Federated Authentication Service Configuration
Federated Authentication Service (FAS) provide single sign-on to VDAs using certificate authentication. This is useful when using authentication methods such as SAML, where StoreFront does not have access to the Active Directory credentials.
Enable FAS for a Store
Before enabling FAS for a store, you must configure the list of FAS servers using Group policy. For more details see FAS documentation.
To enable FAS for a store, you must use the PowerShell cmdlet Set-STFStoreLaunchOptions to set the VDA logon data logon provider to FASLogonDataProvider.
By default, StoreFront selects the FAS server at launch. You can change this so that StoreFront selects the FAS server at login. This has the advantage that it avoid delays that can occur at launch, particularly if a FAS server is unavailable so it has to try multiple FAS servers. However it has the disadvantage that if the FAS server becomes unavailable between login and launch then the launch either fails or falls back to username and password authentication (see FAS server unavailability). To configure the behavior, run PowerShell cmdlet Set-STFClaimsFactoryNames with parameter ClaimsFactoryName. To choose the FAS server at login, set it to FASClaimsFactory. To restore the default behavior and choose a FAS server at launch, set it to standardClaimsFactory.
For example to enable FAS for a store and select the server at login:
$store = Get-STFStoreService -VirtualPath [VirtualPath]
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
<!--NeedCopy-->
To disable FAS for a store:
$store = Get-STFStoreService -VirtualPath [VirtualPath]
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider ""
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "standardClaimsFactory"
<!--NeedCopy-->
Substitute [VirtualPath] for the appropriate virtual path, e.g. /Citrix/Store.
When using username and password authentication on a store with FAS enabled, StoreFront always uses FAS rather than the supplied credentials for single sign-on.
FAS server unavailability
If the FAS server is unavailable the launch fails by default. However, you can configure StoreFront such that if the FAS server is unavailable, users can sign on to the VDA by entering their credentials. To change the configuration use Powershell cmdlet Set-STFStoreLaunchOptions with parameter FederatedAuthenticationServiceFailover. For example to enable fail over for a store:
$storeService = Get-STFStoreService -VirtualPath [VirtualPath]
Set-STFStoreLaunchOptions $storeService -FederatedAuthenticationServiceFailover $True
<!--NeedCopy-->