Salesforce SAML SSO deployment in Citrix cloud Step-by-Step guide

As Citrix admins, we always aim to provide the best end-user experience. Citrix Workspace integrates modern authentication protocols like SAML, to provide Single Sign On (SSO) to SaaS and Internal Web Apps. It provides a seamless SSO experience when accessing any workspace apps by removing username and password prompt.

The idea of this blog is that you can deploy (for free) a real SAML SSO SaaS app integration using a Salesforce developer account in less than 20 minutes. This will allow you to gain some knowledge on identity SAML SP integration in Citrix Cloud.

We have been using these deployments for our internal demos. We are continuously working with customers to provide these capabilities. This Salesforce SAML implementation will build good foundational knowledge on App identity deployment in Citrix cloud.

End User Experience: SSO to Salesforce

Requirements

  • Citrix cloud account with Secure Private Access entitlements
  • Any Identity provider: AD, AAD, Google, OKTA configured in Citrix cloud
  • A Salesforce developer account (info below)

Step by Step guide

The first part is creating a Salesforce Developer account, you will need to use a real email address (not necessary to be a registered domain, a Gmail or outlook will also work) and verify the account before accessing the SF portal: https://developer.salesforce.com/signup

Once you have access to your Salesforce account you need to look for your domain in the menu on the left. then you will find your Salesforce tenant URL, in my case is

https://azjavilab-dev-ed.develop.my.salesforce.com

Now we are going to Citrix Cloud Admin Portal to configure our brand new Salesforce app in Secure Private Access

We can use a template to configure Salesforce, but in my case, I am going to configure the app manually.

On the Single Sign-On configuration, we are going to select SAML.

Sing Assertion, Assertion and Relay state URL is going to use the URL of our Salesforce tenant https://azjavilab-dev-ed.develop.my.salesforce.com/

Name ID Format: Transient

Name ID: User Name

Now we move to the SAML metadata part. Here we can download an XML file with all our configurations that we can import later to Salesforce. The XML file includes the certificate that we need to import.

this is the structure of the XML file.

We move back to Salesforce and we look for the Single Sign-on Settings. We need to enable SAML configuration and then import from the metadata file. we will use the XML file downloaded from Citrix cloud.

Once imported all the fields will be populated and the you can safe your configuration,

Make sure you activate the HTTP POST.

You can also create a new configuration from a new field and copy the selected entity ID and application values inside Salesforce.

Once our Salesforce application is saved then we go back to citrix cloud to finish configuring the app.

The next step will be creating the access policy for the Salesforce app in citrix cloud and assign to the user.

Test user creation in Salesforce

Now we need to create a user that will match the email address of our users

In my case, I have user1@azjavilab.com as an Azure Active directory user, but doesn’t matter if your user is coming from on-prem AD, OKTA, AAD or google. we are going to federate this SAML authentication based on the email address, so if that matches SAML SSO will work

Make sure the test user/s are created in Salesforce and also you could verify if the user licence is correctly assigned (need Salesforce licence)

Once this step is finished we are ready for testing:

Troubleshooting tips

Inside Salesforce under the Single Sign-On Settings there is a SAML Assertion Validator that would help you to verify your configuration

Here are some tips:

  • Make sure the test user/s are created in Salesforce and also you could verify if the user licence is correctly assigned (need Salesforce licence)

The SAML decoder chrome extension is always very helpful to troubleshoot SAML issues

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

Advertisement

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.