Citrix Single Sign-On Overview - GoToAssist Service Desk


Citrix supports authentication into Citrix products through trusted external SAML identity providers using SAML 2.0 Single Sign-On (SSO). Both Service Provider (SP)-initiated and Identity Provider (IdP)-initiated SSO flows are supported. To implement SAML 2.0 SSO, the Citrix SAML SP service and the external SAML IdP must be configured to trust each other.

You can use Active Directory Federation Services (v2.0 or v3.0), a trusted third-party provider, or configure your own SAML trust relationship for Citrix products.

This document covers:

1. Citrix SAML SSO Dependencies
2. SAML SSO Service Provider-Initiated Flow
3. SAML SSO Identity Provider-Initiated Flow

Citrix SAML SSO Dependencies

The Citrix SAML Service depends on four systems to carry out SAML 2.0 Single Sign-On. The dependencies are numbered below; the flow descriptions refer to them by number.

1. Central Authentication Service (CAS)

SAML service depends on CAS to generate an auto-login ticket during assertion processing at the end of step 10 of the Service Provider-initiated SAML 2.0 SSO flow. It calls the CAS API at http://<CASHost>/rest/autoLoginTicket?authenticationToken=<authToken>.

2. Account Service

SAML service depends on Account Service at step 6 and step 10 of the SAML 2.0 SSO flow to resolve the SAML configuration from an Account Service Organization or Account. SAML Service first tries to resolve the SAML configuration by querying for a SAML-configured Organization at https://<AccountServiceHost>/account/v2/organizations?domains=<domainFromEmailAddress>.

If no SAML configuration is found, SAML service then searches for a SAML-configured Account: it first queries https://<AccountServiceHost>/account/v2/users?email=<emailAddress> to obtain the User and its accountKey attribute, then uses that accountKey to obtain the Account at https://<AccountServiceHost>/account/v2/accounts/<accountKey>?attributeNames=<accountAttributes>.

In addition, at the end of step 10 the User key is obtained from the call to https://<AccountServiceHost>/account/v2/users?email=<emailAddress> and passed in the call described in dependency 3.

3. Authentication Service

SAML service depends on Authentication Service at the end of step 10 to generate an authentication token: it queries http://<authenticationServiceHost>/authentication-service/tokens, passing in the User.key, and gets back an authentication token to pass in the call described in dependency 1.

4. SAML IdP

Not a true dependency, but SAML Service needs an IdP to execute SSO. SAML Service uses a SAML IdP to carry out the redirects in step 7 and step 10. Examples of SAML IdPs are ADFS (v2.0 or v3.0) and third-party IdPs such as SecureAuth, Azure, OneLogin, and Okta.

SAML SSO Service Provider-Initiated Flow

Service Provider Initiated Steps

1. Browser requests to sign into a Central Authentication Service (CAS) client like https://gotomeeting.com, or into OAuth at the authorization endpoint (https://authentication.citrixonline.com/oauth/authorize) using the implicit flow or the authorization code flow.

2. Browser is redirected to CAS, passing along the client's service URL (e.g. https://login.citrixonline.com/login?service=https://global.gotomeeting.com).

3. CAS displays login page.

4. User decides to authenticate through a trusted external identity provider and clicks the Use my Company ID link on the CAS login page which directs the browser to the Citrix SAML service, and sends the CAS client service URL (e.g. https://login.citrixonline.com/saml/sp/client?service=https://global.gotomeeting.com).

5. SAML service displays the IdP discovery page, prompting the user to submit an email address that will be used to resolve the target identity provider.

6. User submits an email address. SAML service uses the email address to search for a SAML-configured Organization or Account. The resolved SAML configuration contains the target identity provider's single-sign-on URL, to which the SAML Service will send a SAML authentication request.

7. SAML service redirects the browser to the target IdP's single-sign-on URL, sending a signed SAML authentication request along for the ride. SAML service also sends the RelayState parameter defined by the SAML bindings, set to the CAS client service URL.

8. IdP validates the authentication request, ensuring that it is coming from a trusted service provider, before requesting user credentials.

9. User submits credentials which are validated by the IdP.

10. Browser is redirected to the SAML service assertion consumer service URL (e.g. https://login.citrixonline.com/acs), sending a SAML authentication response with an assertion along for the ride (also sends the RelayState). SAML Service parses the assertion for the subject's email address and uses it to resolve the SAML configuration (as in step 6). The assertion is validated using the resolved SAML configuration, including the assertion's signature, which is checked against the certificate stored in the SAML configuration. SAML service sets the SAMLC cookie for use in SAML 2.0 Single Logout. Using the CAS API, SAML Service generates an auto-login ticket for the subject of the assertion.

11. SAML service redirects browser to CAS, passing the auto-login ticket and service URL (picked up from RelayState). Example URL: https://login.citrixonline.com/login?service=https://global.gotomeeting.com&ticket=AL-22470-dGKbM1vLxdXNWWzwOzJr-cas1ed1svc1.cs.qai.expertcity.com-CAS1.

12. CAS verifies the auto-login ticket and creates a Ticket-Granting Ticket (TGT) and a Service Ticket (ST). CAS sets the CASTGC cookie and redirects browser back to the CAS client service URL, passing the ST. Example URL: https://global.gotomeeting.com/?ticket=ST-22600-FVqt0tZGfcgfWHnDfcYm-cas1ed1svc2.cs.qai.expertcity.com-CAS1.

SAML SSO Identity Provider-Initiated Flow

Identity Provider Initiated Steps

1. Browser requests to sign into an IdP.

2. IdP offers browser option to sign into a Citrix product using IdP-initiated SAML 2.0 SSO.

3. User initiates the IdP-initiated SSO.

4. Browser is redirected to the SAML service assertion consumer service URL (e.g. https://login.citrixonline.com/acs), sending a SAML authentication response with an assertion along for the ride (also sends the RelayState configured at the IdP). SAML Service parses the assertion for the subject's email address and uses it to resolve the SAML configuration. The assertion is validated using the resolved SAML configuration, including the assertion's signature, which is checked against the certificate stored in the SAML configuration. SAML service sets the SAMLC cookie for use in SAML 2.0 Single Logout. Using the CAS API, SAML Service generates an auto-login ticket for the subject of the assertion.

Note: If no RelayState is passed from the IdP to the SAML Service in this step, the SAML Service sets the MyAccount page URL as the service parameter in step 5.

5. SAML service redirects browser to CAS, passing the auto-login ticket and service URL (picked up from RelayState). Example URL: https://login.citrixonline.com/login?service=https://global.gotomeeting.com&ticket=AL-22470-dGKbM1vLxdXNWWzwOzJr-cas1ed1svc1.cs.qai.expertcity.com-CAS1.

6. CAS verifies the auto-login ticket and creates a TGT and ST. CAS sets the CASTGC cookie and redirects browser back to the CAS client's service URL, passing the ST. Example URL: https://global.gotomeeting.com/?ticket=ST-22600-FVqt0tZGfcgfWHnDfcYm-cas1ed1svc2.cs.qai.expertcity.com-CAS1.
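As an added worked example (not Citrix code), the following Python models what the assertion consumer service does in step 10 of the SP-initiated flow and step 4 of the IdP-initiated flow, together with the Organization-then-Account configuration lookup from dependency 2 and the MyAccount fallback for a missing RelayState. The Account Service records, the SP entity ID used as the audience and the MyAccount URL are constructed stand-ins, and verification of the assertion's XML signature against the stored certificate is assumed to be delegated to an XML-DSig library and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://login.citrixonline.com/acs"            # ACS URL from the article
SP_ENTITY_ID = "https://login.citrixonline.com/saml/sp"   # assumed SP entity ID (audience)
MYACCOUNT_URL = "https://myaccount.example.test"          # assumed MyAccount page URL
# Constructed stand-ins for the Account Service lookups (organizations?domains=, users?email=, accounts/<key>).
ORGS_BY_DOMAIN = {"example.com": {"idp_sso_url": "https://idp.example.com/sso", "cert": "ORG-CERT"}}
USERS_BY_EMAIL = {"bob@contoso.test": {"key": "u-42", "accountKey": "acct-7"}}
ACCOUNTS_BY_KEY = {"acct-7": {"idp_sso_url": "https://sso.contoso.test/saml", "cert": "ACCT-CERT"}}

def resolve_saml_config(email):
    """Organization by e-mail domain first; if none, the Account reached via the user's accountKey."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in ORGS_BY_DOMAIN:
        return ORGS_BY_DOMAIN[domain]
    user = USERS_BY_EMAIL.get(email.lower())
    return ACCOUNTS_BY_KEY.get(user["accountKey"]) if user else None

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML timestamps are UTC with a trailing Z

def validate_assertion(xml_text, now):
    """ACS checks before an auto-login ticket is minted: returns (email, config) or (None, reason)."""
    a = ET.fromstring(xml_text)
    email = a.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    cfg = resolve_saml_config(email)
    if cfg is None:
        return None, "no SAML configuration for subject"
    # cfg["cert"] is the certificate the XML-DSig signature check would use; that check is assumed done here.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", namespaces=NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        return None, "assertion not addressed to this ACS"
    cond = a.find("saml:Conditions", namespaces=NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return None, "audience mismatch"
    return email, cfg

def cas_redirect(auto_login_ticket, relay_state):
    """Step 11 (SP flow) / step 5 (IdP flow): service URL from RelayState, MyAccount when none was sent."""
    return "https://login.citrixonline.com/login?" + urlencode(
        {"service": relay_state or MYACCOUNT_URL, "ticket": auto_login_ticket})

# Constructed, unsigned sample assertion used only to exercise the structural checks above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0">
<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"><saml:AudienceRestriction>
<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
```

The Recipient, validity-window and audience checks are what stop an assertion issued for another service provider, or replayed after expiry, from being turned into a CAS auto-login ticket.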