Citrix Federated Authentication Service (SAML) 2006

Last Modified: Jul 1, 2020 @ 5:58 am


This article applies to Federated Authentication Service (FAS) versions 2006, 1912 LTSR CU1, 7.15.6000 (LTSR), and all other versions 7.9 and newer.


Citrix Federated Authentication Service (FAS) enables users to log in to Citrix Gateway and Citrix StoreFront using SAML authentication.

With SAML, Citrix Gateway and StoreFront do not have access to the user’s password and thus cannot perform single sign-on to the VDA. FAS works around this limitation by issuing certificates that can be used to log on to the VDA.

  • StoreFront asks Citrix Federated Authentication Service (FAS) to use a Microsoft Certificate Authority to issue Smart Card certificates on behalf of users.
  • The certificates are stored on the FAS server.
  • The VDA requests the user’s certificate from FAS so it can complete the VDA Windows logon process.

FAS can be used for any authentication scenario where the user’s password is not provided.


  • Microsoft Certification Authority (CA) in Enterprise mode.
    • When configuring FAS you tell it what CA server to use.
    • You can build a new CA server just for FAS.
    • You can install CA on the FAS server.
  • Domain Controllers must have Domain Controller certificates. See CTX218941 FAS – Request not supported.
    • The certificates on the Domain Controllers must support smart card authentication. Certificates created using the Microsoft CA certificate template named Domain Controller Authentication support smart cards. Manually created Domain Controller certificates might not work. See CTX270737 for the Domain Controller certificate requirements.

  • Citrix Virtual Apps and Desktops or XenApp/XenDesktop 7.9 or newer
  • StoreFront 3.6 or newer
  • NetScaler Gateway or Citrix Gateway.
    • StoreFront 3.9 and newer also support SAML authentication natively without Citrix ADC.
  • SAML is web-based authentication and thus requires a browser.
    • SAML authentication might work in the newest builds of Workspace app and Citrix ADC 12.1 (and newer) if you configure nFactor. However, nFactor (Authentication Virtual Server aka AAA) requires ADC Advanced Edition or ADC Premium Edition.

Configuration overview:

  1. Build one or more FAS servers.
    • For security reasons, FAS should be its own server and not installed on a Delivery Controller.
  2. Upload Certificate Templates to Active Directory and configure a CA server to issue certificates using the new templates.
    • One of the Certificate Templates is for Smart Card logon to Citrix VDA.
    • The other two Certificate Templates are to authorize FAS as a certificate registration authority.
    • The registration authority certificate does not renew automatically so be prepared to renew it manually every two years. For details, see Renew registration authority certificates at Citrix Docs.
  3. Install the Citrix FAS group policy .admx template into PolicyDefinitions.
  4. Create a group policy object (GPO) and configure the GPO with the addresses of the FAS servers.
    • The GPO must apply to FAS servers, StoreFront servers, and every VDA. It does not need to apply to Delivery Controllers, but there’s no harm in applying it to the Delivery Controllers.
  5. Authorize FAS to request certificates from a Microsoft CA server.
  6. Configure FAS Rules to permit StoreFront servers to request FAS to generate certificates for users and permit VDA machines to retrieve the certificates from FAS.
  7. Configure StoreFront to use FAS for VDA single sign-on.


From Citrix CTX225721 Federated Authentication Service High Availability and Scalability: you can build multiple FAS servers. Enter all FAS server FQDNs in the Group Policy. StoreFront will then use a hashing algorithm on the username to select a FAS server.

  1. If you have fewer than 10K users, one FAS server with 4 vCPUs (2.5 GHz) should be sufficient.
  2. You will require a minimum of one FAS server (with 8 vCPUs) per 25,000 users if all users expect to be able to log on under cold start conditions (no keys or certificates cached) within 60-90 minutes.
  3. A single FAS server can handle greater than 50K users under warm start conditions (keys and certificates pre-cached).
  4. Plan one reserve FAS server for every four FAS servers for “Day 1” cold start (users get new keys/certificates) and disaster recovery scenarios.
  5. Split the FAS Certificate Authority from the Certificate Authority that performs other tasks, for both security and scalability purposes.

Michael Shuster explains the Group Policy configuration for FAS in multiple datacenters at HowTo: Active-Active Multi-Datacenter Citrix FAS.

Also see the Citrix Federated Authentication Service Scalability whitepaper.

Federated Authentication Service Versions

The most recent Federated Authentication Service Current Release is version 2006.

For LTSR versions of Citrix Virtual Apps and Desktops (CVAD) and StoreFront, install the version of FAS that comes with the CVAD LTSR version.

Install/Upgrade Federated Authentication Service

The service should be installed on a secure, standalone server that does not have any other Citrix components installed. The FAS server stores user authentication keys, and thus security is paramount.

  1. On the Federated Authentication Service server, go to the Citrix Virtual Apps and Desktops, or XenDesktop 7.9, or newer ISO, and run AutoSelect.exe.
  2. In Citrix Virtual Apps and Desktops, or XenDesktop 7.13 and newer, in the lower half of the window, click Federated Authentication Service.

    1. Or in XenDesktop 7.9 through 7.12, on the bottom right, click Federated Authentication Service.
  3. In the Licensing Agreement page, select I have read, understand, and accept the terms of the license agreement, and click Next.
  4. In the Core Components page, click Next.
  5. In the Firewall page, click Next.
  6. In the Summary page, click Install.
  7. The installer might require a restart. Let it restart, and log in again.

    1. After logging in, if you see a Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window, don’t click anything in the window.
    2. Go to the Citrix_Virtual_Apps_and_Desktops_7_2006.iso file and mount it.
    3. Go back to the Locate ‘Citrix Virtual Apps and Desktops 7’ installation media window.
    4. On the left, expand This PC, and click the DVD Drive.
    5. Click Select Folder.
    6. Installation will resume.
  8. In the Finish Installation page, click Finish.

FAS Group Policy

Configure a Group Policy that instructs StoreFront servers and VDAs on how to locate the FAS servers.

  1. On the Federated Authentication Service server, browse to C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Copy the files and folder.
  2. Go to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions and paste the files and folder. If PolicyDefinitions doesn’t exist in SYSVOL, then copy them to C:\Windows\PolicyDefinitions instead.
  3. Edit a GPO that applies to all StoreFront servers, all Federated Authentication Service servers, and all VDAs.
  4. Navigate to Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication.
  5. Edit the setting Federated Authentication Service.
  6. Enable the setting and click Show.
  7. Enter the FQDN of the Federated Authentication Service server. You can add more than one Federated Authentication Service server.
  8. Click OK twice.
  9. On the Federated Authentication Service server, and VDAs, run gpupdate.
  10. On the FAS server, and on VDAs, look in the registry at HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses. Make sure this key and value exist. The number one reason FAS doesn’t work is that this key is missing from VDAs. The FAS Address GPO must apply to VDAs too.
  11. If the VDAs and Users are in different domains, see CTX220497 Users from one AD Domain not able to get FAS user certificates from another trusted domain: add the Citrix StoreFront Servers, FAS server and VDA servers to the Windows Authorization Access Group in the users’ domain.
  12. By default, the VDAs will verify the certificates aren’t revoked by downloading the Certificate Revocation List. You can disable CRL checking by configuring HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors (DWORD) = 1 as detailed at CTX217150 Unable to login using the FAS Authentication – Getting Stuck on Please wait for local session manager.
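
The registry checks from steps 10 and 12, as an added example that is not part of the original article; the same check applies to StoreFront servers, which also receive the GPO. The function name Get-FasPolicyState and the machine names are hypothetical, and the script assumes that every value under the Addresses key holds one FAS server address. It also reports whether CRL checking has been relaxed, since that weakens revocation enforcement on the machine.

```powershell
# Added example (not from the original article): report whether the FAS address
# GPO and the optional CRL override described above are present on a machine.
function Get-FasPolicyState {
    param(
        # Machines to check over PowerShell remoting; leave empty for the local machine.
        [string[]] $ComputerName
    )

    $check = {
        $policyKey = 'HKLM:\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses'
        $kerbKey   = 'HKLM:\System\CurrentControlSet\Control\LSA\Kerberos\Parameters'
        $crlName   = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

        # Assumption: every value under the policy key is one FAS server address.
        $addresses = @()
        if (Test-Path -Path $policyKey) {
            $key = Get-Item -Path $policyKey
            $addresses = @($key.GetValueNames() |
                ForEach-Object { [string] $key.GetValue($_) } |
                Where-Object { $_.Trim() })
        }

        # An address that does not resolve in DNS is as bad as a missing one.
        $unresolved = @($addresses | Where-Object {
            try { [void] [System.Net.Dns]::GetHostAddresses($_); $false } catch { $true }
        })

        # Value 1 means the machine ignores "revocation unknown" errors (step 12).
        $crl = (Get-ItemProperty -Path $kerbKey -Name $crlName -ErrorAction SilentlyContinue).$crlName

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            PolicyKeyPresent    = (Test-Path -Path $policyKey)
            FasAddresses        = $addresses
            UnresolvedAddresses = $unresolved
            CrlCheckRelaxed     = ($crl -eq 1)
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check
    } else {
        & $check
    }
}

# Local check. To check VDAs remotely: Get-FasPolicyState -ComputerName vda01, vda02
# (vda01 and vda02 are hypothetical machine names).
Get-FasPolicyState | Format-List
```

A machine that reports PolicyKeyPresent as False, or an empty FasAddresses list, has not received the FAS address GPO.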

FAS 1909+ Configuration

If you prefer to script the FAS configuration, then see Citrix Blog Post Automating the Citrix Federated Authentication Service with PowerShell.

FAS 1909 and newer have a different configuration GUI than FAS 1906 and older.

Here are 1909 and newer GUI configuration instructions:

  1. Log into the FAS server as a Domain Administrator or Enterprise Administrator that can upload certificate templates to Active Directory.
  2. On the FAS server, from the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
  3. In the tab named Initial Setup, in the row named Deploy certificate templates, click Deploy.
  4. Click OK to deploy the templates to Active Directory.
  5. In the row named Set up a certificate authority, click Publish.
  6. Select an Enterprise Certificate Authority that will issue the FAS certificates and click OK.
  7. In the row named Authorize this service, click Authorize.
  8. Select a CA that will issue this FAS server a Registration Authority certificate. Later, you will need to open the Certificate Authority console on the chosen server. Click OK.
  9. The row named Authorize this service has a new icon indicating it is waiting on the registration authority certificate to be approved.
  10. Open the Certification Authority console and point it to the CA server. In the Pending Requests node, find the certificate request for the FAS server and Issue it.
  11. Back in the FAS Administration Console, on the top right, click Refresh.
  12. The row named Authorize this service should now have a green check mark.
  13. In the row named Create a rule, click Create.
  14. In the Rule name page, leave it set to Create the default rule and click Next.
  15. In the Template page, click Next.
  16. In the Certificate authority page, select the CA that has the issuing templates configured and click Next. You can select more than one CA server.
  17. In the In-session use page, click Next.
  18. In the Access control page, click the link to Manage StoreFront access permissions.
  19. In the Permission for StoreFront Servers page, add your StoreFront servers and give them the permission Assert Identity. Click OK.
  20. Back in the Create Rule wizard, click Next.
  21. In the Restrictions page, you can optionally reduce the VDAs that are authorized to use FAS. Click Next.
  22. In the Summary page, click Create.
  23. The FAS Registration Authority certificate expires in two years. You’ll need to manually renew the FAS Registration Authority certificate before it expires. Put a notification on your calendar. For details, see Renew registration authority certificates at Citrix Docs.
    • In the row named Authorize this service, you can click the link for authorization certificate to see when it expires. Before expiration, use the Reauthorize button on the right of the same row.
  24. Jump ahead to Certificate Templates.

FAS 1906 and older Configuration

If you prefer to script the FAS configuration, then see Citrix Blog Post Automating the Citrix Federated Authentication Service with PowerShell.

Here are GUI configuration instructions for FAS 1906 and older:

  1. Log into the FAS server as a Domain Administrator or Enterprise Administrator that can upload certificate templates to Active Directory.
  2. On the FAS server, from the Start Menu, run Citrix Federated Authentication Service as administrator. Make sure you run it elevated.
  3. The Federated Authentication Service FQDN should already be in the list (from group policy). Click OK.
  4. In Step 1: Deploy certificate templates, click Start.
  5. Click OK to add certificate templates to Active Directory. Sufficient permission is required.
  6. In Step 2: Setup Certificate Authority, click Start.
  7. Select a Certificate Authority to issue the certificates, and click OK.
  8. In Step 3: Authorize this Service, click Start.

    • Step 3 automatically submits an online request for the Registration Authority certificate to the CA and stores the non-exportable private key in the standard Microsoft Enhanced RSA and AES Cryptographic Provider.
    • Alternatively, you can submit the certificate request manually, and store the private key in TPM or HSM as detailed at Federated Authentication Service private key protection at Citrix Docs. When running New-FasAuthorizationCertificateRequest, the -UseTPM switch is optional.
  9. Select the issuing Certificate Authority, and click OK.

    • Authorize this Service only lets you select one Certificate Authority. If you want to load balance certificate requests against multiple Certificate Authorities, then see Set up multiple CA servers for use in FAS at Citrix Docs.
      Set-FasCertificateDefinition -Name default_Definition -CertificateAuthorities @("ca1.corp.local\CA1.corp.local", "ca2.corp.local\ca2.corp.local")
  10. Step 3 is now yellow.
  11. On the Microsoft CA server, go to the Certification Authority Console > Pending Requests. Find the pending request, and Issue it.
  12. In a minute or two, Federated Authentication Service will recognize the issued certificate and Step 3 will turn green.
    • If it doesn’t turn green, then there might be a private hotfix. See David Lloyd at Citrix Discussions.
    • Another user at XenDesktop 7.9 FAS at Citrix Discussions had to bump up the Validity Period of the Citrix_RegistrationAuthority_ManualAuthorization template to 2 days before it would authorize.
  13. After FAS authorization with the CA, in the FAS Configuration tool, switch to the User Rules tab.
  14. Use the Certificate Authority drop-down to select the issuing Certificate Authority.
  15. Use the Certificate Template drop-down to select the Citrix_SmartcardLogon template.
  16. Click Edit next to List of StoreFront servers that can use this rule.
  17. Remove Domain Computers from the top half, and instead add your StoreFront servers. You could add an Active Directory security group instead of individual StoreFront servers.
  18. On the bottom half, make sure Assert Identity is Allowed. Click OK.
  19. By default, all users and all VDAs are allowed. You can click the other two Edit boxes to change this.
  20. When done, click Apply.
  21. Click OK when you see Rule updated successfully.
  22. The FAS Registration Authority certificate expires in two years. You’ll need to manually renew the FAS Registration Authority certificate before it expires. Put a notification on your calendar. For details, see Renew registration authority certificates at Citrix Docs.
    • To see the expiration date of the authorization certificate, run the following PowerShell command after running add-pssnapin Citrix.Authentication.FederatedAuthenticationService.V1:
      Get-FasAuthorizationCertificate -FullCertInfo -address myFASServer

Certificate Templates

The deployed FAS Certificate Templates have Autoenroll enabled. You might want to disable that.

  1. Open the Certificate Templates console. One option is to open the Certification Authority console, right-click Certificate Templates, and then click Manage.
  2. There should be three templates with names starting with Citrix_. Open the properties on each one.
  3. On the Security tab, highlight each group assigned to the template.
  4. On the bottom half, uncheck the box in the Autoenroll row but leave Enroll checked. Perform this step for every group assigned to this template. Then click OK.
  5. Repeat disabling autoenroll for the other two templates.

The Registration Authority certificate templates are permitted to all Domain Computers. You might want to change that.

  1. Open the Properties of one of the Citrix_RegistrationAuthority certificate templates.
  2. On the Security tab, remove Domain Computers.
  3. Add your FAS servers and enable the Enroll permission.
  4. Repeat for the other Registration Authority certificate.

To further restrict who can be issued certificates, go to your Certificate Authority’s Properties and use the Enrollment Agents tab to restrict enrollment agents.

StoreFront Configuration

Once FAS is enabled on a StoreFront store, it applies to all connections through that store, including password-based authentications. One option is to create a new store just for FAS users.

  1. Check the registry at HKLM\Software\Policies\Citrix\Authentication\UserCredentialService\Addresses to confirm that the group policy with FAS addresses has been applied to the StoreFront servers.
  2. On the StoreFront 3.6 or newer server, run the following elevated PowerShell command:
    & "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
  3. Run the following commands. Adjust the store name as required.
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
  4. If you have multiple StoreFront servers, Propagate Changes.
  5. On a Citrix Delivery Controller, run the following commands:
    asnp citrix.*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

If you ever need to disable FAS on StoreFront, run the following commands. Adjust the store name as required.

$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""

SAML Configuration


SAML flows like this:

  1. (Optional) User goes to the web application aka Service Provider (e.g. Citrix Gateway).
    • The Service Provider (SP) redirects the user’s browser to the Identity Provider’s (IdP) SAML Single Sign-on (SSO) URL and includes an authentication request in the Redirect. The IdP SSO URL might be different for each Service Provider.
    • The Authentication Request from the Service Provider includes a Service Provider Entity ID. The IdP matches the SP Entity ID with an entry in its database so it knows which SP is making the authentication request. The Entity ID must match on both the SP and the IdP.
    • If the Authentication Request is signed by the Service Provider’s certificate private key, then the IdP will verify the signature using the Service Provider’s certificate public key. In this scenario, the Service Provider’s certificate (without private key) must be loaded into the IdP.
  2. The user authenticates to the IdP, typically using Multi-factor Authentication.
    • If the user was redirected from the SP, then the IdP already knows which SP to authenticate with.
    • If the user went directly to the IdP, then the user typically needs to click an icon representing the web application (Service Provider).
  3. IdP generates a SAML Assertion containing the user’s userPrincipalName or email address.
    • Configure the IdP to include the user’s UPN or email address in the NameID field of the assertion. SAMAccountName won’t work with Citrix FAS.
    • The SAML Assertion also includes the Service Provider’s Entity ID. The ID in the Assertion must match the ID configured on the SP.
    • IdP signs the SAML Assertion using an IdP certificate private key.
    • IdP has a configuration for the SP that includes a SAML Assertion Consumer Service (ACS) URL. IdP redirects the user’s browser to the SP’s ACS URL and POSTs the SAML Assertion.
      • The ACS URL on Citrix Gateway ends in /cgi/samlauth
  4. SP uses the IdP certificate’s public key to verify the signature on the SAML Assertion.
    • The IdP’s certificate (without private key) is installed on the Citrix ADC so it can verify the Assertion’s signature.
  5. SP extracts the user’s userPrincipalName from the Assertion and uses the UPN for Single Sign-on to StoreFront and the rest of the Citrix components.
    • Note that the SP does not have access to the user’s password, which is why we need Citrix FAS to generate certificates for each user.
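
The matching rules in the flow above (ACS URL ending in /cgi/samlauth, Entity ID equal on both sides, NameID in UPN or email form), as an added example that is not part of the original article. The function name Test-SamlAssertionForFas, the hosts and the user are hypothetical, the sample Response is constructed, and the XML signature is not verified here because the SP does that with the IdP certificate.

```powershell
# Added example (not from the original article). Structural checks only: the XML
# signature is NOT verified; Citrix ADC or StoreFront does that with the IdP certificate.
function Test-SamlAssertionForFas {
    param(
        [Parameter(Mandatory = $true)] [string] $ResponseXml,      # decoded SAML Response XML
        [Parameter(Mandatory = $true)] [string] $ExpectedEntityId, # Entity ID / Issuer Name set on the SP
        [string] $AcsPath = '/cgi/samlauth'                        # ACS path on Citrix Gateway
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never fetch external entities from untrusted XML
    $doc.LoadXml($ResponseXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $findings = @()

    # The IdP must POST the assertion to the SP's ACS URL.
    $destination = $doc.DocumentElement.GetAttribute('Destination')
    if ($destination -notlike "*$AcsPath") {
        $findings += "Destination '$destination' does not end in $AcsPath"
    }

    # The Entity ID in the assertion must match the ID configured on the SP exactly.
    $audiences = @($doc.SelectNodes('//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
        ForEach-Object { $_.InnerText.Trim() })
    if ($audiences -cnotcontains $ExpectedEntityId) {
        $findings += "Audience does not match the SP Entity ID '$ExpectedEntityId'"
    }

    # FAS needs a UPN or email address in NameID; sAMAccountName does not work.
    $nameIdNode = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    $nameId = if ($nameIdNode) { $nameIdNode.InnerText.Trim() } else { '' }
    if ($nameId -notmatch '^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$') {
        $findings += "NameID '$nameId' is not in UPN or email form"
    }

    # Report the signature algorithm so it can be compared with the SP's setting.
    $algorithms = @($doc.SelectNodes('//ds:Signature/ds:SignedInfo/ds:SignatureMethod', $ns) |
        ForEach-Object { $_.GetAttribute('Algorithm') })
    if ($algorithms.Count -eq 0) { $findings += 'No ds:Signature element found' }
    if ($algorithms -like '*sha1') { $findings += 'Signature uses SHA1; prefer SHA256 on both IdP and SP' }

    [pscustomobject]@{
        Destination         = $destination
        Audiences           = $audiences
        NameId              = $nameId
        SignatureAlgorithms = $algorithms
        Passed              = ($findings.Count -eq 0)
        Findings            = $findings
    }
}

# Constructed sample Response (hypothetical hosts and user; signature value omitted).
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                Destination="https://gateway.corp.example/cgi/samlauth">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>jsmith@corp.example</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://gateway.corp.example</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@

$entityId = 'https://gateway.corp.example'
Test-SamlAssertionForFas -ResponseXml $sample -ExpectedEntityId $entityId | Format-List

# Same response with a sAMAccountName-style NameID: reported as a finding.
$bad = $sample.Replace('jsmith@corp.example', 'CORP\jsmith')
Test-SamlAssertionForFas -ResponseXml $bad -ExpectedEntityId $entityId | Format-List
```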

Configure the SAML IdP

You typically start the configuration on the Identity Provider (IdP). Every IdP has unique instructions. Search Google for your IdP and NetScaler and you might find an IdP-specific guide. After IdP configuration, you download the IdP’s certificate and copy the IdP’s SSO URL so you can configure them on Citrix ADC.

Azure AD as SAML IdP

  1. In Azure Portal, go to Azure Active Directory.
  2. On the left, click Enterprise applications.
  3. In the new blade that appears, on the All applications page, on the right, click New application.
  4. In the All Categories view of the gallery, on the top right, click Non-gallery application.
  5. Give the application a descriptive name. Azure AD shows this name in the myapps portal. Click Add.
  6. After the application is created, on the left, in the Manage section, click Single sign-on.
  7. On the right, click the big button for SAML.
  8. In section 1 labelled Basic SAML Configuration, click the pencil icon.
  9. In the Identifier (Entity ID) field, enter an identifier in URI format. Usually it matches the FQDN of the Citrix Gateway and can be entered in format. You’ll later need to specify the exact same Identifier on the Citrix ADC.
  10. In the Reply URL (Assertion Consumer Service URL) field, enter a URL similar to The path must be /cgi/samlauth. The scheme should be https. And the FQDN is your Citrix Gateway’s FQDN.
  11. Click Save. Then you might have to click the x on the top right to make it go away.
  12. In section 2 labelled User Attributes & Claims, notice that it defaults to sending the userprincipalname. You can click the pencil to change the attribute used for the Name identifier value. Whatever value you send will need to match the userPrincipalNames of local Active Directory accounts (aka shadow accounts).

  13. In section 3 labelled SAML Signing Certificate, click the Download link in the Certificate (Base64) line.
  14. Citrix ADC 12.1 and newer support SAML metadata so feel free to copy the App Federation Metadata Url field.
  15. If you are running NetScaler 12.0 or older, then you will need to copy the Login URL field from section 4 labelled Set up
  16. On the left, under Manage, click Users and groups.
  17. Use the normal process to assign Azure AD users and groups to this application. Click Assign.
  18. Jump to the section named Citrix ADC SAML Configuration.


The screenshots in this section use ADFS as an example IdP. Your IdP will be different.

  1. In your SAML IdP, create a Relying Party Trust (aka service provider trust) or new Application.
  2. Since we’re configuring the IdP before we configure Citrix ADC and thus don’t have access to the SP metadata, select the option to Enter data about the relying party manually.
  3. For the Assertion Consumer Service URL (aka relying party service URL), enter the URL to your Citrix Gateway with /cgi/samlauth appended to the end (e.g.
  4. Enter a Relying party trust identifier in URI format. You must specify the same identifier (Issuer Name) on the Citrix ADC as detailed in the next section.
  5. Configure the SAML IdP to send email address or User-Principal-name as Name ID. Citrix ADC receives the Name ID and sends it to StoreFront. StoreFront will look in Active Directory for an account with userPrincipalName that matches the Name ID.
  6. Citrix ADC will sign the authentication requests it sends to the IdP. On the Citrix ADC, you will soon configure the Citrix ADC SAML SP signing certificate with private key that signs the authentication requests that are sent to the IdP. In your SAML IdP, import the same Citrix ADC SAML SP signing certificate but without the private key.
  7. Copy the SAML authentication URL (aka Token Issuance URL) from your SAML IdP. You’ll need to enter this same URL on your Citrix ADC later.
  8. Export the IdP Token-signing certificate from your SAML IdP. The IdP could be ADFS, Okta, Ping, etc.

Citrix ADC SAML Configuration

  1. Instructions for Citrix ADC 13.0, Citrix ADC 12.1, NetScaler 12.0, and NetScaler 11.1 are essentially the same.
    • Citrix ADC 12.1 and newer support SAML Metadata while older versions of NetScaler do not support SAML Metadata.
    • NetScaler 11 is very similar, except Certificates are in a different place in the NetScaler menu tree.
  2. Workspace app support – If you bind a SAML Authentication Policy directly to the Gateway Virtual Server (no nFactor/AAA), then Workspace app and Gateway VPN plug-in won’t work. To support SAML with Workspace app and Gateway VPN plug-in, configure nFactor (Authentication Virtual Server with Authentication Profile) instead of directly on the Gateway Virtual Server. Note: nFactor authentication is only available with ADC Advanced Edition and ADC Premium Edition.
  3. On Citrix ADC, import the IdP SAML token-signing certificate (without private key) under Traffic Management > SSL > Certificates > CA Certificates. Citrix ADC uses this certificate to verify the signature of the SAML assertion from the IdP.
    Note: when you later create the SAML Action on Citrix ADC, there’s a place to add a SAML certificate. Unfortunately, the SAML Action is trying to import the wrong type of certificate since it wants the private key, which you don’t have access to. If you import the certificate here under CA Certificates, then there’s no prompt for private key.

  4. SAML IdP certificates are shown in the Unknown Certificates node.
  5. If you want ADC to sign the authentication requests it sends to the IdP, then do the following:
    1. Move up two nodes to Server Certificates and Import or create a SP SAML signing certificate with private key. This can be the same certificate used on Citrix Gateway. Or a more common practice is to create a self-signed certificate.

    2. You’ll also need to import this SAML SP signing certificate (without private key) to your SAML IdP so it can verify the SAML authentication request signature from the Citrix ADC.
  6. Go to Citrix Gateway > Policies > Authentication > SAML. The quickest way to get here is to enter SAML in the search box on top of the menu.
  7. On the right, switch to the tab labelled Servers, and click Add.
  8. In the Name field, give the SAML Action a name that indicates the IdP’s name.
  9. If your Citrix ADC is 12.1 or newer, then get the SAML Metadata URL (or file) from the IdP.

    1. In the SAML Server on Citrix ADC, in the SAML IDP Metadata URL field, paste in the URL.
    2. Scroll down and click Create.
    3. Edit the SAML Server again.
    4. If you uncheck the box next to Import Metadata, you can see the fields that it filled in for you. Unfortunately, other fields must be configured manually as detailed soon.
  10. Configure the SAML Server based on the data provided by your IdP. If you imported Metadata, then some of the fields might already be populated.
    1. For IDP Certificate Name, select the SAML IdP’s certificate that was exported from the SAML IdP and imported to Citrix ADC. Citrix ADC will use this IdP certificate to verify SAML assertions from the IdP.
      Note: the Add button here does not work correctly. Instead, if you need to import the SAML IDP certificate, then do it at the CA Certificates node as detailed earlier in this section.
    2. For Redirect URL, enter the URL to the SAML IdP’s authentication page. Citrix Gateway will redirect users to this URL. For ADFS, enter your ADFS URL appended with /adfs/ls (e.g. For other IdP’s, get the URL from your IdP.
    3. For User Field, enter the name of the SAML Claim from the IdP that contains the value that matches the userPrincipalName of your local Active Directory users (aka shadow accounts). This defaults to the NameID field, but you might have to use a different claim, like emailaddress.
    4. Optionally, for Signing Certificate Name, select the SAML SP certificate (with private key) that Citrix ADC will use to sign authentication requests to the IdP. This same certificate (without private key) must be imported to the IdP, so the IdP can verify the authentication request signature. This field usually isn’t needed by most IdPs.
    5. In the Issuer Name field, enter the ID that the SAML IdP is expecting for the Relying Party. This Issuer Name must match the name you configured on the IdP’s Relying Party (Service Provider) Trust. Azure AD calls this the Identifier or Entity ID.
    6. Scroll down and click More.
    7. Citrix ADC defaults to SHA1. You might have to change the Signature Algorithm and Digest Method to SHA256.
    8. Review the other settings as needed by your IdP. Click Create when done.
  11. On the right, switch to the tab labelled Policies, and click Add.

    1. Give the policy a name, select the SAML Server, and enter ns_true for the expression. Click Create.
  12. Create Citrix Gateway Session Policies if you haven’t already.
  13. Edit your Session Policy/Profile.

    1. On the tab labelled Published Applications, make sure Single Sign-on Domain is not configured. Repeat this for your other Session Policies/Profiles.
  14. Create a Citrix Gateway Virtual Server if you haven’t already.
  15. Edit your Citrix Gateway Virtual Server.
  16. Scroll down to the Basic Authentication section, and add a policy by clicking the plus icon.
  17. Change the type to SAML and click Continue.
  18. Select your SAML policy and bind it. This is the only authentication policy you need. You can remove all other authentication policies.
  19. Next step: configure StoreFront for SAML Citrix Gateway.

Configure StoreFront for SAML Citrix Gateway

  1. In StoreFront 3.6 or newer, in the StoreFront Console, go to Stores, right-click the store, and click Manage Authentication Methods.
  2. Make sure Pass-through from NetScaler Gateway is selected.
  3. Click the bottom gear icon on the right, and click Configure Delegated Authentication.
  4. Check the box next to Fully delegate credential validation to NetScaler Gateway, and click OK twice.
  5. In StoreFront, add a NetScaler Gateway object that matches the FQDN of the Citrix Gateway Virtual Server that has SAML enabled.
  6. On the Authentication Settings page, make sure you configure a Callback URL. It won’t work without it.
  7. Then assign (Configure Remote Access Settings) the Gateway to your Store.

  8. Next step: create Active Directory Shadow Accounts

Native SAML on StoreFront without Citrix ADC

StoreFront 3.9 and newer have native support for SAML Authentication without Citrix ADC. Notes:

  • SAML overrides Explicit and Pass-through authentication.
  • SAML in StoreFront without Citrix ADC seems to work in Workspace app and Receiver Self-Service for Windows.

For an example configuration using StoreFront PowerShell commands and SAML metadata, see CTX232042 Configure StoreFront with OKTA.

To configure native SAML in StoreFront 3.9 or newer:

  1. Export the signing certificate from your SAML IdP. The IdP could be ADFS, Okta, Ping Identity, etc.
  2. In StoreFront 3.9 or newer console, right-click a Store, and click Manage Authentication Methods.
  3. Check the box next to SAML Authentication. If you don’t see this option (because you upgraded from an older version), click the Advanced button on the bottom of the window, and install the authentication method.
  4. On the right, click the gear icon for SAML, and click Identity Provider.
  5. Change the SAML Binding to the method your IdP expects.
  6. Enter the IdP token issuance endpoint URL. For example, in ADFS, the path is /adfs/ls.
  7. Click Import.
  8. Browse to the signing certificate exported from your IdP, and click Open.
  9. Then click OK to close the Identity Provider window.
  10. On the right, in the SAML Authentication row, click the gear icon, and then click Service Provider.
  11. Click the first Browse button.
  12. Give the Signing certificate a name, and save it somewhere.
  13. Click the second Browse button.
  14. Give the Encryption certificate a name, and save it somewhere.
  15. Copy the Service Provider Identifier. Or you can change it to your desired value. Then click OK.
  16. In your IdP (e.g. ADFS), create a Relying Party Trust.
  17. Import the Encryption certificate that you exported from StoreFront.
  18. Enable SAML 2.0.
  19. For the Assertion Consumer Service (ACS) path, enter something similar to https://<storefront host>/Citrix/StoreAuth/SamlForms/AssertionConsumerService. The hostname portion of the URL is equivalent to your StoreFront Base URL. /Citrix/StoreAuth matches your Store name with Auth on the end. The rest of the path must be /SamlForms/AssertionConsumerService. You can get this ACS value by looking in the SAML metadata at the bottom of https://<storefront host>/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata.

  20. For the Relying party trust identifier, enter the identifier you copied from the Service Provider window in StoreFront.
  21. Configure the Claim Rules to send the user’s email address or userPrincipalName as Name ID.
  22. Edit the Relying Party Trust. Import the Signing certificate that you exported from StoreFront.

  23. Create Active Directory Shadow Accounts. Federated users must be userPrincipalName mapped to local Active Directory accounts.
  24. If you point your browser to https://<storefront-host>/Citrix/<storename>Auth/SamlTest, it should perform a SAML Login, and then show you the assertion that was returned from the IdP. See Citrix CTX220639 How to configure SAML Authentication-Test Configuration.
  25. See Citrix CTX220682 Storefront SAML Troubleshooting Guide for event logs, SAML Metadata, Active Directory account mapping, Trust XML, etc.
  26. When you go to your Receiver for Web page, it should automatically redirect you to your IdP. After authentication, it should redirect you back to StoreFront and show you your icons.
  27. ADFS also works in Receiver 4.6 and newer, and Workspace app.
  28. When you logoff, it won’t let you log on again unless you close your browser and reopen it.

  29. To fix this problem, see CTP Sacha Thomet StoreFront – Allow relogin without browser close. Edit the file C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js, and add the following line:
    CTXS.allowReloginWithoutBrowserClose = true

  30. Now when you logoff, you’re given an option to log on again.
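To check offline what the IdP actually sent (the Name ID from step 21 and the signing certificate imported in step 8), the following PowerShell is an added example, not code from this article or from Citrix. The function name, the constructed sample response and the optional .cer path are assumptions; it only inspects the response and does not validate the XML signature.

```powershell
# Added example (not from the article): summarize a Base64-encoded SAMLResponse
# as posted to the StoreFront AssertionConsumerService (HTTP-POST binding).
# Inspection only: the XML signature is NOT validated here.

function Get-SamlResponseSummary {
    param(
        [Parameter(Mandatory = $true)] [string]$Base64Response,
        # Optional: the IdP signing certificate (.cer) that was imported into StoreFront.
        [string]$IdpSigningCertPath
    )

    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))

    # The response is untrusted input: parse with DTDs and external resolution disabled.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $stringReader = New-Object System.IO.StringReader -ArgumentList $xmlText
    $reader = [System.Xml.XmlReader]::Create($stringReader, $settings)
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($reader) } finally { $reader.Close() }

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $status    = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns)
    $issuer    = $doc.SelectSingleNode('//saml:Issuer', $ns)
    $nameId    = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    $encrypted = $doc.SelectSingleNode('//saml:EncryptedAssertion', $ns)
    $certNode  = $doc.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)

    # Compare the certificate embedded in the signature with the one StoreFront trusts.
    $certMatch = $null
    if ($certNode -and $IdpSigningCertPath) {
        $sentBytes = [Convert]::FromBase64String($certNode.InnerText)
        $sent = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$sentBytes)
        $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IdpSigningCertPath
        $certMatch = ($sent.Thumbprint -eq $expected.Thumbprint)
    }

    [pscustomobject]@{
        Status             = $status.Value
        Issuer             = $issuer.InnerText
        NameID             = $nameId.InnerText
        NameIDFormat       = $nameId.Format
        # StoreFront maps the Name ID to a userPrincipalName, so it should look like user@suffix.
        NameIDLooksLikeUpn = ($nameId.InnerText -match '^[^@\s]+@[^@\s]+$')
        # An encrypted assertion hides the Name ID; only the holder of the
        # StoreFront encryption certificate's private key can read it.
        AssertionEncrypted = [bool]$encrypted
        SigningCertMatches = $certMatch   # $null when no certificate was embedded or no path was given
    }
}

# Constructed sample response (unsigned, for illustration only).
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@corp.local</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
'@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Get-SamlResponseSummary -Base64Response $sampleB64
```

A Name ID that does not look like a UPN, or a SigningCertMatches value of False, points at the claim rule or the imported certificate rather than at StoreFront itself.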

Active Directory Shadow Accounts

To log in to Windows (Citrix VDA), every user must have an Active Directory account in a domain trusted by the VDA. For Federated Users, you typically need to create a shadow account for each Federated user in your local Active Directory. These Shadow accounts need a userPrincipalName that matches the SAML attribute (usually email address) provided by the SAML IdP.

If the email address provided by the SAML IdP does not match the UPN suffix for your domain, then do the following:

  1. Open Active Directory Domains and Trust.
  2. Right-click the top left node (not a domain node), and click Properties.
  3. In the UPN Suffixes tab, add a UPN suffix that matches the email suffix provided by the SAML IdP.
  4. When creating a shadow account in your Active Directory, the new UPN suffix is available in the drop-down list. Note that the pre-Windows 2000 logon name can’t conflict with any other user in the domain.
  5. The password for these Shadow accounts can be any random complex password since the Federated users never need the Shadow account’s password.
  6. If the shadow account is already created, edit the account, and on the Account tab, use the drop-down to select the new UPN suffix.
  7. Create a shadow account for every federated user. There are third party Identity Management tools that can automate this. Or get an export from the IdP and use PowerShell scripting to create the accounts.
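One way to script steps 3 through 7 with the ActiveDirectory module, as an added example that is not part of the original article. The OU, the Email column name and the sample rows are assumptions; the script checks the UPN suffix and the pre-Windows 2000 name before creating anything, and it runs with -WhatIf until you remove that switch.

```powershell
# Added example (not from the article): create FAS shadow accounts from an IdP export.
# Assumptions: the export has an Email column; the OU below is hypothetical.
Import-Module ActiveDirectory

$TargetOU = 'OU=ShadowAccounts,DC=corp,DC=local'   # hypothetical OU

# Constructed sample rows; in practice use: $rows = Import-Csv .\idp-export.csv
$rows = @'
Email
alice@partner.example
bob.o'neil@partner.example
carol@unknown-suffix.example
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, Base64-encoded. The fixed tail only guarantees
    # that the default AD complexity rule is met; nobody ever types this password.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $plain = [Convert]::ToBase64String($bytes) + 'aA1!'
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

# UPN suffixes usable in this forest: the added suffixes plus each domain's DNS name.
$forest = Get-ADForest
$validSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)

foreach ($row in $rows) {
    $upn = "$($row.Email)".Trim()

    # Reject anything that is not a plain user@suffix value before it reaches an AD filter.
    if ($upn -notmatch '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$') {
        Write-Warning "Skipping '$upn': not a plain user@suffix value"
        continue
    }

    $localPart, $suffix = $upn -split '@', 2
    if ($validSuffixes -notcontains $suffix) {
        Write-Warning "Skipping '$upn': add '$suffix' as a UPN suffix first"
        continue
    }

    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") {
        Write-Verbose "'$upn' already has an account"
        continue
    }

    # Pre-Windows 2000 logon name: 20 characters at most and unique in the domain.
    $sam = $localPart.Substring(0, [Math]::Min(20, $localPart.Length))
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping '$upn': pre-Windows 2000 name '$sam' is already taken"
        continue
    }

    # Remove -WhatIf to actually create the account.
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn `
        -Path $TargetOU -AccountPassword (New-RandomPassword) -Enabled $true `
        -Description 'FAS shadow account for federated user' -WhatIf
}
```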

Verify FAS

When FAS is enabled on StoreFront, every user that logs into StoreFront (local or remote) causes a user certificate to be created on the FAS server. You can see these user certificates by running the following PowerShell commands:

Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasUserCertificate -address fas01.corp.local

Citrix uses these certificates to logon to the VDA as the user. No password needed.

516 thoughts on “Citrix Federated Authentication Service (SAML) 2006”

  1. With Citrix Federated Authentication Service (SAML), can I permit external users (another domain) to automatically open their desktop, without opening a browser, at Windows logon? Thanks

    1. SAML is a web-based authentication method. The newest versions of Workspace app and Gateway support SAML without needing to open a browser.

      1. Thanks for the reply! Do you know of a link with this information? When you say “newest versions of Workspace app and Gateway”, does it mean XenDesktop 1808? NetScaler VPX 12?

          1. Thanks !
            So, I only need to configure SAML with the latest versions, ADC 12.1 and 1809, to permit users to launch the desktop automatically… Cool!
            With email discovery.
            I’ll go to read your web documents

          2. Workspace app won’t launch icons automatically. One option is to create a shortcut to SelfService.exe /qlaunch Mydesktop and put the shortcut in the Startup folder. It should then prompt the user for SAML credentials.

          3. Thanks a lot Carl you are the best
            I need to install and configure 1809 and adm 12.1 and later test the auto launch

      1. Carl, can you elaborate on that? I am seeing an issue with PingFederate as a SAML IdP trying to post the SAML assertion response back to the SAML SP (Storefront), but getting stuck at the SAML ACS URL, with “Completing authentication” showing on the screen.

  2. awesome Carl!
    Maybe you can help me on my particular issue – I am a Netscaler guy but not so much a Storefront/Xenapp guy.

    We have an Access setup with 2f auth (first user/pass – second radius), and we need to get radius removed – So I configured SAML instead on our test and enabled the Trust for delegation on the Netscaler Pass through auth. Logon to SF works fine but when starting an ica session I need to authenticate.
    I learned that SF does not have a password and so it can’t authenticate towards a backend server – the only solutions I found are FAS (which I am not keen to implement – you remember I am a Netscaler guy) or transporting the password in the claim – which doesn’t sound right at all… Is there any other way?

    One more:
    If I do SAML directly on the SF (without NS at all) – I guess SSO won’t work either when launching the ica session, right? Again the Storefront doesn’t have a PW, or is it done differently when using SAML on the SF? So do I always need FAS if I want single sign on to the ica session when using SAML no matter where I do the SAML auth (NS or SF)?


    1. Windows supports two methods of authentication – password, or certificate. If no password, then certificate is the only other option. FAS generates certificates for users and uses the certificates for authentication. Every major broker does SAML this way.

  3. If shadow accounts were in a different forest (with limited CFT), would you recommend the CA be in the User or DDC\VDA forest?

    Thank you,

    1. The Citrix_SmartcardLogon template builds the Subject Name from AD information. I assume the CA needs to be able to get that user info from AD.

    1. I don’t see why not. StoreFront has some native SAML functionality, but I find NetScaler as SAML SP to be much more capable.

  4. Hello Carl.

    This page is really helpful in setting up Citrix farm with FAS, very detailed. Thanks!

    When we use our IdP and Storefront as SP, we are getting certificate validation error. I have installed all signing certificates in both SP and IDP.

    “The security token failed validation.
    System.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.
    at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials)
    at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
    at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
    at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
    at Citrix.DeliveryServices.Authentication.Saml20.SamlExtensions.GetSecurityToken(String assertion, SecurityTokenHandlerCollection securityTokenHandlers)
    at Citrix.DeliveryServices.Authentication.Saml20.SamlManager.ProcessSamlResponse(String base64EncodedResponse, Boolean compressed)”

    Please help!

    1. You can decode the SAML Assertion to verify that the certificate used to sign the assertion matches the one you installed on StoreFront.

      Otherwise, I find configuring SAML on NetScaler to be much more capable than configuring it natively on StoreFront.

        1. Hello Carl,

          We are still investigating SAML flow with Citrix Farm along with our IdP.

          Is it possible to perform Kerberos constrained delegation to storefront 3.x server?

          Thanks in advance.

          1. Delivery Controllers and VDAs do not support Kerberos delegation. 6.5 does, but 7.x does not.

            StoreFront can send username without password to Delivery Controller if Trust XML is enabled in the farm. However, once Receiver connects to VDA, StoreFront and Delivery Controller don’t have a password to give the VDA, and thus you need FAS to perform SSON to the VDA.

          2. Thanks Carl for the quick response.

            We have setup FAS environment to perform SSON from Storefront to Delivery controller to VDA.

            We are looking at performing constrained delegation from our IdP to Storefront since user logs without password . Is it possible to enable constrained delegation to Storefront?

            User logs in to our IdP with certificate or token and should be able to perform SSON to Storefront and to VDA through Delivery controller using FAS

  5. Hello Carl
    I have completed all the steps but I get “Cannot complete your request” when I log in through the Citrix web site. StoreFront event ID: Citrix Receiver For Web

    A CitrixAGBasic Login request has failed.
    Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
    Authenticate encountered an exception.
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
    at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

    System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    The remote server returned an error: (403) Forbidden.
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden
    at System.Net.HttpWebRequest.GetResponse()
    at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
    at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

    Another ID:Citrix Authentication Service
    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

    The credentials supplied were;
    user: selahattin.yildirim

    ID : Citrix Domain Service
    The following error occurred during an authentication attempt for user: xx.local\selahattin.yildirim with realm:
    System.ArgumentOutOfRangeException, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Specified argument was out of the range of valid values.
    at Citrix.DeliveryServices.Authentication.Kerberos.Native.Authenticator.Authenticate(String userPrincipalName, String clientRealm)
    at Citrix.DeliveryServices.Authentication.Kerberos.KerberosAuthenticator.Authenticate(String userPrincipalName, String clientRealm)
    at Citrix.DeliveryServices.Kerberos.Delegated.Server.DelegatedKerberosAuthenticator.Authenticate(String userPrincipalName, String clientRealm)

    I would appreciate your help

    Best Regards

    1. It looks like NetScaler is not sending the userPrincipalName to StoreFront. Or you’re not getting the userPrincipalName (or email address) from your SAML iDP.

  6. Hello Carl,

    We would like to use an Enterprise CA that is hosted in our trusted domain with a two-way relationship, but the FAS server cannot reach the CA using its console or PowerShell Get-FASMsCertificateAuthority.

    On our local domain, we have Storefront, FAS, Controllers and VDAs.
    On the trusted domain, we have the Enterprise CA and the corporate users.

    Do you know if there is a way to specify our Enterprise CA to the FAS?

  7. I’m planning to have a set with Netscaler VPX (from Azure Marketplace) in ICA Proxy Mode with 2-factor authentication configured via Azure MFA (cloud based).

    Does this setup require FAS server for VDA single sign on to


    Is it because of limitation with ICA proxy mode. Can I have
    VPX with FULL VPN mode and have VDA single sign on without


  8. Hi Carl,

    I’m planning to have an environment with a Netscaler VPX (ICA proxy – Azure Marketplace) with 2-factor auth configured with Azure MFA (cloud based). Will I be prompted for credentials when pass-through to VDA happens? Do I need to have a FAS setup to have VDA single sign on?

    Is there a limitation wrt to ICA proxy with MFA? If I use a full VPN mode can I eliminate FAS?

    1. If NetScaler collects the user’s AD password and sends it to StoreFront then there is no need for FAS or dual login.

  9. Hi Carl –

    I have OKTA/SAML integrated per (with FAS installed). An SP initiated session works fine… I hit the SF URL, it redirects to OKTA, auth is successful and then kicks it back to Storefront. I can see apps and launch them with no issue. However, when I try and launch from OKTA (IdP initiated), I get directed to the /StoreAuth/SamlForms/AssertionConsumerService URL that is configured in OKTA, but I get an IIS runtime error. There is a corresponding event (ID 1309) for ASP.NET – Event message: An unhandled exception has occurred.

    Any ideas? There’s not a lot out there and Citrix support is SLOW at helping me with this…


    1. I usually prefer to do SAML on NetScaler instead of directly to StoreFront. NetScaler has greater SAML compatibility than direct to StoreFront, which was designed mostly for ADFS.

      1. I agree, but unfortunately at this time, we’re not using Netscaler. Our company uses F5 and I followed a great article on setting up F5/OKTA/Storefront.. Using the SF URL directly, works great with OKTA. But anything via OKTA directly I hit that IIS runtime error page. If I use the OKTA chicklet or if I go through F5 virtual server (which has SP/IdP configured for Citrix), I get that runtime error. Only seems to work via SP-initiated sessions.

        Also, funny thing is – if I go through OKTA and hit that IIS runtime error page ( and then click the address bar and press enter – resending the request myself – I get the ‘Completing authentication… ‘ window. It doesn’t go any further, but it doesn’t error out. And still the only error I ever see is the ASP.NET error when this happens.. no security fails or anything else I have been able to find yet.

          1. Found part of an answer. Needed to have defaultRedirect (web.config) set to /Citrix/STOREWeb of the /Citrix/STOREAuth
            Event Log still shows the ASP.NET error each time still.

  10. Hi Carl, do you know if the FAS mechanism will work with our own hosted Storefront via the Netscaler gateway service offered with Workspace suite?

  11. Hi Carl, I now have a problem where StoreFront cannot process the request. Event ID 2 and 10: “cannot identify authentication domain” (translated from German). ADFS 2.0 on WS 2008R2, NS 12. 56.20nc. Maybe you have some idea? Thanks

    1. From NetScaler? If so, is NetScaler sending the domain name when it shouldn’t be?

      Is ADFS sending back the user’s UPN? Can StoreFront find a user account in AD that matches the UPN?

      1. Yes, from NS. No, it sends no domain name, in session profile is no sso domain configured. In ADFS i have a claim rule: UPN as LDAP attribute and email as outgoing claim type. At domain where SF is shadow account configured.

        If saml attribute is mail, then it looks like this:

        If we take NameID, then it works fine) And looks like this:

  12. hey guys,

    does saml authentication require a specific version or license? only enterprise and platinum and version 12 of netscaler?

    1. You should be able to bind a SAML Policy directly to the Gateway vServer, which means it should work in all Editions. However, if you do nFactor (AAA vServer), then you need Enterprise.

  13. While installing FAS on step 3, I approved the certificate on the CA. Then the status changed to “Status: The supplied chain does not contain a self-signed certificate”.

    Any ideas?

      1. CA root is an offline root CA. CA certificate is installed on FAS Server in trusted root certificate authorities. The CRL URL in the root CA certificate is not reachable by the FAS Server. Is it necessary that the FAS Server can reach the CRL?

        1. Hey Carl, the issue is solved!
          FAS cannot validate ECDSA root certificates. I had to rebuild the entire offline root CA with (SHA512)RSA as the signature algorithm and the issue was gone. I wrote Citrix to update their documentation.

          Best regards,

  14. Hi Carl, thank you for your post, it is very helpful. We have this error: Http/1.1 Internal Server Error 43549 when we are redirected back to NS after auth.

    We have NS as SP, ADFS as IdP and Oracle OAM as IdP Proxy – it is a customer requirement.

    Thanks for any help.

          1. I don’t see any events in either ns.log or aaa.debug. While redirecting, nothing happens in the log.

  15. Hello,

    We are in this configuration :

    – iDP is keycloak
    – XenApp 7.15 & Federation Service is 7.15
    – Netscaler

    In Active Directory, the UPN is different from the email domain.

    We are not able to authenticate any user. If we create a “shadow account” that has the same UPN as the email address of the “real” user then we can authenticate with the “real” user password but we see in the store that it is actually the shadow user that is logged in. So there is no application available.

    In keycloak, as NameID, we use ’email’.
    When we look at the SAML assertion in Firefox we see that the client returns the email address.

    What is wrong? How can we be connected with the “real” user and not the Shadow one?

    Thanks in advance for your help!

    1. Hello,

      Here is a solution. We use a custom attribute of the user object, for example extensionAttribute10, that contains the UPN of the user (user@domain). In the Keycloak “User Federation – mapper” we mapped the email attribute to extensionAttribute10. Now, we can authenticate and launch applications.


  16. Trying to figure out ADFS on the NetScaler with SAML. I have the Base64 exports from our CA servers for both the signing and encryption certificate. When I install the certs on my NetScaler (12.0 56.20) they appear in the ‘Unknown Certificates’ area and I can assign the Encryption cert (IDP) but when selecting the Signing certificate I get an ‘Invalid Certificate’ error.

    1. Are you referring to the SAML Action (Server) on NetScaler? You can select the iDP certificate, which came from ADFS? But the signing cert, which needs a private key, doesn’t work?

      1. correct, the SAML Action (Server) on the NetScaler. Do I need the private key for the Signing Cert? I don’t think that was provided.

        1. The idea is that NetScaler is signing the SAML request, and thus it needs a private key to do that. Then you give your public key to the iDP so it can verify the signature. This can be a self-signed certificate, or your Gateway/AAA certificate.

          1. Similar Issue here:
            The signing cert that was provided to me from the iDP provider (ADFS in this case) when installed on the Netscaler comes up under “Unknown Certs”. The signing cert does not have a private key available.

            I am getting an error of “Malformed Assertion sent to Netscaler; Please contact your system administrator.”

  17. Hi Carl,

    We have tested SAML + Citrix FAS via Gateway using a single domain and it works, but does SAML + Citrix FAS really work via Gateway in a multi-domain environment? I searched most of the articles but found nothing related to FAS in multi-domain. Do you have any idea whether it is possible? Your help is appreciated.


    1. As long as the user’s email address matches a UPN in one of StoreFront’s trusted domains, I don’t see why it wouldn’t work.

      1. Thank you for your quick reply, Carl.

        Yes, In our testing environment, we have set the user’s email address as UPN for SAML login and any domain trust has configured on Storefront server and set up two-way trust enabled.

        When we tried accessing the gateway URL using Domain A user account (UPN), gateway redirects to SAML page and getting authenticated there, redirects back to storefront webpage and we are able to successfully launch the applications. In similar way, We tried accessing the gateway URL using a test user account (UPN) from Domain B, the gateway redirects to SAML page and getting authenticated there, redirects back to storefront webpage and we are getting an error “Cannot complete your request”.

        Would you please share some article to clear the error message and launch the applications.

        1. What error are you seeing in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services?

  18. Carl, I’ve discovered that with the VDA version 7.15 the Single Sign-on no longer works I’ve also seen some users reporting it in this discussion thread: Stefanos Evangelou & Udo
    And there is also a thread on this issue on the Citrix discussion forums:

    I’ve made a reproduction for this issue in my demo lab and fixed it with a workaround for VDA version 7.15:

    I’ve also tested with VDA version 7.17 and this one works without any problem.

  19. Hi,

    I’m implementing FAS configuration using Google and/or F5 as an iDP. I have two issues. First one is that when entering the PowerShell command to test FAS functionality I don’t get any response

    PS C:\Windows\system32> Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1

    PS C:\Windows\system32> Get-FasUserCertificate -address HWEHC-F5APM2.hcwtestsaas.local

    PS C:\Windows\system32>

    Second issue is that when I try to enter iDP address (Google as iDP) in StoreFront configuration I get error “An error occured while saving your changes”. I have noticed that when I remove ?-mark from the address URL StoreFront accepts the address, but obviously that won’t work because address is then wrong.

    1. I usually am not able to get SAML to work natively with StoreFront (no NetScaler), so I instead add a NetScaler Gateway to do the SAML Auth.

  20. Hi Carl, NetScaler has a function to generate xml Metadata SAML for IdP. But if i have an xml file from Idp can i import it to NS? I haven’t found it…

      1. Thank you for the answer. NetScaler seems to have export of his own xml metadata:NS Gateway->Policies->Auth->SAML->Servers->Generate Metadata.
        But it is unfortunately not possible to import metadata xml file from IdP… or?

  21. Hi Carl

    Awesome work.

    We have setup a Citrix Cloud + Azure platform and have configured the NS to authenticate to Azure AD via SAML. To make this work we deployed Citrix FAS servers. Getting a session inside or outside the organisation via web browser works fine.

    I am having trouble making Citrix Receiver on domain joined PCs work, it is failing to display the session. The VDA keeps dropping the connections with an event ID 1017 Connection Id 16 from :50671 to port 2598 was unexpectedly closed during its SSL handshake phase.

    I realised the VDA might be expecting a certificate, so I created another store, but this is also failing.

    Any ideas?

    1. Internal Receiver is bypassing NetScaler Gateway. Is that what you want?

      Do you have SSL enabled on your Delivery Groups? You usually don’t need to do that.

      1. Carl

        Ideally no, as we want to LB the StoreFront via NS. Having said this, I have used local host entry on the PC with Receiver to bypass the NS LB and I still get the 1017 error. We do not have SSL enable on DG.

        I disabled FAS for the second Store I created, but I am still unable to launch a session.

  22. Hello,

    Thanks for your article.

    We are using RedHat Keycloak as Idp and 7.15 LTSR as FAS.
    The logon process seems to work but the user cannot access any resources.
    In the Storefront there is this error :

    A CitrixAGBasic Login request has failed.
    Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null
    Authenticate encountered an exception.
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
    at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

    System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b774e089
    The remote server returned an error: (403) Forbidden.
    ExceptionStatus: ProtocolError
    ResponseStatus: Forbidden
    at System.Net.HttpWebRequest.GetResponse()
    at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
    at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
    at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

    Any idea??


    1. The iDP sent back the user’s email address? NetScaler Gateway extracted the email address and sent it to StoreFront? StoreFront is able to find a matching AD account using the user’s email address as UPN? NetScaler is not sending any domain name? FAS is enabled on StoreFront? StoreFront is configured to fully delegate authentication to NetScaler Gateway? Callback URL is configured in StoreFront? Any errors on the FAS server?

  23. We have FAS setup with a netscaler gateway as mentioned above. We have some users that get the “cannot complete your request” after they put in their creds to the ADFS server. It appears to be failing before Storefront. We do see some errors in SF and on the fed auth servers about accounts being disabled [S102] but the accounts and the shadow accounts are all enabled. If the user tries a few times in short succession it lets them in. Any ideas?

    1. My suspicion is that Citrix Support would need to examine CDF traces to determine the cause of the intermittent issue.

    2. Were you ever able to get this resolved? Any indication of what the problem was? We are seeing the exact same behavior (also seeing Kerberos TGT rejections on the DCs.) Thanks!

  24. Hi Carl,

    Thank you for all the useful info you’ve provided on this site. I’m interested in using this for my environment; currently we’re using ldap auth. Since implementing FAS requires modifying storefront and vda to accept saml and certificate auth, will this affect ldap auth or will these new settings simply get ignored if they’re not being used? In other words, if I create two different auth policies on the Netscaler (ldap and saml) can the two auth methods co-exist on the same storefront and VDA?


    1. Once FAS is enabled on a StoreFront server, it will create certificates for every user of that StoreFront server. I typically create separate Stores for each FAS and non-FAS.

      1. Hi Carl,

        Can I create two separate stores on one Storefront server – one FAS enabled and one NON-FAS or will enabling FAS affect all stores on the server?


  25. Hi Carl

    I want to integrate Netscaler SAML authentication with Azure AD. I have 3 customers, and each one of them has Azure AD.

    Can I create a SAML authentication policy for each customer with a SAML idp server? Please note I have only one netscaler here.

    Each customer has his own citrix Farm at the backend.

    1. If users go to the iDP first, then you might be able to bind multiple SAML SP policies to the NetScaler Gateway.

      However, if the user goes to NetScaler Gateway first, then NetScaler might not know which iDP to redirect the user to.

        1. In Azure AD, create the NetScaler Gateway SP application. Users go to the Azure AD portal and there should be an icon for NetScaler gateway.

          1. Hi Carl

            Can you please send me the Citrix document which shows me how to create the Netscaler SP in Azure AD.

            Thank you in advance

            Best Regards

  26. I plan to use PingFederate services (with SAML Browsing) to authenticate my users during the netscaler access process. Is the FAS required in this case ? what will happen if i don’t install FAS ? the VDA logon won’t be SSO passtrough ? Will i get a prompt to reenter a username/pwd on the XA/XD workloads ?

    1. Without FAS, the VDA will prompt the user to enter username and password. This is the password for the shadow account, not the iDP account.

  27. Hi Carl, in Step 11 under ‘FAS Group Policy’ section, I think you need to add FAS, VDA and SF servers from Domain B to Windows Authentication Group in Domain A as per CTX220497….. not Domain B.

    Which brings the obvious question – how can step 11 be accomplished without a 2 way trust in place? If 2 way trust is needed, why bother with FAS then?

    Kind regards

    1. Thanks for pointing that out. It should be updated now.

      I suspect the multiple domains in this case pertains to the shadow accounts being in a different domain than the Citrix machines.

  28. Hello Carl,

    I have the following environment:

    1) Domain A, where our office users reside. This domain only has the local user workstations which run Citrix Receiver with SSO configured. Domain A also has ADFS v4 (Windows Server 2016) which is used as SAML IDP. We need to have users logging in to domain A to be able to SSO to our XenDesktop 7.15 LTSR VDAs which are deployed in domain B (see below).

    2) Domain B, where we have a XenDesktop 7.x delivery site, with 7.12 delivery controllers, 7.15 LTSR storefront servers and 7.15 LTSR VDA. We also have separate Citrix FAS server configured (latest version from VDA LTSR 7.15 binaries) and working with domain B PKI infrastructure (WIndows Server certificate services enterprise root CA). We have Netscaler VPX 10.5 configured with Netscaler Gateway, which is used as SAML SP.

    The issue is the following:
    When a user logs on to their local machine in domain A, they open a Web browser and point to the URL of Netscaler Gateway. They are automatically logged on to Netscaler Gateway via SAML and the Storefront page is shown where the user can click on a published desktop. When the desktop is being launched, it gets all the way to the VDA machine, where the Windows Server LogonUI is shown but user does not get automatically logged on, screen stops at VDA logon. It seems that the necessary user certificates are not automatically populated, even though there are no errors in the FAS server. Even if we populate the user certificates via Powershell, the logon still stops on the VDA LogonUI screen.

    I have checked event logs on DDC, VDA, Storefront, FAS and PKI servers without any apparent sign. Any ideas on what else I could be checking?

  29. Hi Carl,

    Is there any way to integrate NetScaler with multiple Azure AD accounts? My scenario is using only one VIP with multiple SAML policies for external auth. Group A has its own SAML policy and their own Citrix (StoreFront, Delivery Controller, VDA ..) and group B has the same as group A. Is there any way to tell the NetScaler which SAML to use for authentication if the user comes from Group A or Group B?

    Thank you in advance.

    Kindest Regards
    Basem Shalabi

    1. Maybe if iDP initiated since I don’t think Citrix has an easy way to allow users to choose an iDP without using multiple FQDNs. Then maybe you would need Default Syntax Session Policies with expressions like http.REQ.USER.LOGIN_NAME.SET_TEXT_MODE(IGNORECASE).CONTAINS("") to select the correct Session Policy for each iDP.

      1. Thank you Carl, I did not find that expression in the expression drop-down list. Can I add this expression at the SAML policy level?

        Thank you.

        1. Default Syntax for Session Policies requires NetScaler 12. The expression would only work after a login has been performed, not before.

          You could use HTTP.REQ.URL.HOSTNAME.EQ("") to select a SAML Policy based on a unique FQDN. This implies that the certificate matches multiple FQDNs. And assumes Default Syntax Authentication Policies (nFactor) instead of Classic Expression.

  30. I’m having issues when accessing StoreFront from an IDP. I get “cannot complete request”. From the event log on StoreFront I get two errors:

    Access is denied. Contact your system administrator.

    Followed by:

    A CitrixAGBasic Login request has failed.
    The remote server returned an error: (403) Forbidden.

    I believe that the SSO from NetScaler to StoreFront is the problem. I have checked my session policies multiple times. There is a CS (content switch) in front of the NetScaler vserver.

    1. One of your StoreFront servers should have an event indicating an issue with the Callback URL.

      Or, in StoreFront Console, go to Stores. In the middle, right-click your store. Click Manage Receiver for Web sites > Configure > Advanced. The third line is “loopback”. Change the drop-down from On to OnUsingHttp.

    2. In case anybody else is having the same issue:

      Mine was caused by me copying an existing session policy with SSO domain filled from before. I had to enable the field and clear its contents, then save. To have Netscaler SSO to Storefront.

  31. Hi Carl

    I made FAS working and was able to startup published desktop and apps (WS 2016, XA 7.15). But now it stopped and I get the message “wrong username or password” at the login (blue background of WS 2016, NOT a blue screen).

    I verified FAS and see the certs with the PS command.

    Any hint where I can look into?


          1. So I found out that 2 of 3 VDA have this problem. When I connect to the first, everything is working fine all the time (publ app and desktop). VDA 2 and 3 showing this error every login.

            So I double-checked the FAS rule and the list of VDA includes all 3 VDA and rule is set to apply. I removed VDA 2 and 3 and re-added them but still no success.

          2. They are in the correct OU that gets the GPO that enables FAS? Check HKLM\Software\Policies\Citrix and somewhere under there is the FAS address.

          3. Argghhh – you made my day! The GPO was not linked to the correct OU. I worked with FAS earlier this year and only adjusted the server name but not the linked OU.

            Thanks a lot!

          4. Didn’t hold that long… I can start published apps but with the desktop I’m getting the same error again.

            Any hint?

  32. Carl,

    I was wondering if you knew if it was possible to store the FAS RA private key on an HSM and still store the smart card logon keys on the FAS server? If so, could you point me in the right direction of configuring this? Based on my research, it seems you have an all or nothing option on where to store private keys (FAS, TPM, or HSM). Thanks in advance

  33. Thank you for all this information, it has been very useful.
    Do you happen to know how I can set the ‘Fully delegate credential validation to NetScaler Gateway’ option with PowerShell?
    I ask because I have a StoreFront deployment with multiple IIS sites so I cannot use the console.

    1. I figured it out, maybe useful for someone else:
      set-STFCitrixAGBasicOptions -AuthenticationService $auth -CredentialValidationMode Auto

  34. Thanks for the hard work Carl,
    I’m having trouble wrapping my head around something. After I configure FAS and users are being logged into the VDA with certificates, when users access other service providers (within the VDA), such as Office 365, or Gmail, is SSO available? Is that where the Group Policy setting “In-Session Certificates” comes in? We use Shibboleth as our iDP.

    1. Password is not available. If you need password for SSON, then it won’t work. But Kerberos should work fine (e.g. ADFS with Integrated Windows Authentication).

        1. FAS is needed if you want to SSON to the VDA. Otherwise, the VDA will ask the user to login to the domain with username and password.

  35. Hi Carl,

    An update: I checked old logs and it looks like the SP-init SLO never worked properly. I don’t see any instance where the NetScaler has sent a SAML SLO to PingFederate. Other than specifying the “Single Logout URL” in the NetScaler config, is there something else we need to do to enable SLO from StoreFront?

    We tried to follow the aforementioned Citrix doc (, but it’s unclear where to bind the TM action/policy. Can you provide some guidance and/or links to docs on how to do that with NetScaler 11.1 and StoreFront 3.9?

    Your help is much appreciated!



  36. Hi Carl,

    We are trying to configure SLO between NetScaler 11.1 and PingFederate. What wasn’t clear in Citrix documentation was what SLO endpoint to use on the NetScaler. I did find a Citrix support doc ( that indicated a URL of:

    Is that the correct URL? That support doc discusses SP-init SLO…does the NetScaler support IdP-init SLO? In our testing the SP-init SLO seems to work fine, but when we send a SAML SLO assertion to that same endpoint we don’t get a response…and the user’s session isn’t terminated in StoreFront.



  37. Hi Carl,

    I’m planning to upgrade XenApp with latest version 7.14.1, also would like to upgrade SAML with latest one, Is there any upgrade docs for SAML?


      1. Thanks for the quick reply Carl.

        Yes It’s FAS. Do I need to make any changes/upgrade on CA (Certificate Authority) server as well? Would you please help me upgrade sequence for XenApp 7.12 to 7.14.1?

        This is what I’m planning: VDA -> Delivery Controller -> StoreFront


  38. Carl, I also ran the Verify FAS procedure above and FAS is generating certs. Can I assume if I am getting “The UserID or Password is incorrect” message, then the generated cert is not correct? Thanks.

  39. Hi Carl

    Thank you for the article. I have configured Citrix FAS for Citrix authentication. NetScaler is configured with Azure AD iDP. When I try to start an application I keep getting the Windows login prompt. All delivery agent servers are able to communicate with FAS and domain controllers, but there is no problem in application start for different VDAs which are located in a different network segment.

    Would you please advise

    Thank you.

  40. Carl, I get this message when I launch an app. I get a Windows sign-in screen with “The user name or password is incorrect”. I have looked for events on the S.F., FAS, and DC servers. Any ideas where to look? Thanks

  41. Is there a possibility to have two FAS servers? Build a load-balanced FAS, just like any other component is HA in my Citrix.

  42. Hi Carl

    Can you use a Standalone CA (i.e., not an Active Directory integrated CA) in using FAS, as long as you add the cert of your standalone CA to the Trusted Roots store on your VDAs/Storefront servers?


    1. The Enterprise CA is needed to issue certificates for each user and link them to Active Directory users.

      1. Hi Carl,

        I am totally new to ADFS and would like to learn and get a better understanding of how it can be used for enabling users from Domain A (client domain) to be able to launch a XenApp or XenDesktop session in Domain B (resource domain). The two domains do not trust each other. Both domains are in the same organization, albeit they live in two separate network subnets with a firewall. Can I achieve this using the steps you have shown?


        1. Yes. If internal only, then StoreFront has native support for ADFS and FAS.

          Note: you must create accounts in Domain B for each of your users. The passwords don’t matter. The Domain B users are for authorization and identity mapping. What SAML does is avoid you having to synchronize passwords between the domains. And when you delete a user from Domain A, it can no longer be used to login to Domain B.

          1. Thanks Carl for your quick reply. I take it I will first need to configure ADFS services on both domains before I proceed with the Citrix configuration steps? If so would you be able to suggest any good blog/guides for configuring ADFS.

          2. So I only need to configure ADFS in the resource domain. Or is it the client domain which is where the identity and passwords will be provided from? I can’t seem to get my head round this one 🙂

        1. I doubt it.

          Can it automatically generate smart card certificates for windows interactive AD authentication? And can FAS tell it to generate those certs?

  43. Hi Carl,

    After logging in ADFS opens with an error page. In eventlog:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    Relying Party:

    Exception details:
    Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls to process the incoming request.
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    I can open /adfs/ls/idpinitiatedsignon.aspx and I see my relying parties. When selecting NetScaler Gateway I get Http/1.1 Service Unavailable

    Any idea what this could be?


    1. Hi Mark,

      have you been able to fix this issue with MSIS7065? I am facing exactly the same problem..

      Thank you for your reply

  44. This is a great article Carl. Question: after I do the SAML authentication I can see the desktop and published apps. When I launch the application I get the desktop logon screen. Before federated authentication I was able to launch the app. Can you point me in the right direction?
