Introduction
Building on the simplicity of JWT tokens delivered through OAuth2 flows, OpenID Connect has become the leading standard for single sign-on on the Internet.
In this scenario, Citrix ADC acts as an OpenID Connect SP (the relying party) protecting a web application, with Google Identity Platform acting as the Identity Provider. Citrix ADC leverages its Content Switching capability to unify the load-balancing and authentication virtual servers behind a single public IP, which avoids multiple public endpoints and multiple certificates (or wildcard certificates).
The OpenID Connect code flow is used in this scenario for optimal security. An initial browser redirection sends the user to the Google Identity Provider for authentication and consent. The user is returned with a grant code, which is forwarded to Citrix ADC; Citrix ADC then uses it in a back-channel request to retrieve the ID token from the Google Identity Provider. This flow offers optimal security, as tokens are kept in the datacenter and never forwarded to the browser.
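The code flow just described, as an added example that is not Citrix or Google code: a simulated SP playing the Citrix ADC role and a constructed stand-in IdP run the full exchange offline. It assumes the constructed issuer, client and redirect URI shown in the code, and signs the ID token with HS256 using the client secret where Google would use RS256 keys from its JWKS endpoint.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qsl, urlencode, urlparse
ISSUER, CLIENT_ID, CLIENT_SECRET = "https://idp.example", "demo-client", "demo-client-secret"  # constructed
REDIRECT_URI = "https://app.example/oauth/callback"  # constructed: the SP's callback (redirect) URI
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
class MockIdP:  # stand-in identity provider: single-use codes, HS256-signed ID tokens
    def __init__(self): self.codes = {}
    def authorize(self, authz_url: str, subject: str) -> str:
        # Front channel: after login and consent the browser is redirected back with code + state.
        q = dict(parse_qsl(urlparse(authz_url).query))
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"nonce": q["nonce"], "redirect_uri": q["redirect_uri"], "sub": subject}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, code: str, redirect_uri: str, client_secret: str) -> dict:
        # Back channel: the code is single-use and bound to the redirect URI and client secret.
        req = self.codes.pop(code, None)
        if req is None or req["redirect_uri"] != redirect_uri or client_secret != CLIENT_SECRET:
            raise ValueError("invalid_grant")
        hdr = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": req["sub"],
                                  "nonce": req["nonce"], "exp": int(time.time()) + 300}).encode())
        sig = hmac.new(client_secret.encode(), f"{hdr}.{body}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{hdr}.{body}.{b64url(sig)}"}

def sp_start_login(session: dict) -> str:
    # SP step 1: remember state and nonce, send the browser to the IdP's authorization endpoint.
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return ISSUER + "/authorize?" + urlencode(params)

def sp_callback(session: dict, callback_url: str, idp: MockIdP) -> dict:
    # SP step 2: check state, redeem the code on the back channel, validate the returned ID token.
    q = dict(parse_qsl(urlparse(callback_url).query))
    if q.get("state") != session.pop("state", None):
        raise ValueError("state mismatch")  # response not tied to a login this session started
    hdr, body, sig = idp.token(q["code"], REDIRECT_URI, CLIENT_SECRET)["id_token"].split(".")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if ((claims["iss"], claims["aud"]) != (ISSUER, CLIENT_ID) or claims["exp"] < time.time()
            or claims["nonce"] != session.pop("nonce", None)):  # nonce ties token to this login
        raise ValueError("issuer, audience, expiry or nonce check failed")
    return claims  # the ID token itself never left the back channel

def run_flow(subject: str = "user123") -> dict:
    # Drive the whole exchange offline: SP redirect -> IdP login -> callback -> code exchange.
    idp, session = MockIdP(), {}
    return sp_callback(session, idp.authorize(sp_start_login(session), subject), idp)
```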
