Jump to content
  • NetScaler Gateway and Microsoft Azure Multi-Factor Authentication Part 4


    Guest
    • Validation Status: Validated
      Summary: NetScaler Gateway presents all hosted, SaaS, web, enterprise, and mobile applications to users on any device and any browser. It uses nFactor Authentication to authenticate users against on-premises Microsoft AD and leverages Microsoft AD FS for Azure Multi-Factor Authentication (MFA).
      Has Video?: No

    Continued from Part 3

    Configure an initial authentication flow

    Pattern Set - Gateway and AAA Hostname

    add policy patset PATSET_GATEWAY_HOSTHEADERbind policy patset PATSET_GATEWAY_HOSTHEADER access.ctxdemos.com -index 1 -charset ASCIIbind policy patset PATSET_GATEWAY_HOSTHEADER aaa.ctxdemos.com -index 2 -charset ASCII

    Policy Expression - Gateway and AAA Hostname

    add policy expression is_GATEWAY_HOSTNAME "HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_GATEWAY_HOSTHEADER\")"

    Create Initialization Load Balancing vServer

    add lb vserver LBVS_SAML_SP_INITIALIZATION SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile AAA_AUTH_PRFset ssl vserver LBVS_SAML_SP_INITIALIZATION -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YESbind lb vserver LBVS_SAML_SP_INITIALIZATION LBSVC_ALWAYS_UPbind ssl vserver LBVS_SAML_SP_INITIALIZATION -certkeyName CTXDEMOS_PUBLIC_CERTbind ssl vserver LBVS_SAML_SP_INITIALIZATION -cipherName CTXDEMOS_FRONTEND_APLUS

    Create Initialization Content Switching Policy and Action

    add cs action CSACT_SAML_SP_INITIALIZATION -targetLBVserver LBVS_SAML_SP_INITIALIZATIONadd cs policy CSPOL_SAML_SP_INITIALIZATION -rule "is_GATEWAY_HOSTNAME && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(\"/samltolb\")" -action CSACT_SAML_SP_INITIALIZATION

    Bind Content Switching Policies to NetScaler Gateway Content Switching vServer

    bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_SAML_SP_INITIALIZATION -priority 500

    Create Initialization NetScaler ADC AAA Traffic Policy and Action and Bind it to Load Balancing vServer

    add tm samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LB -samlSigningCertName CTXDEMOS_PUBLIC_CERT -assertionConsumerServiceURL "https://access.ctxdemos.com/cgi/samlauth" -relaystateRule "HTTP.REQ.URL.QUERY.VALUE(\"RelayState\")" -signatureAlg RSA-SHA256 -digestMethod SHA256 -Attribute1 Password -Attribute1Expr AAA.USER.PASSWD -Attribute2 Groups -Attribute2Expr AAA.USER.GROUPS -encryptAssertion ON -samlSPCertName CTXDEMOS_PUBLIC_CERTadd tm trafficAction AAATM_PRF_VPN_TO_LB -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LBadd tm trafficPolicy AAATM_POL_VPN_TO_LB "HTTP.REQ.URL.STARTSWITH(\"/samltolb\")" AAATM_PRF_VPN_TO_LBbind lb vserver LBVS_SAML_SP_INITIALIZATION -policyName AAATM_POL_VPN_TO_LB -priority 100 -gotoPriorityExpression END -type REQUEST

    Cipher groups

    Create Cipher Group for Backend vServers
     

    add ssl cipher CTXDEMOS_BACKENDbind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 4bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 5bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 6bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 7

    Create Cipher Group for Frondend vServers

    add ssl cipher CTXDEMOS_FRONTENDbind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 4bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 5bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES128-SHA -cipherPriority 8bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES256-SHA -cipherPriority 9bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 10bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 11bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 12bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 13bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 15bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 16bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 17bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 18bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 19bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 20

     

    Create Cipher Group for Frondend vServers - A+

    add ssl cipher CTXDEMOS_FRONTEND_APLUSbind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 4bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 5bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 -cipherPriority 6bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 8bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 9bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 13bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 14bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 15bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 16

     

    Login schema XML file

    CTXDEMOS_USER_NAME_PASS.XML

    <?xml version="1.0" encoding="utf-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">    <Status>success</Status>    <Result>more-info</Result>    <StateContext/>    <AuthenticationRequirements>        <PostBack>/nf/auth/doAuthentication.do</PostBack>        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>        <CancelButtonText>Cancel</CancelButtonText>        <Requirements>            <Requirement>                <Credential>                    <ID>login</ID>                    <SaveID>ExplicitForms-Username</SaveID>                    <Type>username</Type>                </Credential>                <Label>                    <Text>User name</Text>                    <Type>plain</Type>                </Label>                <Input>                    <AssistiveText>Please supply username</AssistiveText>                    <Text>                        <Secret>false</Secret>                        <ReadOnly>false</ReadOnly>                        <InitialValue>${AAA.USER.NAME}</InitialValue>                        <Constraint>.+</Constraint>                    </Text>                </Input>            </Requirement>            <Requirement>                <Credential>                    <ID>passwd</ID>                    <SaveID>ExplicitForms-Password</SaveID>                    <Type>password</Type>                </Credential>                <Label>                    <Text>Password:</Text>                    <Type>plain</Type>                </Label>                <Input>                    <Text>                        <Secret>true</Secret>                        <ReadOnly>false</ReadOnly>                        <InitialValue/>                        <Constraint>.+</Constraint>                    </Text>                </Input>            </Requirement>            <Requirement>                <Credential>                    <ID>saveCredentials</ID>                    <Type>savecredentials</Type>                </Credential>                <Label>                    <Text>Remember my password</Text>                    <Type>plain</Type>                </Label>                <Input>                    <CheckBox>                        <InitialValue>false</InitialValue>                    </CheckBox>                </Input>            </Requirement>            <Requirement>                <Credential>                    <ID>loginBtn</ID>                    <Type>none</Type>                </Credential>                <Label>                    <Type>none</Type>                </Label>                <Input>                    <Button>Log On</Button>                </Input>            </Requirement>        </Requirements>    </AuthenticationRequirements></AuthenticateResponse>

    CTXDEMOS_USER_NAME_ONLY.XML

    CTXDEMOS_USER_NAME_ONLY.XML<?xml version="1.0" encoding="utf-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">    <Status>success</Status>    <Result>more-info</Result>    <StateContext/>    <AuthenticationRequirements>        <PostBack>/nf/auth/doAuthentication.do</PostBack>        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>        <CancelButtonText>Cancel</CancelButtonText>        <Requirements>            <Requirement>                <Credential>                    <ID>login</ID>                    <SaveID>ExplicitForms-Username</SaveID>                    <Type>username</Type>                </Credential>                <Label>                    <Text>User name</Text>                    <Type>plain</Type>                </Label>                <Input>                    <AssistiveText>Please supply username</AssistiveText>                    <Text>                        <Secret>false</Secret>                        <ReadOnly>false</ReadOnly>                        <InitialValue/>                        <Constraint>.+</Constraint>                    </Text>                </Input>            </Requirement>            <Requirement>                <Credential>                    <Type>none</Type>                </Credential>                <Label>                    <Text> Please submit credentials to continue Login ...</Text>                    <Type>confirmation</Type>                </Label>                <Input/>            </Requirement>            <Requirement>                <Credential>                    <ID>saveCredentials</ID>                    <Type>savecredentials</Type>                </Credential>                <Label>                    <Text>Remember my password</Text>                    <Type>plain</Type>                </Label>                <Input>                    <CheckBox>                        <InitialValue>false</InitialValue>                    </CheckBox>                </Input>            </Requirement>            <Requirement>                <Credential>                    <ID>loginBtn</ID>                    <Type>none</Type>                </Credential>                <Label>                    <Type>none</Type>                </Label>                <Input>                    <Button>Log On</Button>                </Input>            </Requirement>        </Requirements>    </AuthenticationRequirements></AuthenticateResponse>

    References

    Authentication to NetScaler using AD FS 4.0 on Server 2016, Citrix FAS, and Azure MFA in Azure Cloud. (2018). Retrieved from https://www.jgspiers.com/authentication-to-netscaler-using-ad-fs-4-0-server-2016-citrix-fas-azure-mfa-azure-cloud/

    Configure Azure MFA as authentication provider with AD FS. (2019). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

    Deploying a Federation Server Farm. (2017). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm

    Federated Authentication Service ADFS deployment. (Current). Retrieved from https://docs.citrix.com/en-us/federated-authentication-service

    Guide to deploying NetScaler as an Active Directory Federation Services Proxy. (n.d.). Retrieved from https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/adfs-proxy-wsfed.html

    How it works: Azure Multi-Factor Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

    Planning a cloud-based Azure Multi-Factor Authentication deployment. (2019). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

    Tijl Van den Broeck. (Dec 7, 2017). ADFS v3 on Windows Server 2012 R2 with NetScaler. Retrieved from https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/

    Transition to hybrid cloud and SaaS with Citrix Gateway. (n.d.). Retrieved from https://www.citrix.com/products/citrix-gateway/resources/netscaler-unified-gateway.html

    User sign-in with Azure Active Directory Pass-through Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...