In the earlier article How to combine multiple Citrix environments within different domains I discussed the possibilities to combine multiple Citrix environments available within different domains. One of the solutions was based on SAML authentication, which has the disadvantage that you still have two access points. In this article I will go into more detail on the options you have to combine such a solution into a single portal.
Citrix StoreFront?
In this article I will focus on the Citrix NetScaler Gateway, as this was the case at the customer where I was working on this issue. In this specific situation we were only allowed to connect to the NetScaler Gateway as the entrance point. With Citrix StoreFront you can also use SAML authentication, and I think the options in this article are also viable for Citrix StoreFront, where the end-user experience will probably be a bit better with some of the solutions (but not tested, so no guarantees).
Website Shortcuts
Probably one of the features not used by a lot of people. Website Shortcuts is available within the StoreFront Receiver for Web settings. With this feature you can create URLs for each published desktop and/or application, which can be used to start the desktop or application from an intranet website or similar.
At the customer we thought that this could be our solution for providing a single point of entrance. By adding the shortcuts of the second environment as Published Content in the primary Citrix infrastructure (replacing the StoreFront address with the NetScaler address), all applications are shown in one portal. When a user clicks such a shortcut, the user is redirected to the second NetScaler, and as both use the same SAML authentication, the user is automatically logged on and the application is started. That was the idea at least. Unfortunately it is not completely working as we expected. The first time a user selects an application from the second environment the user is not yet known and the NetScaler forwards the user to the SAML authentication page. The IdP notices that the user is already known and reports that back to the NetScaler. However, the NetScaler no longer knows the starting URL and shows the default landing page configured in the NetScaler Gateway (which by default is the StoreFront portal page).
In other words, the first time the application is not actually started, but the application/desktop portal page is shown in a different tab within the browser. The second (and following) time the application is started directly, as the initial authentication does not take place anymore. However, for each application an additional tab is opened showing the application icon (which was started automatically). This could lead to some confusion at the customer if that tab is shown (while the user expects to see all icons). If you use the StoreFront navigation available on this page, you go back to the default portal page (of the second infrastructure only). We tried to work around this behavior by using rewrite, conditions and so on, but unfortunately we could not find a solution (I need to thank Henry Heres for investigating this behavior).
I tested this with default username and password authentication within StoreFront and then it is working fine. It looks like this feature was not made with NetScaler Gateway in mind. In the end it is workable, and we also created a small script within Receiver.html that automatically closes the tab when logging in the first time (this is based on a suggestion of Workspace365, which will be discussed in the next paragraph).
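As an added illustration (not the customer's script, nor code from Citrix or Workspace365), the following shows how the tab-closing decision for a Receiver for Web page can be kept separate from the browser wiring, so the decision itself can be tested. The query parameter name used for the shortcut's application and the use of window.opener as the signal that the tab was opened from a shortcut are assumptions, not details taken from the article.

```javascript
// Added example, not the script from the article nor Workspace365's code.
// Decides whether the Receiver for Web tab it runs in should close itself after
// the first-logon SAML detour described above (starting URL lost, default
// portal page shown in a new tab).
//
// Assumptions (not taken from the article):
//  - a website-shortcut URL identifies the application with the query parameter
//    named below (the parameter name is an assumption);
//  - a tab opened from a shortcut in the primary portal keeps window.opener, so a
//    non-null opener is the signal that the tab was not typed in directly.

const SHORTCUT_PARAM = 'CTX_Application'; // assumed parameter name

// Classify where the tab ended up. Pure function without DOM access so it can be
// unit-tested under Node.
//   'detour' : opened from a shortcut but landed on the default portal page
//              (application parameter gone after SAML authentication): close it
//   'launch' : opened from a shortcut and the application parameter survived,
//              so the launch proceeds; the tab shows the icon and stays open
//   'portal' : no opener, i.e. the user navigated to the portal on purpose:
//              such a tab must never be closed by the script
function classifyLanding(url, hasOpener) {
  const parsed = new URL(url);
  const hasApp = parsed.searchParams.has(SHORTCUT_PARAM);
  if (!hasOpener) return 'portal';
  return hasApp ? 'launch' : 'detour';
}

function shouldCloseTab(url, hasOpener) {
  return classifyLanding(url, hasOpener) === 'detour';
}

// Browser wiring; skipped outside a browser (for example under Node).
// window.close() is only honoured by browsers for windows that have an opener,
// which is exactly the case handled here.
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  window.addEventListener('load', () => {
    if (shouldCloseTab(window.location.href, window.opener !== null)) {
      window.close();
    }
  });
}
```

The decision fails safe: when the shortcut link is rendered with rel="noopener" the opener is null, the landing is classified as 'portal' and nothing is closed, so a mistake in the assumption leaves the tab open rather than closing a page the user asked for. The 'launch' case is deliberately left open, matching the behavior described above where the second and following launches keep a tab with the application icon.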
Third-party products
Secondly we looked at other products that could offer the same functionality. We found three products that looked like they could do the job. When discussing this with the suppliers of these products it became clear that one did not support Citrix XenDesktop at this moment (RDP only). The second one needed to connect directly to StoreFront for enumerating the icons, and as the second infrastructure was an ASP-based platform, they (logically) did not agree with that and we did not invest more time in this solution. So we only kept one candidate: Workspace365. Workspace365 is mainly available for providing a single point of entrance for all Office 365 services. The guys I talked to at Workspace365 were really cooperative and we discussed the options and possibilities thoroughly. With this solution we would have another entrance point in which the icons from both environments needed to be created. Technically there is a requirement for using Azure Active Directory (AAD) at this moment, otherwise the SSO is not supported/working. Also the HTML5 client needs to be added to the StoreFront servers and some additional JavaScript from Workspace365 is required.
Unfortunately Workspace365 is actually suffering from the same issue as the Website Shortcuts: at the first initial logon the default portal page is shown. As both environments are now in a different portal, this behavior is shown twice (as there are now two NetScalers involved where authentication takes place when the icon is selected). As mentioned under Website Shortcuts, this was discussed with Workspace365 and they came up with the script solution to close the tab at the initial logon. With this in mind the user experience is pretty comparable; the advantage of Workspace365 is that the tabs (of the second and following applications) are automatically closed when the application is started.
Update: After releasing the article I was pinged by Anton van Pelt that New Day at Work just released a knowledge base article in which they have a solution for the first-start issue if you are running NetScaler/ADC 10.x or higher (https://support.workspace365.net/hc/en-us/articles/360013839854-Configure-seamless-single-sign-on-with-Citrix).
Summary
In the end we could not find a solution that works as we were hoping for. Workspace365 offers additional functionality by closing the tabs automatically, but causes the users to go through the initial logon two times. Also some additional files are required on StoreFront, which the ASP was not really happy with, and logically it adds additional costs as another product is required. So for now the customer decided to use the Website Shortcuts and accept the disadvantage of the initial logon and the tabs that stay open. They are hoping that it is acceptable for the end user, which is currently in the test phase. It would be nice if the Website Shortcut feature would also fully work with the NetScaler (or there is a solution that we could not find), so if someone from Citrix is reading this article...