Home » KBArticles » Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication

Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication


 * Citrix FAS Service installation
 * XA/XD 7.6 or newer
 * StoreFront 3.6 or newer (I’ve tested with 3.9)
 * SAML Provider acting as the iDP (Google in this instance)
 * NetScaler Gateway configured as the SAML Service Provider (SP)
 * Active Directory Certificate Services
 * Access to edit Windows GPOS and OUs to assign the CFAS service its service location

Install The Citrix Federated Authentication Service (CFAS)

Step Description Screenshot
Mount the XA/XD ISO on your server and select the Federated Authentication Service
Read the license agreement and make your choice
Click Next
Click Next
Click Install
Click Finish
Create the GPO to point the FAS server to itself (see step 9)

When the GPO exists the ‘address’ field will be filled in for you automatically

Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication to Active Directory

c:\windows\policydefinitions Service\PolicyDefinitions


Edit group policy to have the server point to itself for FAS

open gpmc.msc

browse to Computer > Administrative Templates: Policy> Citrix Components > Authentication

Enter the DNS server address of the server hosting the FAS service (as per screenshot)

Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied

run gpupdate /force
Right click the CFAS Administration console and always Run As Administrator
You should now have the CFAS server listed

Click OK

Click on Step 1 – Start Button
Click OK
You can verify the creation of the templates in ADCS
Once this is completed without errors click Start on Step 2
Click OK
Finally click Start on Step 3
Click OK
The console is waiting for the request to be approved (issued) from the AD Certificate Services
Log into the ADCS and Approve the pending Certificate request

Right click the Pending request

Select All Tasks

Select Issue

Step 3 will go green
Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate
Click Edit and Add the StoreFront Server to be able to use the ‘rule’

Remove domain computers as they will be set to ‘deny’

Click Apply

Create NetScaler SAML Policy to 3rd Party iDP (Google)

In this section we will create a new SAML Policy for the NetScaler to use Google as the SAML iDP.

Note: this cannot currently be bound to a Gateway when using the NetScaler RFWebUI ‘theme’.

Step Description Screenshot
Connect to admin.google.com
Click Apps
Click SAML Apps
Click the + to add a new SAML Application
Select Setup my own custom app
Take note of the IDP data you are provided and copy and paste your URL

Be sure to DOWNLOAD the Certificate and save this for uploading to the NetScaler later.

Describe your new app
Note: the default ACS URL for the NetScalers must have a trailing /cgi/samlauth
Click Finish

Summary of the App SSO Setup in the Google admin panel
Be sure to enable the new Application

click the three dots


ON for everyone

Note: this new configuration will take up to 24 hours to be available. Prior to this being ready you may get a ‘user not found’ message.

Note: users will have access to a shortcut to this new app in their Google Console
Upload the Google IDP Certificate to the NetScaler
Install the CA Certificate
Here you can see the certificate installed as another CA Certificate
Expand NetScaler > Security>AAA – Application Traffic>Policies>Authentication>Basic Policies>SAML>Policies>Servers

Enter appropriate details for your new SAML profile

Note: the redirect URL and Single Logout URL will be unique to your Google account

Create a new SAML Authentication Policy

set the expression of this policy to ns_true

Link that to the newly created Google SAML Server

Bind this policy to your NetScaler Gateway

Click the + against Basic Authentication

Note: You may need to remove other Authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method.

Choose SAML

Choose Primary

Click Continue

Select the SAML binding
Edit the NetScaler Gateway Session Profile (Session Server) and blank the Single Sign On Domain field

NetScaler Gateway > Click Session Policies

Select the policy and edit the profile
Ensure Single Sign-on Domain is empty
Ensure your google email matches your AD User Logon Name
If not you can add a new UPN for the domain from Active Directory Domains and Trusts
Add any Additional UPN suffix you may require to match your google email sign-in

Configure StoreFront to Delegate Authentication to NetScaler

Step Description Screenshot
Open Citrix Studio or StoreFront management
Select your Store and left click Manage Authentication Methods
Click Passthrough from NetScaler Gateway > Configure Delegated Authentication
Click OK
Note: You will need to trust requests sent to the DDC XML Ports for all DDC Servers.


RDP to each Delivery Controller as a Citrix or local administrator

Open Powershell

type ‘asnp Citrix*’

type ‘Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Note: You can verify if this was successful by running get-brokersite

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.