This article shows how to configure StoreFront 3.9 and Active Directory Federation Services (ADFS) on Windows Server 2016 for SAML authentication. Each side of the trust is configured from the other side's SAML metadata rather than by typing in endpoints and certificates by hand.

Getting Started

This article assumes that you have already deployed ADFS and StoreFront, and created a StoreFront store. For the purposes of this article we will assume the following:

Because the configuration uses SAML metadata exchange, the two metadata endpoints (the ADFS federation metadata and the StoreFront service provider metadata) will be required:

Step 1: Configure StoreFront

First ensure that the SAML Authentication method is enabled: open the StoreFront management console, select the store that you wish to use SAML with, and then select “Manage Authentication Methods”.

upgrade-1

Ensure that “SAML Authentication” is enabled:

enable-saml

Next, on a StoreFront server, open a PowerShell window running as Administrator and type the following:

Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module

# Remember to change this with the virtual path of your Store.

$StoreVirtualPath = "/Citrix/Store"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath

$auth = Get-STFAuthenticationService -StoreService $store

Update-STFSamlIdPFromMetadata -AuthenticationService $auth -Url https://idp.example.com/FederationMetadata/2007-06/FederationMetadata.xml

The Store is now configured to trust assertions from ADFS. The import reads the ADFS entity ID, SAML endpoints and token-signing certificate from the federation metadata, so fetch it over HTTPS from the real ADFS host (or a trusted copy of the file), since whatever signing certificate is in that document is what StoreFront will accept assertions from.

Step 2: Configure ADFS

On the ADFS server open the “AD FS Management” administration tool, and select to “Add a Relying Party Trust…”

1-add-rp-trust

This brings up the following:

2-claims-aware

Accept the default of “Claims aware” and select “Start”.

3-set-metadata

The trust is configured from the StoreFront metadata, so select “Import data about the relying party published online or on a local network” and enter the StoreFront metadata endpoint, then select “Next”.

4-displayname

Accept the suggested display name, or overwrite it with a more meaningful name, and then select “Next”.

5-access-control

This dialog allows the configuration of ADFS access control policies for the relying party. That configuration is outside the scope of this article, so accept the default of “Permit everyone” and select “Next”. In a production deployment you would normally choose a policy that restricts access to a specific group and/or requires multi-factor authentication.

6-review-trust

This dialog shows the information imported from the StoreFront metadata (identifier, endpoints and certificates). Review the values, then select “Next”.

7-claims-issuance

Accept the default to “Configure claims issuance policy for this application” and select “Close”

The following dialog should open automatically. If it does not, select the Relying Party Trust just created in the AD FS Management console and then select “Edit Claim Issuance Policy…”.

8-edit-claims-issuance

Select “Add Rule”, and select “Send LDAP Attributes as Claims”, as follows, then select “Next”

9-select-rule-template

Fill in the resulting dialog as shown, mapping the LDAP attribute User-Principal-Name to the outgoing claim type Name ID so that the assertion identifies the user by UPN, then select “Finish”.

10-upn-as-nameid

Select “OK” to complete the ADFS configuration

11-finish
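The same relying party trust can be created from PowerShell on the AD FS server. The block below is an added example, not part of the original article, and is the scripted equivalent of the wizard steps above: import the trust from the StoreFront metadata, apply the default “Permit everyone” access control policy, and add a “Send LDAP Attributes as Claims” rule that issues the user's UPN as Name ID. The relying party name and the StoreFront metadata URL are placeholders you must replace.

```powershell
# Added example (not from the article): ADFS side of Step 2 done from PowerShell.
# Run on the AD FS server in an elevated PowerShell session.
# Assumptions/placeholders: $rpName and $sfMetadata are not values from the article.
Import-Module ADFS

$rpName     = "StoreFront"
# Replace with the StoreFront SAML service provider metadata URL for your store.
$sfMetadata = "https://storefront.example.com/REPLACE-WITH-STOREFRONT-METADATA-PATH"

# Claim rule equivalent to the "Send LDAP Attributes as Claims" template in the
# wizard: look up userPrincipalName in AD and issue it as the Name ID claim.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Create the trust from the online metadata. MonitoringEnabled/AutoUpdateEnabled
# make ADFS re-read the StoreFront metadata periodically, which is what keeps the
# trust valid when the StoreFront certificates are rolled.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $sfMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $rules

# Review what was imported: the identifier (entity ID), the SAML endpoints and
# the encryption certificate (its presence is why assertions come back encrypted).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, AccessControlPolicyName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.EncryptionCertificate | Select-Object Subject, NotAfter
```

If you prefer to restrict access at this point, replace “Permit everyone” with one of the group- or MFA-based policies listed by Get-AdfsAccessControlPolicy; the claim rule is unaffected.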

Step 3: Test

The solution should now be configured. You can verify it by pointing a browser at the StoreFront SAML test page, the URL of which can be obtained using the PowerShell described here: http://docs.citrix.com/en-us/storefront/3-9/sdk-overview.html#par_anchortitle_a8db. After authenticating to ADFS, the test page will display information like the following:

Test

Note that by default the returned SAML assertion is both signed and encrypted: ADFS signs it with its token-signing certificate (which StoreFront learned from the federation metadata) and encrypts it to the encryption certificate that StoreFront publishes in its own metadata.

Configuration of Artifact Resolution

SAML can also be configured so that the assertion itself is never returned through the client's browser. Instead the client carries an opaque artifact, which the Service Provider (StoreFront) redeems for the assertion over a direct back-channel call to the IdP's artifact resolution endpoint. This means the StoreFront servers must be able to reach ADFS over HTTPS, not just the user's browser.

As a prerequisite, the artifact resolution endpoint must already be enabled in ADFS, which can be verified in the AD FS Management console under Service > Endpoints:

artifact-resolution-enabled

Note: enabling the artifact resolution endpoint changes the ADFS federation metadata. If you had to enable it here, then at the end of this procedure you will have to re-run Update-STFSamlIdPFromMetadata (as in Step 1) so that StoreFront picks up the new endpoint.

To configure StoreFront for artifact resolution, first open a PowerShell window running as Administrator on a StoreFront server, then enter:

Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module

# Remember to change this with the virtual path of your Store.

$StoreVirtualPath = "/Citrix/Store"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath

$auth = Get-STFAuthenticationService -StoreService $store

Set-STFSamlRequireArtifactResolution -AuthenticationService $auth -Required $true

Next in the AD FS Management console, select the StoreFront Relying Party trust and select “Update from Federation Metadata…”

update-metadata

In the resulting dialog, select “Update”

update-metadata-2

Finally, use the test page to verify the solution; the assertion shown should now have been obtained via artifact resolution rather than posted by the browser.
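The whole artifact resolution procedure, including the prerequisite check and the metadata re-sync on both sides, as an added example that is not part of the original article. Part A and Part C run on the AD FS server, Part B on a StoreFront server; the relying party name, the ADFS metadata URL and the store virtual path are placeholders.

```powershell
# Added example (not from the article). Placeholders: $rpName, $idpMetadata,
# $StoreVirtualPath. Run each part on the server named in its header.

# --- Part A: AD FS server - make sure the artifact resolution endpoint is on ----
Import-Module ADFS
$endpointPath = "/adfs/services/trust/artifactresolution"
$artifact = Get-AdfsEndpoint -AddressPath $endpointPath
$wasDisabled = -not $artifact.Enabled
if ($wasDisabled) {
    Enable-AdfsEndpoint -TargetAddressPath $endpointPath
    # Endpoint changes take effect after the AD FS service restarts.
    Restart-Service adfssrv
}
Get-AdfsEndpoint -AddressPath $endpointPath | Select-Object Protocol, Enabled, FullUrl

# --- Part B: StoreFront server - require artifact resolution for the store -----
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/Store"          # change to your store's virtual path
$idpMetadata = "https://idp.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth  = Get-STFAuthenticationService -StoreService $store

# If the endpoint was only just enabled in Part A, the IdP metadata has changed,
# so refresh StoreFront's view of the IdP before switching to artifact binding.
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -Url $idpMetadata
Set-STFSamlRequireArtifactResolution -AuthenticationService $auth -Required $true

# --- Part C: AD FS server - pull the updated StoreFront metadata into the trust -
Import-Module ADFS
$rpName = "StoreFront"
Update-AdfsRelyingPartyTrust -TargetName $rpName
# The StoreFront endpoints should now include an HTTP-Artifact binding.
(Get-AdfsRelyingPartyTrust -Name $rpName).SamlEndpoints |
    Select-Object Protocol, Binding, Location
```

Part B deliberately refreshes the IdP metadata unconditionally: re-importing unchanged metadata is harmless, while forgetting to re-import after enabling the endpoint leaves StoreFront without the artifact resolution URL and the redemption call fails.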

More Information

Further information can be found on the Citrix Documentation site:
