Table of Contents

Citrix Netscaler SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to provide Single-Sign-On to Citrix Netscaler using SAML with PhenixID Authentication Services as SAML IdP. This is useful in these scenarios:

  • Authentication for external users
  • Provide authentication methods not available over Radius (for example certificates, username and PhenixID OneTouch)
  • Citrix Federated Authentication Services. In this scenario, PhenixID Authentication Services works as the SAML IdP.

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Citrix Netscaler 11.0 or higher

Instruction

1. Set up PhenixID Authentication Services as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)

  2. Download the IdP signing certificate to a file as described here.

  3. Open the IdP Metadata and get the value of the SingleSignOnService-Location.

    NA

  4. If SAML SLO is configured (see article SAML Identity Provider, or possibly SAMLLogout for a legacy IDP), get the SLO Post URL.

2. Configure Netscaler

  1. If there is not currently a Gateway VIP configured, consult this link: https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-addressing/configuring-citrix-adc-owned-ip-addresses/configuring-and-managing-virtual-ip-addresses-vips.html
  2. Create a SAML authentication policy.
  3. Bind the SAML policy as the only primary policy to the gateway VIP. Click Continue
  4. Open Traffic Management -> SSL -> Certificates -> CA Certificates.
  5. Install the certificate downloaded in step 1.2
  6. Open Netscaler Gateway -> Policies -> Authentication -> SAML
  7. Select Servers, then Add
  8. Set these properties:
    1. Name = Friendly name
    2. IDP Certificate name = Select the one installed in step 2.5
    3. Redirect URL = Value from step 1.3
    4. Single Logout URL = Value from step 1.4
    5. User Field = Name ID
    6. Signing Certificate Name = <Select the certificate (keypair) you would like to use as the signing certificate for the Netscaler SAML SP>
    7. Issuer Name = <Enter the name you would like to use as the entityID for the Netscaler SAML SP. For example: https://mynetscaler/samlsp>
    8. SAML Binding = POST
    9. Click More
    10. Signature algorithm = RSA-SHA256
    11. Create
  9. Open Netscaler Gateway -> Policies -> Authentication -> SAML
  10. Select Policies, then Add
  11. Set these properties:

    1. Name = <Friendly name>

    2. Server = <Select server created in 2.6>

    3. Expression = ns_true

      (<ns_true enables this policy to always be active when bound to a VIP. A more restrictive expression can be created to allow for more control over when this SAML policy is used and should be based on the customers need.>)

  12. Click OK to Create.
  13. Open Netscaler Gateway -> Virtual Servers
  14. Edit the virtual server you would like to bind SAML to
  15. Scroll down to Authentication
  16. Unbind any existing policies
  17. In the Authentication section, click the + sign
  18. Set these properties
    1. Choose policy = SAML
    2. Choose type = Primary
  19. Click Continue
  20. In the Policy Binding section, select the policy created in previous step
  21. Set the priority to 100
  22. Click Bind
  23. Click Done

3. Add Netscaler SAML SP Metadata to PhenixID Authentication Services

  1. Create Netscaler SAML SP Metadata XML file. Use the template data below and replace entityID and AssertionConsumerService URL. Place the text in a file using a text editor and save it as a xml file.

    <?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="<replace_this_with_value_set_in_step_2.6.7>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="<replace_this_with: https://<citrix_netscaler_virtual_server_fqdn>/cgi/samlauth>>"></AssertionConsumerService>
  </SPSSODescriptor>
</EntityDescriptor>

  2. Upload the metadata file, see the article SAML SP Metadata Upload

Test

  1. Open a web browser
  2. Browse to Netscaler virtual server host
  3. You should be redirected to the Idp (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to Netscaler
  6. You are now logged in to Netscaler.

Troubleshooting

If you are not sure whether you are logged in or not, pls view the Netscaler logs:

  1. Open Configuration -> Authentication -> Logs

  2. Under File to the left, select ns.log

  3. Wait for the system log messages to appear (this might take a while..)

  4. Scroll down to find the messages that correlates to the authentication attempt.

  5. Check the error message.

  6. After a successful authentication, Netscaler will produce a message with this information:

    NA

Single Sign-On Use Case: Integrate with external systems Use Case: Federation of web services Federation SAML 2 Identity Provider