Configure Citrix StoreFront to use SAML
Configure Citrix StoreFront to use the VeridiumID platform as an IdP (identity provider) for Citrix Storefront version 3.9 and later.
The installation steps for Citrix StoreFront are fully documented at http://docs.citrix.com. This article assumes the reader is familiar with Citrix StoreFront, its configuration, and its terminology.
This procedure also provides SAML support for Citrix Receiver for Web and native Citrix Receiver for Microsoft Windows.
Configure the StoreFront Identity Provider Store
Before you begin
Download the idp-signing.crt certificate from the Veridium Admin Console by navigating to Configuration, SAML Configuration. On this screen, hover over Change Configuration and select Download IDP Signing certificate.
Copy the idp-signing.crt certificate to an accessible location on the machine running the StoreFront Administration Console. You access this certificate later in these procedures.
Procedure:
Open the Citrix StoreFront Administration Console.
Select the store you would like to enable for SAML authentication and then click Manage Authentication Methods on the right-side pane.
Record the store name in the first column. You enter this name later.

Select the checkbox next to SAML Authentication.
Choose Identity Provider from the drop-down list.

Populate the Address field as shown, replacing the URL with the Location value from the SSO section of the IdP metadata that corresponds to the HTTP-POST binding method.


If you haven't already, download the SAML signing certificate from the VeridiumID administration console (Settings -> SAML Configuration -> Download IDP Signing Certificate) and save it to a suitable place, such as the NetScaler desktop, where you can access it.

For StoreFront use, rename idp-signing.crt to idp-signing.cer (only the file extension changes).
Make sure the certificate is in X.509 PEM format and readable before importing it into StoreFront.
The certificate must contain:
-----BEGIN CERTIFICATE-----
<CERTIFICATE CONTENT>
-----END CERTIFICATE-----
In the Identity Provider dialog box Signing Certificates pane, click Import... and follow the prompts to import the SAML signing certificate.
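To check the certificate before the import step above, the following PowerShell function confirms that the file is a single readable PEM certificate, checks its validity dates, prints a SHA-256 fingerprint, and writes the .cer copy. It is an added example, not part of the Veridium or Citrix documentation; the function name, the example path and the 30-day warning window are assumptions.

```powershell
function Test-IdpSigningCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,  # assumed location, e.g. C:\Temp\idp-signing.crt
        [int] $WarnDays = 30                             # assumed warning window before expiry
    )

    # This example requires exactly one PEM block; a DER file or a bundle fails here.
    $text    = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----'
    $blocks  = [regex]::Matches($text, $pattern)
    if ($blocks.Count -ne 1) {
        throw "Expected exactly one PEM certificate block in '$Path', found $($blocks.Count)."
    }

    # Decode the base64 body to DER and let .NET parse it; a corrupt file throws here.
    $der  = [Convert]::FromBase64String(($blocks[0].Groups['b64'].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # Reject a certificate that is not yet valid or already expired; warn when expiry is near.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    if ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); plan the IdP certificate rollover."
    }

    # SHA-256 fingerprint of the DER bytes, to compare with a value obtained from the IdP administrator.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ':'
    $sha.Dispose()

    # Same content with the .cer extension, as the rename step requires.
    $cerPath = [System.IO.Path]::ChangeExtension($Path, '.cer')
    Copy-Item -LiteralPath $Path -Destination $cerPath -Force

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
        Sha256       = $fingerprint
        CerPath      = $cerPath
    }
}

# Usage: Test-IdpSigningCertificate -Path 'C:\Temp\idp-signing.crt'
```

StoreFront accepts SAML assertions signed by whatever certificate is imported here, so confirming the fingerprint over a separate channel before importing is worth the extra step.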
Collect Metadata from StoreFront
Procedure:
Using a browser, navigate to this location: https://**storefront-server-fqdn**/Citrix/**StoreNamefromStep2Above**Auth/SamlForms/ServiceProvider/Metadata.
Depending on the browser configuration, one of the following happens:
The file downloads to your desktop Downloads folder.
The webpage displays the metadata (XML). In this case, copy the text to a text file and save it for later use.
After downloading the metadata file from StoreFront, make sure it has the file extension .xml.
Add Storefront as a service provider
Procedure:
In the Veridium Dashboard, navigate to Applications.
Click the “Add SAML app” button.
Enter a 'Service provider name'.
For “Metadata Upload Type” choose “file”
Click into 'Metadata File' and browse to the Storefront metadata file saved earlier. (Or drag and drop the metadata file saved earlier into this field).
For 'NameID attribute', select userPrincipalName.
Under "Attributes", make sure sessionid is added to the list.
Click Save.

On the StoreFront Delivery Controller, which in most cases is a separate server, open PowerShell as a different user, using a Citrix Studio administrator account.
Execute:
Get-BrokerSite → If this returns an error, you are not connected to a Delivery Controller. If there is no error, proceed with the next commands:
asnp Citrix*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
IMPORTANT:
These last two commands must be executed on all Delivery Controllers.