For a recent project, we needed users to log on with their accounts from a new domain and then launch a Citrix Virtual Apps and Desktops (CVAD) desktop, using SSO, in an old legacy domain. In this post, I’ll describe the steps I took to get this up and running.
First, let us briefly describe the components that were going to be used. Although it’s listed below, I won’t be covering the Citrix FAS configuration in this post. The main focus will be on configuring Authentik SAML in combination with a Citrix NetScaler.
- Authentik as the SAML IdP
- Citrix NetScaler as the SAML SP
- Citrix Federated Authentication Service (FAS) to enable single sign-on (SSO) for CVAD
- The sAMAccountName in the legacy domain was different from the sAMAccountName in the new domain
First, make sure your directory is up and running in Authentik. I’ll be configuring the new domain as an “LDAP Source” for this. In Authentik, go to the menu and select Directory, then choose Federation and Social Login. Next, click Create and add an LDAP Source. For now, just go with all the default settings — we’ll adjust the necessary options later. If you need additional information on how to configure this, take a look at: https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/active-directory/. Verify that your domain users are synced with Authentik and are visible under Directory → Users.
With the LDAP source set up, let’s start with the modification we need to make: handling the different sAMAccountName. In the new domain, every user has the (otherwise unused) employeeNumber attribute populated with their sAMAccountName from the old domain. This extra attribute needs to be added to the LDAP source we just created. From the menu, select Customization, then Property Mappings. Next, click Create, and choose LDAP Source Property Mapping as the type. Give the property mapping a meaningful name and enter the expression that best fits your use case. In my case, I want to retrieve the attribute called employeeNumber, and if it doesn’t exist, fall back to sAMAccountName, so the resulting attribute is never empty. Keep in mind that this attribute later decides which legacy account the user is logged on as, so make sure ordinary users cannot write their own employeeNumber in AD.

Go back to the LDAP source you created earlier and edit it. Within the LDAP source, scroll down to the User Property Mappings section and make sure the newly created property mapping is selected.

Force an LDAP sync and check one of the synchronized users in Authentik to verify that the newly added employeeNumber attribute is indeed available. As shown in the screenshot, next to my user account [email protected], my old sAMAccountName “rink123”, which was stored in the employeeNumber attribute, is also visible.

Next, we need to create another property mapping, this time a SAML Provider Property Mapping. The expression will use the previously retrieved employeeNumber attribute, and, just to be safe, fall back to the username if employeeNumber is not available.
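As an added illustration (not code from the original post or from Authentik), here are the two property mapping expressions described above, written as ordinary Python functions so the fallback logic can be exercised offline. It assumes the current Authentik source property mapping contract (the expression gets the raw LDAP attributes as the dict `ldap` and returns a dict of user fields, custom attributes nested under `attributes`) and that SAML provider mappings get the `user` object; verify both against the docs for your version. The `User` class, account names and legacy account list are constructed sample data.

```python
"""Added example, not from the original post: the two Authentik property
mapping expressions as plain functions, exercised against constructed data.

Assumptions to verify against the Authentik docs for your version:
  * an LDAP Source Property Mapping expression receives the entry's raw LDAP
    attributes as the dict `ldap` and returns a dict of user fields, with
    custom attributes nested under the key "attributes";
  * a SAML Provider Property Mapping expression receives the Authentik `user`
    object and returns the attribute (here: NameID) value as a string.
Only the function bodies are what you paste into Authentik.
"""
from dataclasses import dataclass, field


def _single(value):
    """LDAP may hand back multi-valued attributes as lists; take the first one."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


# --- expression 1: LDAP Source Property Mapping (paste the body) -------------
def ldap_employee_number_mapping(ldap: dict) -> dict:
    # Prefer the legacy account name stored in employeeNumber; fall back to
    # the new-domain sAMAccountName so the attribute is never empty.
    legacy = _single(ldap.get("employeeNumber")) or _single(ldap.get("sAMAccountName"))
    return {"attributes": {"employeeNumber": legacy}}


@dataclass
class User:
    """Minimal stand-in for the Authentik user object (constructed)."""
    username: str
    attributes: dict = field(default_factory=dict)


# --- expression 2: SAML Provider Property Mapping, also used as NameID -------
def saml_nameid_mapping(user: User) -> str:
    # Use the synced legacy name; fall back to the Authentik username rather
    # than sending an empty NameID.
    return user.attributes.get("employeeNumber") or user.username


def resolve_nameid(ldap_entry: dict, authentik_username: str) -> str:
    """Emulate sync + SAML login: what NameID would NetScaler receive?"""
    mapped = ldap_employee_number_mapping(ldap_entry)
    user = User(username=authentik_username, attributes=mapped["attributes"])
    return saml_nameid_mapping(user)


def nameid_matches_legacy(nameid: str, legacy_accounts: set) -> bool:
    """The fallback keeps the attribute non-empty, but a new-domain name sent as
    NameID will not resolve to a legacy account, so FAS SSO fails for that user.
    Check the synced values against the legacy sAMAccountNames before go-live."""
    return nameid in legacy_accounts


if __name__ == "__main__":
    # Constructed sample data: two synced users and the legacy domain's names.
    LEGACY = {"rink123", "jdoe77"}
    ok_entry = {"sAMAccountName": "rink.new", "employeeNumber": "rink123"}
    bad_entry = {"sAMAccountName": "jane.new"}  # employeeNumber never filled in
    for entry in (ok_entry, bad_entry):
        nid = resolve_nameid(entry, entry["sAMAccountName"] + "@new.domain")
        print(entry["sAMAccountName"], "->", nid,
              "OK" if nameid_matches_legacy(nid, LEGACY) else "NOT a legacy account")
```

The second user shows why the fallback is only a safety net: the login still works at the NetScaler, but the NameID that reaches StoreFront and FAS is a new-domain name, so the desktop launch will not get SSO. Running a check like `nameid_matches_legacy` over the synced users before cutover catches these cases.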

With LDAP and all the property mappings set up, we can now proceed to create the actual Authentik SAML provider. From the menu, select Applications → Providers, then click Create and choose SAML Provider as the type. The most important values to configure are:
- Authorization Flow: default-provider-authorization-explicit-consent
- ACS URL: https://mynsgw.new.domain/cgi/samlauth
- Issuer: netscaler-authentik
- Service Provider Binding: POST
- Invalidation Flow: default-provider-invalidation-flow
- Signing Certificate: a valid certificate from a (internal) trusted CA. NetScaler will trust exactly the certificate you import as the IdP certificate, so the chain matters less than keeping this pair in sync when the certificate is renewed.
- Property Mapping: select the SAML property mapping you created earlier
- NameID Property Mapping: also select the SAML property mapping you created earlier


Next, we create the SAML Provider application. From the menu, go to Applications → Applications and click Create. Give the application a meaningful name and select the SAML provider we created earlier.

Now that everything is set up within Authentik, we need to grab some information required for the Citrix NetScaler. Go back to the created provider and select it to view its configuration. Then, scroll down to the section called Related Object. Click Download Signing Certificate. For now, we’ll configure it manually, but there is also the option to download the metadata or copy the download URL. This can be imported into the NetScaler without the need to fill in all the required values manually.

From the SAML Configuration section, grab the following values:
- EntityID / Issuer
- SSO URL (POST)
- SLO URL (POST)
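Rather than copying these values out of the UI, the same information can be pulled from the provider metadata Authentik offers for download. The script below is an added example (not part of the original post, and not Authentik or NetScaler code): it parses SAML 2.0 IdP metadata, extracts the EntityID/Issuer, the POST-binding SSO and SLO URLs and the signing certificate, prints the certificate's SHA-256 fingerprint for comparison with what NetScaler shows after import, and renders the equivalent NetScaler CLI command for the SAML action configured in the next section. The metadata document is a constructed, shortened sample; the host name and the certificate body (a base64 placeholder, not a real certificate) are assumptions, and the NetScaler flag names should be checked against the CLI reference for your build before pasting.

```python
"""Added example, not part of the original post: extract the NetScaler SAML
action values from Authentik IdP metadata and render the CLI equivalent.
SAMPLE_METADATA is constructed; host name and certificate are placeholders."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="netscaler-authentik">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>TUlJQkVYQU1QTEU=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://authentik.new.domain/application/saml/netscaler/slo/binding/redirect/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://authentik.new.domain/application/saml/netscaler/slo/binding/post/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://authentik.new.domain/application/saml/netscaler/sso/binding/redirect/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://authentik.new.domain/application/saml/netscaler/sso/binding/post/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag, binding):
    """Location of the first <tag> element that advertises the given binding."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    raise ValueError(f"metadata has no {tag} with binding {binding}")


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP, not IdP, metadata")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c is not None and c.text:
                cert_b64 = "".join(c.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    return {"issuer": root.get("entityID"),
            "sso_post": _endpoint(idp, "SingleSignOnService", POST_BINDING),
            "slo_post": _endpoint(idp, "SingleLogoutService", POST_BINDING),
            "signing_cert_der": base64.b64decode(cert_b64)}


def cert_pem(der: bytes) -> str:
    """PEM form of the IdP certificate, ready for import into NetScaler."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def cert_fingerprint_sha256(der: bytes) -> str:
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def render_netscaler_action(values, action_name, idp_cert_name, sp_cert_name) -> str:
    """CLI equivalent of the GUI fields in the post (flag names are assumed;
    -samlRejectUnsignedAssertion ON requires the IdP to sign assertions)."""
    return (f"add authentication samlAction {action_name}"
            f" -samlIdPCertName {idp_cert_name} -samlSigningCertName {sp_cert_name}"
            f" -samlRedirectUrl \"{values['sso_post']}\""
            f" -logoutURL \"{values['slo_post']}\""
            f" -samlIssuerName \"{values['issuer']}\""
            " -samlBinding POST -logoutBinding POST -samlRejectUnsignedAssertion ON"
            " -signatureAlg RSA-SHA256 -digestMethod SHA256")


if __name__ == "__main__":
    v = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer  :", v["issuer"])
    print("SSO POST:", v["sso_post"])
    print("SLO POST:", v["slo_post"])
    print("IdP cert SHA-256:", cert_fingerprint_sha256(v["signing_cert_der"]))
    print(cert_pem(v["signing_cert_der"]), end="")
    print(render_netscaler_action(v, "saml_authentik_act", "authentik_idp_cert", "nsgw_cert"))
```

Feed it the real metadata downloaded from the provider page and compare the printed fingerprint with the certificate NetScaler lists after import; a mismatch (for example after Authentik's certificate was rotated) is the usual reason for a "signature verification failed" loop at login.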
We can now switch over to the Citrix NetScaler and configure it as a SAML Service Provider (SP). On the NetScaler side, there are multiple ways to set this up. For simplicity, I will use basic policies, but this can also be done using advanced policies or by configuring an AAA server.
Let’s browse to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > Servers, and add a new SAML server. The following values, grabbed from the Authentik server, should be provided here:
- Redirect URL = SSO URL (POST)
- Single Logout URL = SLO URL (POST)
- SAML Binding = POST
- Logout Binding = POST
- IdP Certificate = import the signing certificate exported from Authentik
- Signing Certificate Name = select a NetScaler certificate with private key
- Issuer Name = EntityID / Issuer

After the SAML server has been created, switch to SAML Policies and create a simple policy with the expression ns_true.

With the SAML policy in place, the last thing we need to configure is the actual NetScaler Gateway (or AAA server), which should use Authentik as the IdP. In this example, I’ll open my NetScaler Gateway and bind the previously created SAML policy. Make sure no other authentication policies are active.

The last thing we need to do is test the complete configuration. To do this, browse to the NetScaler Gateway URL. The NetScaler will forward you to the Authentik login screen, and after you successfully authenticate, it will redirect you back to the NetScaler Gateway. The NetScaler will then automatically log you on, using the legacy sAMAccountName received as the SAML NameID, and forward your request to Citrix StoreFront, which will present all your available resources. When you, for example, launch an application or desktop, StoreFront uses the certificate that FAS issued for that legacy-domain account to authenticate and launch the CVAD resource, so no password for the legacy domain is needed.
Well, that’s it! Hopefully, this will be useful for configuring your own setup. The screenshots and configurations were created and tested using Authentik 2025.6.0 and NetScaler build 14.1.43.50.