
Tag: saml

AppStream Domain Joined SAML Fleet not authenticating after AD domain prompt


A customer had an AD domain-joined fleet configured through SAML (the only way you CAN log into an AD-joined fleet). After the domain password prompt the session looped, asking for their domain credentials over and over again.


After working through the provided troubleshooting steps, something was still blocking the AD-joined fleet from logging in at the domain password prompt, even though authentication worked fine on the Image builders.





As a prerequisite for AD Domain joined fleets you cannot have an AD Logon banner displayed as it prevents the AppStream service from connecting into / accessing the streamed desktop.

In some scenarios customers will have the logon banner display only for Users and not Administrators, so you never see the prompt on an Image builder, for example, even if it is in the same OU; and of course the GPOs do not apply when accessing the Image builder with the built-in AppStream administrator, template user or test users.

Snippet from the Prerequisites page specific to this scenario (please use the above URL for the most up-to-date information):

Group Policy Settings

  • Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Disable or Enable software Secure Attention Sequence — Set this to Enabled for Services.
  • Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers — Ensure that the following CLSID is not listed: e7c1bab5-4b49-4e64-a966-8d99686f8c7c
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message text for users attempting to log on — Set this to Not defined.
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message title for users attempting to log on — Set this to Not defined.

For a simple deployment or proof of concept we recommend you ensure the OU your AppStream computer objects are created under has GPO inheritance blocked and that no higher-level GPOs are enforced. Get the service running and confirmed as accessible, then gradually apply the company-required GPOs for look, feel and security.
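An added check for the four prerequisites above (example code written for this page, not from the original post or from AWS): it reads the policy-backed registry values that the GPO settings write on the instance, so you can run it in an elevated PowerShell on an Image builder or a fleet instance before chasing the logon loop further. Assumption: the value names under the Policies\System key are the standard Windows ones for those settings.

```powershell
# Added example: checks the AppStream domain-joined fleet GPO prerequisites on this machine.
# Assumed value names (standard Windows policy storage, not AppStream-specific):
#   SoftwareSASGeneration        -> "Disable or enable software Secure Attention Sequence"
#   ExcludedCredentialProviders  -> "Exclude credential providers"
#   LegalNoticeCaption/Text      -> Interactive Logon message title / text
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AppStreamCredProvider = 'e7c1bab5-4b49-4e64-a966-8d99686f8c7c'

function Get-PolicyValue([string]$Name) {
    # $null means the policy is "Not defined", which is the wanted state for the banner
    (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-AppStreamLogonPrereqs {
    $findings = @()

    # 1. Software SAS must be allowed for Services (1 = Services, 3 = Services and Ease of Access)
    $sas = Get-PolicyValue 'SoftwareSASGeneration'
    if ($sas -notin 1, 3) {
        $findings += "SoftwareSASGeneration is '$sas'; set the software SAS policy to Enabled for Services."
    }

    # 2. The AppStream credential provider CLSID must not be excluded (braces or not, any case)
    $excluded = Get-PolicyValue 'ExcludedCredentialProviders'
    if ($excluded -and ($excluded -match [regex]::Escape($AppStreamCredProvider))) {
        $findings += "Credential provider $AppStreamCredProvider is excluded; remove it from the policy."
    }

    # 3/4. Any computer-level logon banner stops the service reaching the streamed desktop,
    #      regardless of which users the banner GPO is filtered to.
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        $banner = Get-PolicyValue $name
        if (-not [string]::IsNullOrEmpty($banner)) {
            $findings += "$name is set ('$banner'); set the Interactive Logon message title/text to Not defined."
        }
    }

    if ($findings.Count -eq 0) { 'All four AppStream logon prerequisites are satisfied.' } else { $findings }
}

Test-AppStreamLogonPrereqs
```

If a finding shows up, gpresult /r /scope:computer tells you which GPO delivered the value, which is usually the one that is enforced above the blocked OU.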

Enabling SAML Authentication for AWS AppStream 2.0 with OKTA

OKTA – Create Application

PRQ: Generate metadata from Okta
1. Be sure to be accessing the ‘Classic UI’ and not the developer console
2. Click Add Applications
3. Search for ‘appstream’, then click Add
4. Provide an Application label, then click Done
5. Click the Sign On tab
6. Click Identity Provider metadata and save the metadata file locally (you will upload this to the AWS configuration)

AWS – Create SAML Provider

PRQ: Generate metadata from Okta (above steps)
1. Open the AWS Console and click IAM
2. Click Identity Providers, then click Create Provider
3. Choose Provider Type: SAML, give the provider a name (<Name>) and upload your okta_metadata.xml file
4. Click Create and note your Provider ARN
5. You will be taken back to the Identity Providers screen
6. Click on the provider name ‘Okta’ and take note of your Provider ARN

AWS – Create Policy and Role

7. In IAM click Policies, then click Create Policy
8. Click Create Your Own Policy
9. Give your policy a recognisable Name and Description and paste the policy details as provided. This will give users access to all published stacks. You can change the resource from "*" to your specific stacks like this:

    "Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME",

10. Policy details (this gives users access to stream AppStream apps and to access all Stacks and resources within):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "appstream:Stream",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "appstream:userId": "${saml:sub}",
              "saml:sub_type": "persistent"
            }
          }
        }
      ]
    }
11. Click Roles, then click Create Role
12. Click SAML 2.0 federation
13. Select your SAML provider created previously, tick ‘Allow programmatic access only’, type in Attribute ‘SAML:aud’ with Value https://signin.aws.amazon.com/saml, then click Next: Permissions
14. Select the previously created AppStream policy, then click Next: Review
15. Click Create Role
16. Click onto the Role Name and take note of the ARN


OKTA – Configure Application

17. Take your ARNs from both steps 12 and 22 and combine them separated with a comma, i.e. roleARN,providerARN. For example, if your Role ARN is arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IdP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter them joined with a comma (no white spaces).
18. In the Okta Console, under your Application, click the Sign On tab
19. Click Edit
20. Provide the Default Relay State for your AppStream sessions. In our example the AppStream infrastructure is based in Ireland (eu-west-1), the AppStream stack is called Appstream and the account id is 123456789123. Our Relay State URL example:

See AWS Documentation

21. Provide the Role ARN and IdP ARN, and select Application username format: Okta username
22. Click Save
23. Assign this application to your Okta users: click the Assignments tab, click Assign to People/Groups, then click the Assign button against each Okta user you want to have access to this new app.


Okta Guide –


AWS Guide – http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms
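The three values this walkthrough has you type by hand (the stack-scoped policy from step 9, the roleARN,providerARN pair from step 17 and the relay state from step 20) generated from the sample account, role, provider and stack names used above, as an added example that is not part of the original post. Assumptions: the relay state URL format is taken from the AWS guide linked above, the single sample account id 123456789012 is used throughout, and the ARN validation is my own sanity check on the "no white spaces" requirement.

```powershell
# Added example: builds the AppStream SAML configuration values from the sample names above.
$AccountId = '123456789012'          # sample account from the post
$Region    = 'eu-west-1'             # Ireland, as in the relay state example
$Stacks    = @('Appstream')          # stack name from the relay state example

function New-AppStreamStreamPolicy([string]$AccountId, [string]$Region, [string[]]$StackNames) {
    # Same policy as step 10, but Resource is narrowed to named stacks instead of "*",
    # keeping the saml:sub / persistent conditions that bind the session to the federated user.
    $resources = foreach ($s in $StackNames) { "arn:aws:appstream:${Region}:${AccountId}:stack/$s" }
    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                Effect    = 'Allow'
                Action    = 'appstream:Stream'
                Resource  = @($resources)
                Condition = @{ StringEquals = [ordered]@{
                    'appstream:userId' = '${saml:sub}'     # single quotes: IAM variable, not PowerShell
                    'saml:sub_type'    = 'persistent' } }
            }
        )
    }
    $policy | ConvertTo-Json -Depth 6
}

function Get-OktaRoleValue([string]$RoleArn, [string]$ProviderArn) {
    # Okta wants "roleARN,providerARN" with no whitespace; both must be IAM ARNs
    # from the same account or the federation is rejected at sign-in.
    foreach ($arn in $RoleArn, $ProviderArn) {
        if ($arn -notmatch '^arn:aws:iam::\d{12}:(role|saml-provider)/[^\s,]+$') { throw "Not an IAM ARN: $arn" }
    }
    if (($RoleArn -split ':')[4] -ne ($ProviderArn -split ':')[4]) { throw 'Role and provider are in different accounts' }
    '{0},{1}' -f $RoleArn.Trim(), $ProviderArn.Trim()
}

function Get-AppStreamRelayState([string]$Region, [string]$StackName, [string]$AccountId) {
    # Assumed format, per the AWS developer guide linked above
    "https://appstream2.${Region}.aws.amazon.com/saml?stack=${StackName}&accountId=${AccountId}"
}

New-AppStreamStreamPolicy -AccountId $AccountId -Region $Region -StackNames $Stacks
Get-OktaRoleValue "arn:aws:iam::${AccountId}:role/OktaAppStreamUsers" "arn:aws:iam::${AccountId}:saml-provider/OKTA"
Get-AppStreamRelayState -Region $Region -StackName 'Appstream' -AccountId $AccountId
```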

Configure NetScaler Gateway SAML to Google with Citrix Federated Authentication


 * Citrix FAS Service installation
 * XA/XD 7.6 or newer
 * StoreFront 3.6 or newer (I’ve tested with 3.9)
 * SAML Provider acting as the iDP (Google in this instance)
 * NetScaler Gateway configured as the SAML Service Provider (SP)
 * Active Directory Certificate Services
 * Access to edit Windows GPOs and OUs to assign the CFAS service its service location

Install The Citrix Federated Authentication Service (CFAS)

1. Mount the XA/XD ISO on your server and select the Federated Authentication Service
2. Read the license agreement and make your choice
3. Click Next
4. Click Next
5. Click Install
6. Click Finish
7. Create the GPO to point the FAS server to itself (see step 9). When the GPO exists the ‘address’ field will be filled in for you automatically
8. Copy the Citrix ADMX files from C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions to Active Directory (c:\windows\policydefinitions)
9. Edit group policy to have the server point to itself for FAS: open gpmc.msc, browse to Computer > Administrative Templates: Policy > Citrix Components > Authentication and enter the DNS address of the server hosting the FAS service (as per screenshot). Note: the VDA(s), the StoreFront and the FAS server all need to have this policy applied. Run gpupdate /force
10. Right click the CFAS Administration console and always Run As Administrator
11. You should now have the CFAS server listed. Click OK
12. Click on Step 1 – Start button
13. Click OK
14. You can verify the creation of the templates in ADCS
15. Once this has completed without errors, click Start on Step 2
16. Click OK
17. Finally click Start on Step 3
18. Click OK
19. The console is waiting for the request to be approved (issued) by AD Certificate Services
20. Log into ADCS and approve the pending certificate request: right click the pending request, select All Tasks, then select Issue. Step 3 will go green
21. Click the User Rules tab and configure CA, CT and Access Control Lists if appropriate
22. Click Edit and add the StoreFront server to be able to use the ‘rule’. Remove Domain Computers as they will be set to ‘deny’. Click Apply

Create NetScaler SAML Policy to 3rd Party iDP (Google)

In this section we will create a new SAML Policy for the NetScaler to use Google as the SAML iDP.

Note: this cannot currently be bound to a Gateway when using the NetScaler RFWebUI ‘theme’.

1. Connect to admin.google.com
2. Click Apps
3. Click SAML Apps
4. Click the + to add a new SAML application
5. Select Setup my own custom app
6. Take note of the IDP data you are provided and copy and paste your URL. Be sure to DOWNLOAD the certificate and save it for uploading to the NetScaler later
7. Describe your new app
8. Note: the default ACS URL for the NetScaler must have a trailing /cgi/samlauth
9. Click Finish
10. Summary of the App SSO setup in the Google admin panel
11. Be sure to enable the new application: click the three dots, then ON for everyone
12. Note: this new configuration will take up to 24 hours to be available. Before it is ready you may get a ‘user not found’ message
13. Note: users will have access to a shortcut to this new app in their Google console
14. Upload the Google IDP certificate to the NetScaler
15. Install the CA certificate
16. Here you can see the certificate installed as another CA certificate
17. Expand NetScaler > Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > SAML > Policies > Servers and enter appropriate details for your new SAML profile. Note: the redirect URL and Single Logout URL will be unique to your Google account
18. Create a new SAML authentication policy, set the expression of this policy to ns_true and link it to the newly created Google SAML server
19. Bind this policy to your NetScaler Gateway: click the + against Basic Authentication, choose SAML, choose Primary, then click Continue. Note: you may need to remove other authentication policies (like LDAP) from the bound authentication before adding the SAML policy as the Primary method
20. Select the SAML binding
21. Edit the NetScaler Gateway session profile (Session Server) and blank the Single Sign On Domain field: NetScaler Gateway > click Session Policies, select the policy and edit the profile
22. Ensure Single Sign-on Domain is empty
23. Ensure your Google email matches your AD User Logon Name
24. If not, you can add a new UPN for the domain from Active Directory Domains and Trusts
25. Add any additional UPN suffix you may require to match your Google email sign-in

Configure StoreFront to Delegate Authentication to NetScaler

1. Open Citrix Studio or StoreFront management
2. Select your Store and left click Manage Authentication Methods
3. Click Pass-through from NetScaler Gateway > Configure Delegated Authentication
4. Click OK
5. Note: you will need to trust requests sent to the DDC XML ports for all DDC servers. RDP to each Delivery Controller as a Citrix or local administrator, open PowerShell and type:

    asnp Citrix*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Note: you can verify that this was successful by running Get-BrokerSite
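To check the two things in this post that most often leave a Google SAML logon at ‘user not found’ or a failed StoreFront pass-through, here is an added readiness check (example code, not from the original post or from Citrix): it confirms the XML-port trust flag set above and that the Google sign-in email resolves to an AD user's UPN with a registered suffix. Assumptions: run on a Delivery Controller with the Citrix snap-ins and the RSAT ActiveDirectory module installed; the email address below is a constructed sample.

```powershell
# Added example: readiness check for NetScaler SAML (Google) -> StoreFront -> FAS logon.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue   # same as 'asnp Citrix*' above
Import-Module ActiveDirectory

function Test-FasSamlReadiness([string]$GoogleEmail) {
    $result = [ordered]@{ Email = $GoogleEmail }

    # 1. Delegated authentication from NetScaler only works if the site trusts XML-port requests
    $result.XmlPortTrusted = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort

    # 2. The SAML NameID (the Google email) is matched against userPrincipalName, so the
    #    domain part must be a forest UPN suffix (or a domain name) and a user must carry it
    $suffix = $GoogleEmail.Split('@')[1]
    $forest = Get-ADForest
    $result.SuffixRegistered = ($suffix -in $forest.UPNSuffixes) -or ($suffix -in $forest.Domains)

    $safe = $GoogleEmail.Replace("'", "''")            # escape for the AD filter string
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$safe'" -Properties UserPrincipalName
    $result.UserFound      = [bool]$user
    $result.SamAccountName = if ($user) { $user.SamAccountName } else { $null }

    [pscustomobject]$result
}

# Constructed sample address; replace with a real Google sign-in
Test-FasSamlReadiness -GoogleEmail 'jane.doe@example.com'
```

A false SuffixRegistered or UserFound points at the UPN steps in the NetScaler section above; a false XmlPortTrusted means Set-BrokerSite has not been applied.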

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud
