Practical example (B2B Account Mapping):
One company buys another, and the employees should be able to authenticate at the other company with the account data from their own company, without spending much effort on account management.
If two companies are to use each other's computer systems, it is recommended to establish a federated connection between the two SAML Identity Providers (Active Directory Federation Services, for example). This allows the users a seamless login to the AD environment of the other company.
In both companies the users can use their own credentials, whereupon AD FS automatically maps them to a shadow account at the other company.
Traffic flow:
- The user calls the NetScaler Gateway portal, which redirects him to the SAML Identity Provider. In this case this is an externally hosted system in the AWS cloud.
- The user authenticates at the Identity Provider. A SAML token is generated and passed to the user.
- The NetScaler lets the user with the SAML token pass.
- The NetScaler then uses this SAML token to verify the identity of the user (Name ID attribute) against StoreFront.
Hint: External users need AD accounts! We must add alternative UPNs in our domain using the domain of the other AD environment (see screenshot).
- The NetScaler asks the Federated Authentication Service (FAS) for the certificate of the authenticated user.
- FAS talks to the Active Directory service to generate the certificate. At this moment FAS holds both the client certificate and the private key.
- From now on, whenever the authenticated user contacts the VDA, the VDA authenticates the user against FAS and redeems the certificate.
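The hint above, that external users need AD shadow accounts whose UPN carries the partner domain, is the step most likely to break the Name ID lookup. The following PowerShell is an added example and not code from the original article; it assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and placeholder names for the partner domain, the shadow-account OU, and the convention that the SAML Name ID equals sAMAccountName@partner-domain.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and Enterprise Admin rights. All names below are placeholders.
Import-Module ActiveDirectory

$PartnerSuffix = 'partner.example'                       # placeholder: DNS domain of the other company
$ShadowOU      = 'OU=PartnerUsers,DC=corp,DC=example'    # placeholder: OU holding the shadow accounts

# 1. Register the partner domain as an alternative UPN suffix in our forest,
#    so that a UPN such as jane.doe@partner.example is valid in our AD.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PartnerSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PartnerSuffix }
    Write-Output "Added alternative UPN suffix $PartnerSuffix to forest $($forest.Name)"
}

# 2. Align each shadow account's UPN with the Name ID the partner IdP sends.
#    Assumption (placeholder convention): Name ID = sAMAccountName@partner domain.
#    The value must match exactly, because the Name ID is what StoreFront and FAS
#    use to identify the user before a certificate is issued.
$shadowUsers = Get-ADUser -SearchBase $ShadowOU -Filter * -Properties UserPrincipalName
foreach ($u in $shadowUsers) {
    $expectedUpn = "$($u.SamAccountName)@$PartnerSuffix"
    if ($u.UserPrincipalName -ne $expectedUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $expectedUpn
        Write-Output "Updated UPN for $($u.SamAccountName) -> $expectedUpn"
    }
}

# 3. Check: every shadow account must now resolve by the UPN the IdP will send.
$unresolved = foreach ($u in $shadowUsers) {
    $upn = "$($u.SamAccountName)@$PartnerSuffix"
    if (-not (Get-ADUser -Filter "UserPrincipalName -eq '$upn'")) { $u.SamAccountName }
}
if ($unresolved) {
    Write-Warning "Shadow accounts not resolvable by UPN: $($unresolved -join ', ')"
} else {
    Write-Output "All $($shadowUsers.Count) shadow accounts resolve by their partner UPN"
}
```

Run it once per partner domain; a shadow account that the last step reports as unresolved will fail the Name ID lookup at StoreFront and never receive a FAS certificate.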
In the fourth and last part of the series we look at an Azure AD joined devices use case.
Until then, we look forward to your suggestions, comments, experiences and criticism.
If you are new to our series of articles on Citrix FAS here are the links to our previously published articles:
#1: Internal use case
#2: External Use Case with AD FS as IdP