The Progress Kemp Edge Security Pack (ESP) is the LoadMaster’s Frontend Authentication engine. The currently supported authentication methods for Citrix StoreFront are Form Based (if LDAP or RADIUS is configured) or SAML for Single Sign On. Various RADIUS MFA (Multi-Factor Authentication) and SAML MFA solutions are supported.

  • For SAML authentication, you must perform the configuration using the PowerShell script and also configure SAML on your StoreFront server. To configure StoreFront servers for SAML, refer to this knowledge base article from Citrix: How to configure SAML Authentication - Manual Configuration?
  • SAML for StoreFront also requires a "Federated Authentication Service" (FAS). This prevents your application from requesting credentials after connecting. To configure it, refer to this Citrix knowledge base article: Federated Authentication Service.
  • Your IdP must be configured with two applications: one for the LoadMaster and one for StoreFront. This is because each requires a different response URL. The LoadMaster URL is /Citrix/STOREWeb, and the StoreFront URL is /Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata.
  • For more information on SAML for LoadMaster, refer to the SAML Feature Description.
  • Currently, we support both OTP and Push as second factors when authenticating in a web browser. When authenticating using Workspace/Receiver, we only support Push as a second factor. This requires your Internal URL to be the same as the External URL.