Using the Edge browser on a corporate device (Azure AD joined), it is possible to work with Azure AD both locally and over the internet. (For Google Chrome the Windows 10 Accounts plug-in is needed.)
With Azure AD it is also possible to publish your own apps.
After the SSO to Azure AD, NetScaler performs SSO based on the SAML 2.0 claims, and the traffic continues to flow as described in the internal use case.
This use case is an example with literally no concept of an "employee in the company". The laptops are registered and authenticate entirely over the internet using Azure AD functions. Such an infrastructure, as shown in this example, works anywhere an IP address is available: locally, at a hosting provider, in Azure or at another cloud provider. The user never comes into contact with his smart card, which works securely for him in the background.
Use Case #4: Azure AD joined devices
Traffic Flow:
- The user calls the NetScaler Gateway portal, which redirects him to Microsoft Azure AD.
- With domain-joined devices and supporting browsers the SSO happens automatically. Otherwise the regular company authentication takes place.
- The user receives a signed SAML token from the Identity Provider (IdP).
- The NetScaler lets the user with the SAML token pass.
- The NetScaler then uses this SAML token to assert the identity of the user (Name ID attribute) towards StoreFront. StoreFront asks the Federated Authentication Service (FAS) for a certificate for the authenticated user.
- FAS talks to Active Directory Certificate Services (AD CS), which issues the user certificate. At this moment FAS holds both the client certificate and the private key.
- From now on, when the authenticated user contacts the VDA, the VDA authenticates the user with FAS and redeems the certificate.
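The step where the NetScaler consumes the SAML token and reads the Name ID is where the trust decision is made, so the issuer, the audience and the validity window have to be checked before the Name ID is passed on to StoreFront. The following is an added example (not code from the article, from Citrix or from NetScaler) that performs those checks on a constructed Azure AD style assertion; the issuer URL, audience URL and user are placeholders, and XML signature verification is assumed to have been done beforehand with the IdP certificate and is not shown here.

```python
# Added example: checks a service provider must make on a SAML 2.0 assertion
# before trusting its NameID. Signature verification (xmlsec + IdP certificate)
# is assumed to have happened already and is out of scope for this snippet.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; tenant id, audience and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" IssueInstant="2023-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-01-01T09:55:00Z" NotOnOrAfter="2023-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_name_id(assertion_xml, expected_issuer, expected_audience, now):
    """Return the NameID only if issuer, audience and validity window all pass.

    Raises ValueError otherwise, so the caller never receives a NameID from a
    rejected token (a rejected token must not reach StoreFront at all).
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id
```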
If you are new to our series of articles on Citrix FAS, here are the links to our previously published articles:
#1: Internal use case
#2: External use case with an AD FS as IdP
#3: Federated Use Case (some external system as IdP)