Citrix StoreFront Integration

Introduction

Multi Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.

Citrix StoreFrontTM is an enterprise application store that provides an interface for users to access Citrix WorkspaceTM desktops and applications remotely. Acceptto is a Citrix Ready Partner integrates with Citrix StoreFront via its SAML solution and provides single sign-on (SSO) MFA to ensure customers use the convenience of cloud SSO without its potential security risks.

Pre-Requisites
  1. An Acceptto Appliance connected to your user directory (for example MicrosoftTM ‘Active DirectoryTM’).
  2. The user population that is going to be authenticated via SAML must be enrolled in the It’sMeTM mobile Application.
  3. A user with administrative privileges for the Citrix StoreFront.
  4. A user with administrative privileges for the Acceptto Appliance.
Getting your Citrix StoreFront information
  1. On the StoreFront server, open an elevated PowerShellTM and run the command asnp citrix* to load the Citrix modules.
  2. Powershell window
  3. Once the modules are loaded, run the below command to fetch the Service Provider Information (Remember to change the value of “/Citrix/Store” with the virtual path of your Store).
  4. $storeVirtualPath = "/Citrix/Store" 
        $auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
        $spId = $auth.AuthenticationSettings["samlForms"].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
        $acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/AssertionConsumerService") 
        $md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/ServiceProvider/Metadata") 
        $samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlTest") 
        Write-Host "SAML Service Provider information: 
        Service Provider ID: $spId 
        Assertion Consumer Service: $acs 
        Metadata: $md 
        Test Page: $samlTest"

    The sample output of the above command looks like this:

    SAML Service Provider information: 
            Service Provider ID: https://StoreFront™.example.com/Citrix/StoreAuth 
            Assertion Consumer Service: https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService 
            Metadata: https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata 
            Test Page: https://StoreFront™.example.com/Citrix/StoreAuth/SamlTest
Acceptto SAML Configuration as an Identity Provider (IdP)
  1. Login to the Acceptto Appliance admin panel with an administrative account and go to Applications.
  2. Admin Panel create app button
  3. Create a new application by selecting the Create New Application.
  4. In the Add Application dialog, enter the following values ( Advanced Options button allows additional optional configuration):
  5. App Name - the application name to be displayed in the admin panel and application portal. For example, Citrix

    Issuer or Entity ID - The Issuer/EntityID of your StoreFront instance you got from the previous section. For example,https://StoreFront™.example.com/Citrix/StoreAuth

    Sign in URL - The link used by your users to access the StoreFront. Like, https://StoreFront™.example.com/

    Metadata URL - The URL containing metadata about your StoreFront instance you got from the previous section. For example, https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata

    ACS URL> - The StoreFront post-back URL you got from the previous section. For example, https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService

  6. Click Save> to create the Application.
  7. Select the Show ID Provider Data and copy the information shown on this page.
  8. Show provider data
Configure Citrix StoreFront as Service Provider (SP)
  1. On the StoreFront console, enable the SAML Authentication under the Manage Authentication Methods.
  2. citrix storefront dashboard
  3. Open an elevated PowerShell on StoreFront™ server and run the below commands (Remember to change the value of “/Citrix/Store” with the virtual path of your Store).
  4. Get-Module "Citrix.StoreFront™*" -ListAvailable | Import-Module  
            $StoreVirtualPath = "/Citrix/Store" 
            $store = Get-STFStoreService -VirtualPath $StoreVirtualPath 
            $auth = Get-STFAuthenticationService -StoreService $store 
            Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath "File path of the metadata file you downloaded from Acceptto”
Test your setup
  1. Go to your Citrix StoreFront URL. You will be redirected to the Acceptto SAML page.
  2. acceptto sign in page
  3. After successful authentication, you’ll see the Acceptto MFA options and need to select your desired method and pass the verification stage on your It’sMe mobile app.
  4. acceptto mfa authenticator
  5. Finally, you will be redirected to your Citrix StoreFront landing page.
Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.
Citrix, NetScaler, and ‘Netscaler Gateway’ are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.
Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.