Jump to content
Welcome to our new Citrix community!

NetScaler as SAML IDP to Replace MS ADFS Server


Xavier Blackwood

Recommended Posts

Hi, 

 

I am trying to configure our NetScaler as a SAML IDP to replace our MS ADFS server. At a high level we want to use the native OTP feature that came with firmware 12 to provide MFA to internal and SaaS apps. I have the OTP feature working correctly with a newly created Unified gateway vServer. The goal is to logon once to the Unified gateway and have SSO to all apps behind it..

 

I'm not a SAML expert but do understand the concepts when done with MS ADFS. I'm just not sure where to begin on the NetScalers. 

 

Do I need a separate AAA Authentication vServer solely for SAML IDP stuff or just SAML IDP profiles and policies? If yes, does this need to be publicly accessible and is it the equivalent of ADFS https://FQDN/adfs/ls/idpinitiatedsignon.aspx ? Or does the Unified Gateway share the SAML web pages needed to the internet?

 

I just need to know where to start, the NetScaler documentation isn't very clear to a beginner. 

 

Link to comment
Share on other sites

You will create SAML IdP profiles and policies and bind those to a AAA servers.

 

You need to have something publicly accessible; in our environment we have a CSVS public and an internal AAA server behind that. This gives us more flexibility for any related authentication traffic that might first hit an LBVS instead of the AAA server.

 

The SAML endpoint on the Netscaler is https://FQDN/saml/login (it's not well documented). When /saml/login requests are handled by a AAA server, the SAML IdP policies will be processed after the authentication policies to validate/verify the user have completed.

 

Hope that gets you going in the right direction. Good luck.

Link to comment
Share on other sites

Hi Ross, 

 

Thank you for the reply... 

 

We already have a AAA vServer, do I need another solely for SAML duties or is it one AAA vServer handling all authentication, LDAP, SAML, OAth etc?

 

Is there any guide on the internet that you can recommend for Netscaler as an IDP? The Citrix docs are getting me nowhere.

 

Thanks..

Link to comment
Share on other sites

Hi Xavier,

 

I thought i needed/wanted the same as you but i eventually went a different way. I replaced our ADFS Proxy with ADC. If a user wants to open a SaaS application internally he is signed in directly because of our internal ADFS server. If a user logs on to a SaaS application remotely he is pointed to the ADC and has to log in with MFA,  after that he/she is signed in with SSO.

 

Regards.

 

Michel

Link to comment
Share on other sites

Hi Michel, 

 

Thanks for the reply..

 

Is the MFA you are using for external connections the "OTP" feature of the NetScaler or a 3rd party product? We wanted to use the builtin OTP on the NetScalers for budget reasons. If I understand correctly, when the NetScaler is a SAML SP it the initial connection to the Unified Gateway URL gets redirected to ADFS bypassing the OTP on the NetScaler. 

 

 

 

 

Link to comment
Share on other sites

I have followed most of the Citrix articles online about NetScaler as the IDP. My problem is whenever I browser to https://unifiedgatewayfqdn/saml/login I get the error "Malformed Assertion sent to Netscaler; Please contact your administrator". I have created SAML IDP Profiles and Polices and bound them to a AAA vServer that also has LDAP auth policies. Any ideas?

Link to comment
Share on other sites

In our experience, "Malformed Assertion" indicates that there is no SAML policy that was matched. Check your expression for the policy and the incoming request.

 

Some of our policies for POSTs are based on the "referer" header, but we found that some third parties don't send the header. In this case we use the service provider ID field.

 

These might be helpful:

https://support.citrix.com/article/CTX221631

https://support.citrix.com/article/CTX230267

Link to comment
Share on other sites

I finally got a SaaS app to work. I am really disappointed in Citrix, they promote the NetScaler as an IDP solution yet have no real world detailed documentation. If anyone was stuck like me, follow this article http://deyda.net/index.php/en/2019/02/14/citrix-adc-version-12-as-initial-idp-for-office365/. It is for O365 but will work for any SP. 

 

My issue was the expression needed under Relay State Expression, it needs to be HTTP.REQ.COOKIE.  

image.thumb.png.3d7b3a49cdc222968d443871fbfe0976.png

 

You also need to pull the LDAP Attributes needed via the LDAP server, e.g. givenName, sn, mail.. The SAML IDP profile to configure is not under AAA but instead under 

Citrix Gateway - Policies -Traffic - SAML SSO Profiles. You will need a SAML SSO profile for each SP, these are bound to the Gateway Bookmarks. Fill out the usual SAML info needed and reference the LDAP attributes configured with the expression AAA.USER.ATTRIBUTE(x).  The bookmark also needs to be set as below; 

 

image.thumb.png.379ea55497ea311fa714e0836826ec67.png

 

What still doesn't work is if the SP is redirecting back to us, the https://<gatewayfqdn>/saml/login page never loads. This is only working if we initiate the logon from our portal. Any ideas?

Link to comment
Share on other sites

Traffic SAML SSO profiles are used for IdP-initiated logins (originating from Netscaler), while SP-initiated ones use profiles under AAA (Security > AAA > Policies > Authentication > Advanced > SAML IDP). Those policies need to be bound to the server that handles /saml/login requests.

Link to comment
Share on other sites

When you say /saml/login never loads, do you mean the page spins and doesn't ever load content in the browser? If so, check that your traffic flow to your AAA server is correct. In our environment, we have a CSVS with a policy that sends traffic to an internally addressable AAA server.

 

Or does the page load, but your policy isn't invoked? If so, check your policy expression and compare it with the incoming request.

 

It also helps to open a few shells to the Netscaler and run the following for debugging:

cat /tmp/aaad.debug
tail -f /var/log/ns.log

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...