
SAML authentication

Why use SAML authentication on Vintia Cloud

Some customers prefer to launch the remote Recreatex application, hosted on the VintiaCloud server, with their own credentials (i.e. authenticate against their own environment). This can be achieved by using SAML authentication.

Sequence of SAML authentication

[Figure: SAML_steps_scheme.png, the numbered steps of the SAML authentication sequence described below]
  1. Users navigate to the desired environment (1), login.vintia.cloud (production) or login-test.vintia.cloud (test), and enter their username (2).

  2. The Citrix ADC (Application Delivery Controller) redirects the unauthenticated user to the customer's Identity Provider (IdP), selected from the suffix of the email address, to authenticate the user.

  3. The Identity Provider (IdP) redirects the user to its single sign-on service URL, where the user must authenticate using two-factor authentication.

  4. The user enters their AD (Active Directory) credentials, which are verified by the Identity Provider (IdP) against the user database.

  5. Upon successful verification in the user database, the Identity Provider (IdP) is informed.

  6. The Identity Provider (IdP) issues a token (a SAML assertion confirming that the user is logged in) and sends it to the Vintia Service Provider in a SAML response message.

  7. The Citrix ADC (Application Delivery Controller) component verifies the token (the assertion signature) and extracts the user's login name (UPN) from it. This allows the user to access remote applications using single sign-on (SSO). Citrix FAS (Federated Authentication Service) takes care of the authentication within the Citrix environment.

    The Service Provider does not need access to the user's credentials; instead, a shadow user is used to launch the application.
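The two points in the sequence where the Service Provider side makes security decisions are step 2 (choosing the customer's IdP from the username suffix) and step 7 (checking the assertion before trusting the UPN in it). The Python below is an added example written for this page; it is not Vintia's or Citrix's code. It assumes a hypothetical IdP registry keyed by UPN domain (its fields mirror the items the customer supplies: token-signing certificate, redirect URL, logout URL), a placeholder SP entity ID, and a constructed SAML response whose signature value is a placeholder, because verifying the XML signature bytes is left to an XML-DSig library. What it does show are the checks around that verification: issuer, that the signature sits inside the assertion and references it, that the signing certificate is the pinned customer certificate, the validity window, the audience, the InResponseTo binding, and that the UPN's domain is actually served by the IdP that signed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces of SAML 2.0 responses and XML Signature.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://login.vintia.cloud/sp"     # assumed SP entity ID (placeholder)
FAKE_IDP_CERT_DER = b"CONSTRUCTED-IDP-CERT-DER"    # stands in for the customer's cert (DER bytes)

# Hypothetical per-customer IdP registry keyed by UPN domain suffix. The fields mirror what
# the customer must provide: signing certificate (pinned by hash), redirect (SSO) URL, logout URL.
IDP_REGISTRY = {
    "example-customer.com": {
        "entity_id": "https://idp.example-customer.com/saml",    # placeholder issuer
        "redirect_url": "https://idp.example-customer.com/sso",  # placeholder
        "logout_url": "https://idp.example-customer.com/slo",    # placeholder
        "signing_cert_sha256": hashlib.sha256(FAKE_IDP_CERT_DER).hexdigest(),
    }
}

def select_idp(username: str):
    """Step 2: pick the customer's IdP from the suffix of the entered username (UPN)."""
    if username.count("@") != 1:
        return None
    return IDP_REGISTRY.get(username.rsplit("@", 1)[1].lower())

def _ts(value) -> datetime:  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(response_b64: str, idp: dict, now: datetime, request_id: str) -> str:
    """Step 7: what the SP checks before trusting the UPN in an assertion. Verifying the
    signature value itself is assumed to be done by an XML-DSig library (not shown)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if len(root.findall("saml:Assertion", NS)) != 1:
        raise ValueError("expected exactly one assertion")
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        raise ValueError("issuer is not the registered IdP")
    # The signature must be inside the assertion and reference the assertion's own ID.
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("assertion is unsigned or the signature covers something else")
    # Pin the signing certificate to the token-signing certificate the customer provided.
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
    if hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != idp["signing_cert_sha256"]:
        raise ValueError("signing certificate is not the registered IdP certificate")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this Service Provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    upn = a.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if select_idp(upn) is not idp:  # the signing IdP must be the one serving this UPN domain
        raise ValueError("UPN domain is not served by the signing IdP")
    return upn

def build_sample_response(upn, not_before, not_on_or_after, cert_der=FAKE_IDP_CERT_DER, request_id="_req1"):
    """Constructed response shaped like an IdP's; the signature value is a placeholder."""
    issuer = IDP_REGISTRY["example-customer.com"]["entity_id"]
    cert = base64.b64encode(cert_der).decode()
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}"><saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>{upn}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def run_demo() -> dict:
    """Constructed scenarios: one valid login and three responses the SP must reject."""
    now, upn = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), "alice@example-customer.com"
    valid = ("2024-01-01T11:55:00Z", "2024-01-01T12:05:00Z")
    past = ("2024-01-01T11:00:00Z", "2024-01-01T11:05:00Z")
    cases = {
        "ok": build_sample_response(upn, *valid),
        "unknown_cert": build_sample_response(upn, *valid, cert_der=b"CONSTRUCTED-OTHER-CERT"),
        "expired": build_sample_response(upn, *past),
        "foreign_upn": build_sample_response("bob@other.example", *valid),
    }
    results = {}
    for name, resp in cases.items():
        try:
            results[name] = "accepted:" + validate_response(resp, select_idp(upn), now, "_req1")
        except ValueError as err:
            results[name] = "rejected:" + str(err)
    return results
```

Calling `run_demo()` returns one accepted UPN and three rejections with their reasons. The order of the checks is deliberate: the certificate pin and signature reference are tested before any claim inside the assertion is read, and the final check ties the UPN's domain back to the IdP chosen in step 2, so an assertion from one customer's IdP can never log in a user of another customer's domain.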

Customer-specific requirements to configure SAML authentication

The customer needs to provide the following to configure SAML authentication:

  • Identity Provider (IdP) SAML token-signing certificate

  • Redirect URL

  • Logout URL

  • List of usernames (UPN format)

  • The Identity Provider (IdP) of the customer must use two-factor authentication

Remarks
  • Compatible Identity Providers (IdPs): Azure AD, ADFS. Other Identity Providers are expected to be compatible but have not yet been tested by Vintia.

  • When using SAML authentication, it is no longer possible to share one Citrix user account with multiple users (unless they share a user account on their local system). A Citrix user account must be created for each user who wants to log in to the Vintia Citrix environment. This may result in additional license costs for customers currently sharing licenses among multiple users.

  • As the customer is responsible for the two-factor authentication, there is no need to purchase OneSpan (Vasco) tokens anymore.

  • Setup cost: 2 man-days (fixed price), or optionally billed on a time and material basis.