Forum Discussion

amolari
Jun 01, 2015

SAML and XA/XD

Hi

I have the following scenario: XD 7.6/StoreFront 2.6, an IdP which is not ADFS. Deployment on the BIG-IP is LTM+APM (replacing StoreFront). We want to have users authenticated with SAML (APM as SP). To have an SSO experience we would need to have auth pass-through (Kerberos constrained delegation) on the APM towards the DDC. It seems it was possible with XA/XD 6.5 but not with 7.6, and should be possible in the next release.

My concern is the APM-DDC communication. Will that be able to support Kerberos Auth? APM at this time only seems to be able to provide the credentials in username/password format.

Any inputs please?

Thanks

Alex

1 Reply

  • There are a couple of ways to handle it. If you keep StoreFront, then there is no need for APM to use KCD, as StoreFront will use the Gateway authentication mechanism and grab the username from APM in that call - but, of course, the challenge of starting the user's ICA session without a password (i.e. using the same KCD mechanism as what worked in 6.5) is still there - as it does not work. When APM acts as a StoreFront replacement, it is also capable of sending a Kerberos ticket to the DDC if needed - that has been supported since 11.4.0.

    The culprit here, though, is the Citrix backend infrastructure. It simply does not support/allow the same legacy way of using Kerberos to launch XA apps in the current versions - and I have not heard of them bringing it back - although if they do, it would be very interesting and good for quite a few customers, I'd imagine.