
Using SAML authentication on Gantner Cloud

Why use SAML authentication

Some customers prefer to launch the remote Recreatex application, hosted on the Gantner Cloud server, with their own credentials (i.e. authenticating against their own environment). This can be achieved by using SAML authentication.

Sequence of SAML authentication
[Figure: SAML_steps_scheme.png, diagram of the SAML authentication sequence described in the steps below]
  1. The user goes to the website http://loginfas.syxcloud.com and enters his/her email address.

  2. The Citrix ADC (Application Delivery Controller) redirects the unauthenticated user to the customer's Identity Provider (IdP), selected by the suffix (domain part) of the email address, to authenticate the user.

  3. The Identity Provider (IdP) redirects the user to its single sign-on service URL, where the user must authenticate using two-factor authentication.

  4. The user enters his/her Active Directory (AD) credentials, which are verified by the Identity Provider (IdP) against the user database.

  5. Upon successful verification in the user database, the Identity Provider (IdP) is informed.

  6. The Identity Provider (IdP) issues a token (a SAML assertion confirming that the user is logged in) and sends it to the Gantner Service Provider in the form of a SAML response (saml:Response).

  7. The Citrix ADC (Application Delivery Controller) component verifies the token (the assertion signature, checked against the IdP's token-signing certificate) and extracts the user's login name (UPN) from it. This allows the user to access remote applications using single sign-on (SSO). Citrix FAS (Federated Authentication Service) takes care of the authentication within the Citrix environment.

    The Service Provider does not need access to the user's credentials; instead, a shadow user is used to launch the application.
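The checks the Service Provider side performs in steps 6 and 7 (and the configuration items the customer must supply for them) can be shown in code. The following Go program is an added example, not part of the Gantner documentation or product: it plays the customer's IdP (issuing and signing an assertion for an already-authenticated user) and the Service Provider (verifying the signature against the IdP's token-signing key, then checking issuer, audience and validity window, and finally mapping the extracted UPN to a provisioned shadow user). All names, URLs and UPNs are constructed placeholders. One deliberate simplification: the signature here is RSA-SHA256 over the raw assertion bytes, whereas real SAML uses an XML-DSig enveloped signature with canonicalization, which a production SP delegates to a SAML library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Conditions and Assertion model the subset of a SAML 2.0 assertion that the
// checks below need (constructed for this example; XML namespaces are omitted).
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"` // the user's UPN
	Conditions Conditions `xml:"Conditions"`
}

// SPConfig is what the Service Provider must be configured with; it maps onto
// the items the customer provides (token-signing certificate, UPN list).
type SPConfig struct {
	IdPSigningKey *rsa.PublicKey  // public key of the IdP token-signing certificate
	IdPIssuer     string          // expected <Issuer> value
	Audience      string          // this SP's entity ID
	AllowedUPNs   map[string]bool // provisioned usernames in UPN format
}

// NewIdPKey generates the constructed IdP token-signing key for the example.
func NewIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ValidateAssertion performs the Service Provider checks: signature first, then
// issuer, audience and validity window, and finally the UPN-to-shadow-user lookup.
// Simplification (hypothetical): RSA-SHA256 over the raw assertion bytes stands in
// for the XML-DSig verification a real SP performs.
func ValidateAssertion(cfg SPConfig, assertionXML, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(assertionXML)
	if err := rsa.VerifyPKCS1v15(cfg.IdPSigningKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("assertion signature does not verify against the IdP certificate")
	}
	// Parse only after the signature is known good; untrusted XML is never inspected first.
	var a Assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Issuer != cfg.IdPIssuer {
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Conditions.Audience != cfg.Audience {
		return "", fmt.Errorf("assertion not intended for this SP (audience %q)", a.Conditions.Audience)
	}
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("assertion has unparsable validity conditions")
	}
	if now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	upn := strings.ToLower(strings.TrimSpace(a.NameID))
	if !cfg.AllowedUPNs[upn] {
		return "", fmt.Errorf("UPN %q is not provisioned for a shadow user", upn)
	}
	return upn, nil
}

// IssueAssertion plays the customer's IdP: after the user has authenticated there
// (with two-factor authentication, which is the IdP's responsibility), it builds a
// short-lived assertion for that user and signs it with the IdP key.
func IssueAssertion(idpKey *rsa.PrivateKey, issuer, audience, upn string, now time.Time) ([]byte, []byte, error) {
	a := Assertion{Issuer: issuer, NameID: upn, Conditions: Conditions{
		NotBefore:    now.Add(-1 * time.Minute).UTC().Format(time.RFC3339),
		NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339),
		Audience:     audience,
	}}
	assertionXML, err := xml.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(assertionXML)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return assertionXML, sig, err
}

func main() {
	idpKey, _ := NewIdPKey()
	cfg := SPConfig{
		IdPSigningKey: &idpKey.PublicKey,
		IdPIssuer:     "https://idp.example.customer/", // placeholder issuer
		Audience:      "urn:example:gantner-sp",        // placeholder SP entity ID
		AllowedUPNs:   map[string]bool{"alice@example.customer": true},
	}
	now := time.Now()
	assertionXML, sig, _ := IssueAssertion(idpKey, cfg.IdPIssuer, cfg.Audience, "Alice@example.customer", now)
	fmt.Println(ValidateAssertion(cfg, assertionXML, sig, now))
}
```

The order of the checks is the point: the signature is verified before anything in the assertion is trusted, the audience check stops an assertion issued for another service from being replayed here, the validity window bounds replay in time, and the final lookup enforces the "list of usernames (UPN format)" requirement, so an assertion for a valid but unprovisioned user yields no shadow user.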

Customer-specific requirements to configure SAML authentication

The customer needs to provide the following to configure SAML authentication:

  • Identity Provider (IdP) SAML token-signing certificate

  • Redirect URL

  • Logout URL

  • List of usernames (UPN format)

  • Identity Provider (IdP) of the customer must use two-factor authentication

Remarks
  • Compatible Identity Providers (IdP): Azure AD, ADFS. Other Identity Providers are expected to be compatible but have not been tested yet by Gantner.

  • When using SAML authentication, it is no longer possible to share one Citrix user account among multiple users (unless they share a user account on their local system). A Citrix user account has to be created for each individual user who wants to log in to the Gantner Citrix environment. This may result in additional license costs for customers currently sharing licenses among multiple users.

  • As the customer is responsible for the two-factor authentication, there is no need to purchase Vasco tokens anymore.

  • Setup cost: 2 man-days (fixed price), or alternatively billed as time & material.