
Is it possible to apply SAML2 authentication for admin login to NetScaler WebUI ?


Mark Nickolai


This will be a two-step process to explain.

The thing is that Microsoft used something called ADAL in the past.

ADAL is now End of Life. End of support, and since March 23 no longer even patched for security fixes.

Whenever you obtain a SAML assertion from Azure IDP you are talking with ADAL in Azure.

MSAL is the new auth framework. It is not possible to obtain a SAML assertion from MSAL endpoints in Azure since MSAL does not support SAML.

This link shows ADAL = End of Life, end of security patches.

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-migration

Furthermore, follow this link and read Microsoft's answer that they do not support SAML on MSAL.

https://learn.microsoft.com/en-us/answers/questions/1074499/is-it-possible-to-use-msal-access-token-in-saml-fl

Adding a very important thing in regards to using OAuth as an IDP in Azure:

You have to use the v2 version since v1 = ADAL.

v2 endpoint is something like this:

https://login.microsoftonline.com/organizations/oauth2/v2.0/ = MSAL

https://login.microsoftonline.com/organizations/oauth2/v1.0/ = ADAL

Yeah, they really keep us busy. This topic is a big challenge for the producers of applications I host behind NetScaler.

They are so proud they can finally say "Now we support SAML"... And I'm like "oh noes, here we go again"... One week of meetings and discussions with their dev team and they go "ok, fuck, we get it now"...


But the really cool thing is: NetScaler supports it :D on everything but CAG. NetScaler can even be an OAuth 2.0 v2 MSAL API gateway with bearer token cache. That means you can protect legacy APIs using NetScaler without rewriting backend code, only client-side, which is possible. Changing legacy backend APIs = forget it, 10+ years of dev work for the devs.
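The reply above distinguishes the v1.0 (ADAL) and v2.0 (MSAL) Azure endpoints by URL. Tokens minted by the two endpoints also differ in their claims, which is what a gateway sitting in front of a legacy API would actually see. The following is an added example, not code from the post or from NetScaler: it decodes a bearer token's payload and checks that both the `ver` claim and the issuer format match the v2.0 endpoint (a v2.0 issuer looks like `https://login.microsoftonline.com/{tenant}/v2.0`, a v1.0 issuer like `https://sts.windows.net/{tenant}/`). The tenant id and sample tokens are constructed placeholders; signature verification is a separate step this snippet does not perform.

```python
import base64
import json

# Issuer formats used by the two Microsoft Entra ID (Azure AD) token endpoints.
V1_ISSUER_PREFIX = "https://sts.windows.net/"            # v1.0 endpoint (ADAL era)
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 endpoint (MSAL)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature verification here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def endpoint_version(token: str) -> str:
    """Classify which endpoint minted the token: 'v2.0', 'v1.0' or 'unknown'.

    The explicit 'ver' claim and the issuer format must agree; a mismatch is
    reported as unknown rather than trusted.
    """
    claims = jwt_claims(token)
    ver = claims.get("ver")
    iss = claims.get("iss", "")
    if ver == "2.0" and iss.startswith(V2_ISSUER_PREFIX) and iss.endswith("/v2.0"):
        return "v2.0"
    if ver == "1.0" and iss.startswith(V1_ISSUER_PREFIX):
        return "v1.0"
    return "unknown"


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens with a placeholder tenant id (not real tokens).
TENANT = "00000000-0000-0000-0000-000000000000"
V2_TOKEN = _make_unsigned_token({"ver": "2.0", "iss": f"{V2_ISSUER_PREFIX}{TENANT}/v2.0", "aud": "api://example"})
V1_TOKEN = _make_unsigned_token({"ver": "1.0", "iss": f"{V1_ISSUER_PREFIX}{TENANT}/", "aud": "api://example"})

if __name__ == "__main__":
    for name, tok in (("v2 sample", V2_TOKEN), ("v1 sample", V1_TOKEN)):
        print(name, "->", endpoint_version(tok))
```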
