Multi Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.
Citrix StoreFront™ is an enterprise application store that provides an interface for users to access Citrix Workspace™ desktops and applications remotely. Acceptto is a Citrix Ready Partner integrates with Citrix StoreFront via its SAML solution and provides single sign-on (SSO) MFA to ensure customers use the convenience of cloud SSO without its potential security risks.
- An Acceptto Appliance connected to your user directory (for example Microsoft™ ‘Active Directory™’).
- The user population that is going to be authenticated via SAML must be enrolled in the It’sMe™ mobile Application.
- A user with administrative privileges for the Citrix StoreFront.
- A user with administrative privileges for the Acceptto Appliance.
Getting your Citrix StoreFront information
On the StoreFront server, open an elevated PowerShell™ and run the command asnp citrix* to load the Citrix modules.
Once the modules are loaded, run the below command to fetch the Service Provider Information (Remember to change the value of “/Citrix/Store” with the virtual path of your Store).
$storeVirtualPath = "/Citrix/Store" $auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) $spId = $auth.AuthenticationSettings["samlForms"].SamlSettings.ServiceProvider.Uri.AbsoluteUri $acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/AssertionConsumerService") $md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/ServiceProvider/Metadata") $samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlTest") Write-Host "SAML Service Provider information: Service Provider ID: $spId Assertion Consumer Service: $acs Metadata: $md Test Page: $samlTest"
The sample output of the above command looks like this:
SAML Service Provider information: Service Provider ID: https://StoreFront™.example.com/Citrix/StoreAuth Assertion Consumer Service: https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService Metadata: https://StoreFront™.example.com/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata Test Page: https://StoreFront™.example.com/Citrix/StoreAuth/SamlTest
Acceptto SAML Configuration as an Identity Provider (IdP)
Login to the Acceptto Appliance admin panel with an administrative account and go to Applications.
Create a new application by selecting the Create New Application.
In the Add Application dialog, enter the following values ( Advanced Options button allows additional optional configuration):
App Name - the application name to be displayed in the admin panel and application portal. For example, Citrix
Issuer or Entity ID - The Issuer/EntityID of your StoreFront instance you got from the previous section. For example,https://StoreFront.example.com/Citrix/StoreAuth
Sign in URL - The link used by your users to access the StoreFront. Like, https://StoreFront.example.com/
Metadata URL - The URL containing metadata about your StoreFront instance you got from the previous section. For example, https://StoreFront.example.com/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata
ACS URL - The StoreFront post-back URL you got from the previous section. For example, https://StoreFront.example.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService
Click Save to create the Application.
Select the Show ID Provider Data and copy the information shown on this page.
Configure Citrix StoreFront as Service Provider (SP)
On the StoreFront console, enable the SAML Authentication under the Manage Authentication Methods.
Open an elevated PowerShell on StoreFront™ server and run the below commands (Remember to change the value of “/Citrix/Store” with the virtual path of your Store).
Get-Module "Citrix.StoreFront*" -ListAvailable | Import-Module $StoreVirtualPath = "/Citrix/Store" $store = Get-STFStoreService -VirtualPath $StoreVirtualPath $auth = Get-STFAuthenticationService -StoreService $store Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath "File path of the metadata file you downloaded from Acceptto”
Test your setup
Go to your Citrix StoreFront URL. You will be redirected to the Acceptto SAML page.
After successful authentication, you’ll see the Acceptto MFA options and need to select your desired method and pass the verification stage on your It’sMe mobile app.
Finally, you will be redirected to your Citrix StoreFront landing page.
If you require assistance, please email us at email@example.com
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.
Citrix, NetScaler, and ‘Netscaler Gateway’ are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.
Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.