is not possible in the GUI)
set samlAction <saml-action-name> -storeSAMLResponse ON
Where <saml-action-name> is the name of the SAML action bound to the authentication policy.

Uninstalling the Plugin

Run Powershell as admin replacing the placeholder with the name of the store that holds the auth service. If you do not have a shared authentication service (step 4) this will just be the standalone store name.
Open Powershell with admin rights and run the following commands:

CODE
cd "C:\Program Files\Citrix\Receiver StoreFront\Scripts"
./ImportModules.ps1
$siteId = "1"
$StoreName = "<<replacewithauthstorename>>"
$StoreVirtualPath = "/Citrix/" + $StoreName
$AuthVirtualPath = $StoreVirtualPath + "Auth"
uninstall-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath  $StoreVirtualPath
uninstall-VeridiumFasClaimsFactory –siteId $siteId –virtualPath $AuthVirtualPath   

If you do have a shared authentication service, you will also need to remove the VeridiumFasLogonDataProvider from the connected stores.

CODE
uninstall-VeridiumFasLogonDataProvider –siteId $siteId –virtualPath /Citrix/<store_name>

Important: Close open Powershell windows and the Storefront MMC if open. This is very important.
Go to add/remove programs and uninstall the VeridiumID Authentication Service Plugin

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.