For a recent project, we needed users to log on with their accounts from a new domain and then be able to launch a CVAD desktop using SSO within an old legacy domain. In this blog, I’ll describe the steps I took to get this up and running.

First, let us briefly describe the components that were going to be used. Although it’s listed below, I won’t be covering the Citrix FAS configuration in this post. The main focus will be on configuring Authentik SAML in combination with a Citrix NetScaler.

  • Authentik as the SAML IdP
  • Citrix NetScaler as the SAML SP
  • Citrix Federated Authentication Service (FAS) to enable single sign-on (SSO) for CVAD
  • The sAMAccountName in the legacy domain was different from the sAMAccountName in the new domain
Read More →

For my home lab environment, I use Authentik as my Identity Provider. Authentik is an open-source authentication and authorization platform that enables Single Sign-On (SSO), identity management, and multi-factor authentication (MFA) via protocols like OAuth, SAML, and LDAP. For various applications, such as the Citrix NetScaler, I use RADIUS for secondary authentication. All my Authentik users have a TOTP token in their authenticator app, which I want to use for RADIUS authentication. While configuring RADIUS in Authentik, I found the available documentation somewhat limited, and it took considerable effort to achieve a working RADIUS setup. This blog describes all the steps I followed to get RADIUS successfully running within Authentik.

For this guide, I used Authentik version 2024.10.1. I assume you already have a working Authentik setup where users already have a TOTP authenticator code available.

Read More →