Skip to main content

Citrix StoreFront 3.9 (SP-initiated) Integration Guide


Use this guide to enable Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to Citrix StoreFront 3.9.


1. Have Citrix StoreFront 3.9

2. Create a New Realm for the Citrix StoreFront integration in the SecureAuth IdP Web Admin v9.1+

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview– the description of the realm and SMTP connections must be defined

  • Data– an enterprise directory must be integrated with SecureAuth IdP

  • Workflow– the way in which users will access this application must be defined

  • Multi-Factor Methods– the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

Web Admin Configuration Steps



1. In the Profile Fields section on the Data tab, map the UPN attribute (userPrincipalName) to an available Property – e.g. Aux ID 5 is selected in this example


Click Save once the configuration has been completed and before leaving the Data page to avoid losing changes

Post Authentication

Post Authentication


2. Select SAML 2.0 (SP Initiated by Post) Assertion from the Authenticated User Redirect dropdown

The unalterable Authorized/SAML20SPInitPost.aspx URL appears in the Redirect To field – this URL will append to the domain name and realm number in the address bar

User ID Mapping


3. Select the Property from the User ID Mapping dropdown – this is the Property to which the Profile Field containing the UPN attribute was mapped in step 1 (in this example, Aux ID 5)

4. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Or select a different option – if Citrix requires it – provided by the Service Provider (SP)

5. Select False from the Encode to Base64 dropdown

SAML Assertion / WS Federation


6. Set SAML Consumer URL to the same value configured on the Citrix Metadata file for the AssertionConsumerService Binding – e.g.

See directions for downloading the StoreFront metadata file in the Citrix StoreFront Configuration Steps below

7. Set WSFed / SAML Issuer URL to the EntityID configured on the Citriux StoreFront Metadata file – e.g.

8. Set the SAML Offset Minutes to compensate for differences in the time set on the devices

9. Set the SAML Valid Hours to limit the length of time for which the SAML assertion is valid

10. Set Sign SAML Assertion to True

11. Download the Assertion Signing Certificate, export it as Base64, and store it on a local PC to be used by Citrix StoreFront


Click Save once the configuration has been completed and before leaving the Post Authentication page to avoid losing changes

Citrix StoreFront Configuration Steps


1. Start Citrix StoreFront

2. Select Stores from the Citrix StoreFront tree menu on the left pane

3. On the middle pane, select the store to be configured

Details appear on the pane below


4. Select Manage Authentication Methods on the Actions pane to the right


5. In the Manage Authentication Method s window, enable the SAML Authentication Method

6. Click the gear icon – located under Settings for SAML Authentication – and select Identity Provider


7. Select Post from the SAML Binding dropdown to specify how StoreFront initiates the SAML flow with SecureAuth IdP

8. In the Address field, enter the redirect URL – the SecureAuth IdP appliance's Fully Qualified Domain Name (FQDN) – which will be used to send the initial request, and append the Citrix-integrated realm followed by /secureauth.aspx

-- e.g.

9. Click Import to import the assertion signing certificate downloaded from the SecureAuth IdP realm in step 11 of the SecureAuth IdP Configuration Steps

10. Click OK


11. Locate the Store URL on the Details pane

12. Copy this URL and paste it in a browser address bar with Citrix/NAMEofStoreFrontAuth/SamlForms/serviceprovider/Metadata appended after the URL

-- e.g.

13. Download the metadata file

Note the values for EntityID and AssertionConsumerService Binding appear in this file – these can be used in the SecureAuth IdP configuration