Citrix has announced that they have released a technology preview of SAML authentication for XenApp and XenDesktop running on top of version 7.8.
With this preview, Citrix has enabled SAML federated identity for logon, starting at NetScaler, through StoreFront and on to the workstation or terminal server VDA. The result is user access to XenApp and XenDesktop with identity rooted to an identity provider outside the XenApp/XenDesktop/Active Directory world.
How it works
The black boxes in the diagram are the technical preview. This includes:
1. StoreFront code to communicate with User Credential Service for federated single sign-on operations
2- Addition of a new service, the User Credential Service to map IdP identity into AD identity
3. VDA enhancements (Terminal service and workstation) to log user on using UCS
Active Directory supports primarily two authentication types, 1) username/password and 2) smart card. In the SAML case, user authentication occurs on the identity provider, and the IdP statement of identity is used by StoreFront and the User Credential Service to log the user onto the domain. The process is initiated by the Receiver for web (RFWeb) or HTML5 Receiver access to NetScaler/StoreFront, which redirects to the identity provider, where user logon occurs. A SAML assertion is given to the NetScaler, signed by the IdP, indicating that the user is authenticated. NetScaler hands the single sign-on request to StoreFront, who uses the User Credential Service to complete the logon to XenApp/XenDesktop and Active Directory.