Jump to content
Welcome to our new Citrix community!

Pulling username from SAML assertion for Netscaler to act as a WebAuth proxy server

Recommended Posts

I've got an authentication setup that I'm not 100% sure about the best way to proceed. Here's the setup:

  • Shibboleth as SAML IdP (working)
  • Netscaler as SAML SP (working)
  • Application server back end load balanced by the Netscaler (working)
  • use netscaler to pull username from SAML assertion (need to do)
  • use netscaler to act as a WebAuth server to provide authentication to the application server back end (need to do)

I found some documentation on using Netscaler as a WebAuth client but not as a server at https://www.citrix.com/blogs/2015/06/05/netscaler-web-based-authentication/ and at https://support.citrix.com/article/CTX200819/how-to-configure-netscaler-for-web-authentication-with-vasco-and-use-the-extracted-attributes-for-sso-to-storefront .

The main thing is that I'm not sure how to pull the username out of the SAML assertion and then have the Netscaler act as if it is a WebAuth server for when the back-end application server is configured for WebAuth authentication.

For reference, here is the application's documentation on setting up WebAuth:



Mike K.

Link to comment
Share on other sites

So you could give it a try with expression "AAA.USER.NAME". Did not try it yet but the description looks like match. Just found this some days ago.

image.png.436a4021bc9c8feffdde80ee20279217.pngAnother way when assuming you are using Azure Enterprise Apps. Try creating a custom entry in SAML SSO settings under "Attributes & Claims" for example name "MyCustomUPN" and value "user.userprincipalname". In your SAML server/action add this attribut to form field "Attributes" under "More" (comma seperated list if you have more then one). So this value is then requested via SAML This received attribute can then be used in expressions after the SAML auth is done like "AAA.USER.ATTRIBUTE("MyCustomUPN"). This will not work with the default attributes. Did only work with custom ones for me!

Hope that helps somehow or points you in some right directions.

Link to comment
Share on other sites

  • 2 weeks later...
  • 4 weeks later...

Thank you both for your suggestions. I've tried both a traffic authorization policy and a rewrite policy to insert a http header but neither one is passing the user information to the back-end server.

To be clear, the SAML authentication works fine but when after that once we're redirected to the back-end server, the user is prompted to login again by the back-end server because it doesn't know which user is coming in through that session.

Link to comment
Share on other sites

  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...