Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Enables seamless authentication for Office 365 use cases.


Compatibility

  • Citrix ADC: 11.0 VPX, 11.0 MPX, 10.5 VPX, 10.5 MPX, 10.1 VPX, 10.1 MPX, 10.0 VPX, 10.0 MPX
  • Citrix ShareFile: ShareFile Enterprise

Product Details

Recently, more enterprises are migrating to a cloud-based application deployment model. Thanks to cloud-based services such as Microsoft Office 365, this migration has accelerated. Cloud-based app deployment provides significant added value, but at the same time, it changes the underlying infrastructure for the enterprise. One of the critical services enterprise IT teams worry about is authentication for users connecting from within and outside the organization.

When migrating to the cloud, enterprises want to ensure the user experience does not change. However, seamless access to services hosted outside the enterprise data center requires a new component in the app deployment design. No one wants the Active Directory password to travel on the wire outside the data center, so federation becomes the natural and proven alternative. For Microsoft services in particular, Active Directory Federation Services (ADFS) is the solution you are looking for. The ADFS security token service (STS) extends the single sign-on (SSO) experience of Active Directory-authenticated clients to resources outside the enterprise data center.

A Microsoft ADFS 3.0 server farm allows internal users to access external cloud-hosted services. But the moment external users are brought into the mix, they must be given a way to connect remotely and access cloud-based services through federated identity. This is where an ADFS proxy plays a major role, giving external users SSO access to both internal federation-enabled resources and cloud resources such as Office 365. The purpose of the ADFS proxy server is to receive requests and forward them to ADFS servers that are not accessible from the Internet. The ADFS proxy therefore plays a critical role in remote user connectivity and application access. Citrix ADC, formerly NetScaler, has been playing similar roles, remote user connectivity and application access, for more than a decade. Citrix ADC has the right technology to enable secure connectivity, authentication and handling of federated identity, and thus it becomes the preferred solution for replacing an existing ADFS proxy or supporting a new ADFS implementation. Most enterprises want to reduce their footprint in the DMZ, and hence they appreciate the fact that, in addition to its traditional functions, Citrix ADC can serve as the ADFS proxy. This approach avoids the need to deploy an additional component in the DMZ.

Packet flow of how the ADFS proxy helps with external user access:

  • External user accesses internal or external applications enabled by ADFS.
  • User is redirected to the applicable federation service for authentication.
  • User is redirected to the enterprise’s internal federation service.
  • User is connected to the ADFS proxy in the DMZ and is presented with a sign-on page.
  • ADFS proxy takes inputs from the external user and connects to the ADFS farm.
  • ADFS proxy presents external user credentials to the ADFS farm.
  • ADFS server authenticates the external user with enterprise Active Directory.
  • ADFS server returns authorization cookie with a signed security token and claims.
  • ADFS proxy sends the token and claim information to the external user.
  • User connects to the federation service where the token and claims are verified.
  • Based on validation, the federation service provides the user with a new security token.
  • The external user provides the new authorization cookie with security token to the resource for access.

In most use cases you will run an ADFS farm and an ADFS proxy farm, both of which require load balancing and scale with high availability. If you are already using Citrix ADC (formerly NetScaler ADC) to load balance your ADFS proxy farm and other key services, only one additional step is needed to set up Citrix ADC as a replacement for the ADFS proxy farm. This means Citrix ADC does not just play the ADC role but also takes over the processes the ADFS proxy performs in the external user access scenario.

Citrix ADC is a proven remote access solution for the DMZ. Administrators can use the AAA for Traffic Management (AAA-TM) feature of Citrix ADC to fulfill the ADFS proxy use case, while the product's other security features add to the overall value of this solution.

Packet flow of how Citrix ADC as ADFS proxy helps with internal/external user access:

  • An internal or external user accesses an Office 365 application that is enabled by ADFS.
  • User is redirected to the applicable federation service for authentication.
  • User is redirected to the enterprise’s internal federation service.
  • Internal user is load balanced to the ADFS farm.
  • External user connects to the Citrix ADC AAA-TM logon page.
  • User is authenticated against Active Directory or a similar authentication service.
  • Post authentication, Citrix ADC performs SSO (Kerberos/NTLM) to the ADFS farm.
  • ADFS server validates the SSO credentials and returns an STS token.
  • External user connects to the federation service where the token and claims are verified.
  • Based on validation, the federation service provides the user with a new security token.
  • External user provides the authorization cookie with the security token to the resource for access.

Here both internal and external users can go through the Citrix ADC path, the only difference being that external users are required to pre-authenticate with the Citrix ADC AAA-TM module. For this access scenario, an AAA-TM virtual server must be configured on Citrix ADC for pre-authentication. Internal users can be load balanced directly to the ADFS server farm.
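The following Citrix ADC (NetScaler) CLI configuration is an added example of the two paths just described; it is not configuration from the original page or from Citrix. It uses 11.x-era classic policy syntax. Every IP address, hostname, object name, certificate file name and service account below is an assumption for illustration, and the passwords are placeholders. The internal virtual server load balances the ADFS farm with no pre-authentication; the external virtual server has Authentication ON and hands the user to an AAA-TM authentication virtual server, which authenticates against Active Directory over LDAPS and then uses a Kerberos constrained delegation (KCD) account for SSO to the farm.

```text
# Added example configuration (not from the original page). All addresses, names,
# accounts and certificate files are assumptions; <...> values are placeholders.
enable ns feature LB SSL AAA

# ADFS farm members (assumed addresses)
add server adfs01 10.0.2.21
add server adfs02 10.0.2.22
add service svc_adfs01 adfs01 SSL 443
add service svc_adfs02 adfs02 SSL 443

# Server certificate for the federation service name (assumed file names)
add ssl certKey ck_sts -cert sts_example_com.pem -key sts_example_com.key

# 1) Internal path: plain load balancing to the ADFS farm, no pre-authentication
add lb vserver lb_adfs_internal SSL 10.0.1.10 443 -persistenceType SOURCEIP
bind lb vserver lb_adfs_internal svc_adfs01
bind lb vserver lb_adfs_internal svc_adfs02
bind ssl vserver lb_adfs_internal -certkeyName ck_sts

# 2) External path: AAA-TM authentication virtual server that presents the logon page in the DMZ
add authentication vserver auth_sts SSL 192.0.2.11 443
bind ssl vserver auth_sts -certkeyName ck_sts

# Pre-authentication against Active Directory over LDAPS (assumed domain controller and bind account)
add authentication ldapAction ldap_ad -serverIP 10.0.2.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc_nsldap,cn=Users,dc=example,dc=com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName
add authentication ldapPolicy ldap_ad_pol ns_true ldap_ad
bind authentication vserver auth_sts -policy ldap_ad_pol -priority 100

# KCD account used to obtain a Kerberos ticket on the user's behalf for SSO to the ADFS farm
add aaa kcdAccount kcd_sts -realmStr EXAMPLE.COM -delegatedUser svc_nskcd -kcdPassword <kcd-password>

# Session policy: SSO on, back-end authentication via the KCD account
add tm sessionAction sess_sso -SSO ON -kcdAccount kcd_sts -defaultAuthorizationAction ALLOW
add tm sessionPolicy sess_sso_pol ns_true sess_sso
bind authentication vserver auth_sts -policy sess_sso_pol -priority 100

# External LB virtual server for the same farm; unauthenticated users are sent to auth_sts first
add lb vserver lb_adfs_external SSL 192.0.2.10 443 -persistenceType SOURCEIP -Authentication ON -authenticationHost auth.example.com
bind lb vserver lb_adfs_external svc_adfs01
bind lb vserver lb_adfs_external svc_adfs02
bind ssl vserver lb_adfs_external -certkeyName ck_sts
```

For this to work, the assumed name auth.example.com must resolve to the authentication virtual server's address, the delegated KCD user must be permitted in Active Directory to delegate to the ADFS service's SPN, and the ADFS farm must accept Windows integrated authentication from the ADC. The same certificate is bound to all three virtual servers so that clients see one trusted federation service name whether they arrive internally or from the DMZ.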

Benefits of using Citrix ADC as ADFS proxy

  • Caters to both load balancing and ADFS proxy needs
  • Works with both internal and external user access scenarios
  • Supports rich methods for pre-authentication
  • Provides an SSO experience for end users
  • Supports both active and passive protocols
         a. Examples of active protocol apps – Outlook, Lync
         b. Examples of passive protocol apps – Outlook Web App, browsers
  • Hardened device for DMZ-based deployment
  • Adds value with additional core ADC features
         a. Content Switching
         b. SSL offload
         c. Rewrite
         d. Responder
         e. Rate Limit
         f. Security