Yes, I am back. Sorry, but due to a lot of work I have not had the time to write new blog posts.

This post is about using Entra ID with SAML for NetScaler authentication. To configure this I normally follow this guide: https://www.deyda.net/index.php/en/2023/09/08/saml-authentication-between-citrix-microsoft-with-azure-mfa/. Thanks to Manuel Winkel for writing a good blog post on how to configure it.

I was called out to a customer to change their authentication to SAML with Entra ID. I did the configuration as described in Manuel's blog post. When we tested it, it worked for some users but failed for other users with an error in Storefront.

In Citrix Storefront this is basically a "General Error": something went wrong, but Storefront does not tell you what.

After some investigation I found that the users that were failing did not have a matching SamAccountName and UserPrincipalName (the part of the UPN before the @ was different from the SamAccountName). When we configure SAML with Entra ID as described, the SAML response carries the UserPrincipalName, and that is the user name passed on to Citrix Storefront, but the domain was not able to log those users on with it. Searching for a way to change this, I found a lot of people writing about the same problem, but no solutions.
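Before switching an environment to SAML, it is useful to know in advance which accounts will hit this error. The following PowerShell is an added example, not from the original post, that lists on-premises AD users whose SamAccountName differs from the prefix of their UserPrincipalName. It assumes the ActiveDirectory module (RSAT) is installed and that the optional SearchBase and Server parameters are adjusted for your domain.

```powershell
# Added example: find AD users whose UPN prefix does not match sAMAccountName.
# With a SAML claim that sends the UPN, these are exactly the users the domain
# cannot log on and that Storefront reports as a "General Error".
# Assumption: the ActiveDirectory module is available on the machine running this.
Import-Module ActiveDirectory

function Get-UpnSamMismatch {
    param(
        # Defaults to the whole domain; narrow it to an OU if the directory is large
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Optional domain controller to query
        [string]$Server
    )

    $params = @{
        Filter     = 'Enabled -eq $true -and UserPrincipalName -like "*"'
        Properties = 'sAMAccountName', 'UserPrincipalName'
        SearchBase = $SearchBase
    }
    if ($Server) { $params.Server = $Server }

    Get-ADUser @params | ForEach-Object {
        # Everything before the @ is what the domain would have to match against sAMAccountName
        $upnPrefix = ($_.UserPrincipalName -split '@')[0]

        # -ne is case-insensitive in PowerShell, like sAMAccountName matching in AD
        if ($upnPrefix -ne $_.sAMAccountName) {
            [pscustomobject]@{
                sAMAccountName    = $_.sAMAccountName
                UserPrincipalName = $_.UserPrincipalName
                UpnPrefix         = $upnPrefix
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Usage: list the affected accounts; export with Export-Csv if you need to hand the list over
Get-UpnSamMismatch | Format-Table -AutoSize
```

Run this as a user that can read the directory; every account it returns is one that will fail to log on through Storefront as long as the SAML response carries the UPN rather than the SamAccountName.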

I found a way to send the SamAccountName from Entra ID to the NetScaler in the SAML response by configuring the following.

In the Entra ID Enterprise Application, change the source attribute of the claim that carries the user name:

Change it to "user.onpremisessamaccountname". This attribute is filled by Entra Connect for synchronised accounts, so it is only useful for users that exist in the on-premises domain, which is exactly what we need here.

In the NetScaler SAML profile I set this:

After changing this, all users were able to log on and get their Citrix applications and desktops.