amolari
Jun 01, 2015 · Cirrus
SAML and XA/XD
Hi
I have the following scenario: XD 7.6/Storefront 2.6, an IdP which is not ADFS. Deployment on the BIGIP is LTM+APM (replacing StoreFront). We want to have users authenticated with SAML (APM a...
There are a couple of ways to handle it. If you keep StoreFront, then there is no need for APM to use KDC, as StoreFront will use the Gateway authentication mechanism and grab the username from APM in that call - but, of course, the challenge of starting the user's ICA session without a password (i.e. using the same KCD mechanism as what worked in 6.5) is still there - as it does not work. When APM acts as a StoreFront replacement, it is also capable of sending a Kerberos ticket to the DDC if needed - that has been supported since 11.4.0.
The culprit here, though, is the Citrix backend infrastructure. It simply does not support/allow for the same legacy way of using Kerberos to launch XA apps in the current versions - and I have not heard of them bringing it back - although if they do, it would be very interesting and good for quite a few customers, I'd imagine.