Site icon BLOGS

SAML Authentication Between CVAD & Azure AD with Azure MFA & Citrix FAS

by Manuel Winkel, CTA

As a result of increasing projects, here is a small How To with the following points:


SAML Authentication (Azure AD as IdP & Citrix Gateway as SP)

SAML Authentication with Azure AD as IdP and Citrix as SP

Active Directory
If the UPN is not the same in Azure AD and in the on-premises Active Directory, the UPN must be modified.

Azure Active Directory

To connect our upcoming Service Provider, we now need to create a custom application in the Azure Active Directory.

To allow users to use SAML authentication for Citrix, they must be assigned to the application.

Citrix ADC

Finally, the Citrix ADC must be configured to communicate with the Identity Provider (Azure-AD).

Confirm this with Bind.

In order to complete the configuration on the Citrix ADC, we only need to bind the newly created SAML Authentication Policy to our Gateway Virtual Server.

Unbind all connected LDAP or RADIUS authentication policy from the vServer.

Citrix Federated Authentication Service (FAS)

Certificate Authority

Now the domain controller must be issued a certificate of the local CA.

Citrix Federated Authentication Service

Now we can install and configure the FAS server. In my example, I install the FAS Part on the StoreFront server.

C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions

Computer Configuration \ Policies \ Administrative Templates \ Citrix Components \ Authentication

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Citrix \ Authentication \ UserCredentialService \ Addresses
Or / And
HKEY_LOCAL_MACHINE \ SOFTWARE \ WOW6432Node \ Policies \ Citrix \ Authentication \ UserCredentialService \ Addresses

The following window configures the FAS.

The now approved certificate normally expires in 2 years.
It is therefore recommended to include this certificate in the monitoring so that the certificate is renewed before its expiry..

Here are the PowerShell commands to get the expire date (Replace CTX01.deyda.local with FAS server).

Add-PsSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasAuthorizationCertificate -FullCertInfo -address CTX01.deyda.local

Restrict the users who can log in to Citrix via SAML. By default, the group Domain Users is stored here, which can stay that way.

Under Manage VDA permissions narrow down the list of Citrix Workers to which log in via SAML. By default this stands on Domain Computers, which can stay that way.

After everything is defined click on Next and in the last window on Create


Now we configure the StoreFront server so that it can talk to the FAS server.

Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/Store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""

In Manage Citrix Gateways, add a new gateway or edit an existing one to connect to the Citrix Gateway which will later be used as SP.

Important here is that also in the internal DNS the callback address is deposited.

Delivery Controller

The XML Trust must still be activated on the Delivery Controller if this is not already activated.

asnp citrix.*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

In the newer version of CVAD (>1906) a Citrix Cloud window follows after executing the PowerShell commands, for the Citrix Cloud credentials.

Microsoft Azure Multi-Factor-Authentication with Conditional Access

You can find more detailed background information on this topic here.

Conditional Access

Convert users from per-user MFA to Conditional Access based MFA

Before the following script works, a connection to Azure AD must be established. Execute the following lines.

# Install and Connect to Azure AD
Install-Module MSOnline
$Msolcred = Get-credential
Connect-MsolService -Credential $MsolCred

Save the following code into a PS1 file and execute it to swivel the MFA method.

# Sets the MFA requirement state
function Set-MfaState {
Process {
Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
$Requirements = @()
if ($State -ne "Disabled") {
$Requirement =
$Requirement.RelyingParty = "*"
$Requirement.State = $State
$Requirements += $Requirement
Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
-StrongAuthenticationRequirements $Requirements
# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled

List of configured MFA users

# Identify registered users
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalname

List of unconfigured MFA users

# Identify non-registered users
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName | Sort-Object userprincipalname

Authentication App

We now log in to MFA Setup ( with our test user to configure the Authentication App on the mobile device.

If the test user does not yet have a configured second factor, the following message appears. The configuration can be started with Next.



If we now open the FQDN of the gateway ( via browser.

We will be forwarded directly to Azure-AD and can authenticate ourselves there.

We get our Citrix resources listed and can start them.

You can visit me on my website: or follow me on twitter: Manuel Winkel.

Exit mobile version