Setup Form-based SSO with Citrix MetaFrame

By following these instructions, you will configure the standard resource Citrix MetaFrame Presentation Server with an NFuse host with form-based Single Sign-On.

Please note that in these instructions, Citrix MetaFrame is added as a standard resource. The standard resource automatically uses a dynamic tunnel to access the resource. As a result, Citrix scripts nfuse15.wascr and nfuse16.wascr (that change the real IP of the NFuse server that the client receives in the .ICA file to 127.0.0.1 and 127.0.0.1:1494 respectively) should not be used. Also note that the use of dynamic tunnels entails that administrator rights are required on the client (unless using the installable version of the Access Client, installed by administrator).

To avoid the need for administrator rights on the client, or if running on Linux, a static tunnel must be used to access the resource which means that the standard resource for Citrix can not be used. When static tunnels are used, the Citrix wascr script/-s are required.

The instruction consists of the following steps, to be performed in this order:

  1. Add standard resource of the type Citrix MetaFrame Presentation Server

  2. Edit advanced resource settings

  3. Add SSO domain

  4. Add resource path

Add Standard Resource of the Type Citrix MetaFrame Presentation Server

  1. In the main menu, select Manage Resource Access and then click Standard Resources in the left-hand menu.

  2. Select Citrix MetaFrame Presentation Server and enter general settings.

Example:
Display Name: citrix sso

  1. Click Next.

  2. Enter Citrix Web server settings.

Example:
Citrix Web Server: <your Citrix server's IP address>

Keep default port.

  1. Enter Citrix MetaFrame Server settings.

Example:
Citrix MetaFrame Server 1: <your Citrix server's IP address>

Keep default port.

  1. Enter Portal Settings and click Next.

  2. Protect the resource host with applicable access rules and click Next.

Please refer to Add Access Rules for instructions when needed.

  1. Click Finish Wizard.

Edit Advanced Resource Settings

  1. In the left-hand menu, select Manage Resource Access.

  2. In the Web Resources section, select "citrix sso" and then click the Edit Resource Host link.

  3. Select the Advanced Settings tab.

  4. Enter Access Settings:

Example:
Select the Forward cookies between client and resource checkbox
Cookies to Check: NFuseFolder,NFuseMode,icaClientCode,icaObjectCode,icaClientAvailable,icaBrowserCode,icaScreenResolution
Action: Allow

  1. Click Save and then click Publish in the top menu.

Add SSO Domain

  1. In the left-hand menu, select SSO Domains.

Please refer to Add SSO Domains for general instructions.

  1. Add domain attributes:

Example:
Attribute Name: User name
Attribute Restriction: Editable
Referenced By: User input

Example:
Attribute Name: Password
Attribute Restriction: Editable
Referenced By: User input

Example:
Attribute Name: Domain
Attribute Restriction: Hidden
Referenced By: Static
Attribute Value: citrixssotest

  1. Click Next.

  2. Protect the SSO domain with applicable access rules and click Next.

  3. Click Finish Wizard.

Add Resource Path

  1. In the left-hand menu, select Manage Resource Access.

  2. In the Web Resources section, select "citrix sso" and then click the Add Resource Path link.

  3. Enter general settings.

Example:
Path: citrix/metaframe/default/default.aspx

  1. Enter Single Sign-On settings:

Example:
Select the Enable Single Sign-On checkbox.
Single Sign-On Type: Form based
SSO Domain: "citrix sso"

  1. Click Next.

  2. Enter Logon Form settings:

Example:
Method: POST
Form Action (URL): http://<your Citrix server's IP address>/Citrix/MetaFrame/default/login.aspx?ClientDetection=On
Form Data: state=LOGIN&LoginType=Explicit&user=[$username]&password=[$password]&domain=[$domain]&login=Log+In

  1. Enter Verification of Logon Response settings:

Example:
Verification URL: http://<your Citrix server's IP address>/Citrix/MetaFrame/default/default.aspx
Form Response: applist

  1. Click the Add Client Request Header link.

  2. Enter general settings and click Next.

Example:
Header: User-Agent

  1. Click Next.

  2. Protect the resource path with applicable access rules and click Next.

  3. Click Finish Wizard and then click Publish in the top menu.