In the first part of our series, we presented an internal FAS Use Case about how to implement a simple two-factor authentication with vSmartCard generated in the background without users requiring a real SmartCard or multiple authentication.
In comparison with the internal use case we use this time the STS (Microsoft Active Directory Service) and a NetScaler Gateway for the connection from the internet to our internal system. External, the authentication goes through the Identity Provider via SAML. The internal SSO works like in the internal use case.
Use case #2: External (AD FS as IdP):
- The user calls the NetScaler Gateway Portal and, if not yet authenticated, is redirected to the SAML Identity Provider.
- The user authenticates at the identity provider via Active Directory integration and MFA (multi-factor authentication), whereupon a SAML Token is signed and passed to the user.
- This authenticates the user against the NetScaler Gateway Portal, which validates the SAML Token.
- The NetScaler then uses this SAML Token to verify the identity of the user (Name ID Attribute).
- StoreFront contacts the Federated Authentication Service (FAS) to generate a Certificate for the authenticated user.
- The Federated Authentication Service (FAS) talks with the Active Directory Certificate Service (AD CS) to generate a Client-Certificate (vSmartCard) for the authenticated user. At this moment the FAS holds both, the Client-Certificate and the private key.
- From now on, if the authenticated user contacts the VDA, the VDA authenticates the user to the FAS and redeems the certificate.
In the third part of this series we look at a use case with an external system as IdP and show how B2B Account Mapping can be realized.
Until then, we look forward to your suggestions, comments, experience and criticism.
If you are new to our series of articles on Citrix FAS here are the links to our previously published articles:
#1: Internal use case