This guide describes how to set up and configure NetScaler as a SAML service provider protecting a very basic IIS-hosted website. Requests get authenticated against a SAML identity provider, here simplesamlphp. The guide further describes how to set up a basic CentOS installation via net install on XenServer 6.0.2. Simplesamlphp will be installed and configured together with Apache, PHP and SSL.

Environment
The environment consists of two class C networks, 192.168.199.0/24 (dmz) and 192.168.200.0/24 (lab.local). In the dmz resides a NetScaler MPX, which will be the SAML service provider in the target configuration. Lab.local contains all internal services and the machine which will be set up throughout this guide.

Audience
This document is targeted towards a NetScaler and networking experienced audience. Hence some tools and basic knowledge may not be described here.

Prerequisites

  • Working and base configured NetScaler 10 MPX
  • XenServer host with 8GB storage for virtual machine, 512MB of free RAM
  • Network for guest vm with internet access
  • CentOS install media (http://ftp.uni-bayreuth.de/linux/CentOS/6/isos/x86_64/CentOS-6.3-x86_64-netinstall.iso)
  • Putty SSH client
  • A certificate authority to sign both certificates, and its public key (“lab-ca.crt”, Base64 encoded)
  • A certificate and private key for “centos.lab.local” (“centos.lab.local.key” / “centos.lab.local.cert”, Base64 encoded, no password for the key)
  • A certificate and private key for “aaa.lab.local” (“aaa.lab.local.key” / “aaa.lab.local.cert”, Base64 encoded, no password for the key)
  • DNS names of centos.lab.local (IdP), dclb.lab.local (protected LB VSERVER) and aaa.lab.local (AAA VSERVER) must be resolvable

Creation of XenServer guest
Log in to XenCenter and create a new guest vm with the given parameters

  • 1 CPU
  • 512 MB RAM
  • 8 GB of HDD
  • 1 Network interface, connected to a network with internet access and DHCP (or configure the vm’s IP address manually later)
  • DVD drive connected to the CentOS net install iso file

Select the “CentOS 6” template and give the new guest a name.

Choose the previously downloaded CentOS net install ISO and the target XenServer to host your guest.

Leave the CPU number and configure 512 MB of RAM.

Select the network to contain your guest and finish the creation process.

Installation of base system
After the creation process has completed, XenServer will launch the newly created machine. When the installation starts, complete the steps with the following parameters:

  • Skip media test (as we are in lab)
  • Language: English
  • Installation Method: URL
  • Configure TCP/IP: Enable IPv4 support with DHCP only
  • URL setup: http://mirror.centos.org/centos/6/os/x86_64
  • Timezone settings: to fit your territory
  • Root Password: choose one!
  • Partitioning Type: replace existing Linux system

Skip the media test to save time and choose English as language to align with this guide.

Choose “URL” as installation method, as we only have the net install media, and use IPv4 with DHCP.

Configure the given url to CentOS installation sources (http://mirror.centos.org/centos/6/os/x86_64).

The installation files will be fetched and the installation process will start.

As this disk has never been used, it has to be initialized. After this the timezone needs to be configured.

Root password and partition layout need to be set.

There is no old data on the disk, so write the changes! The installation to the hard disk starts…

Base system is now ready and can be rebooted.

Once rebooted, log in using username root and the previously chosen password, and find out the system’s IP address using the following command line.

[root@localhost ~]# ifconfig eth0

Now log in using Putty, which makes it a lot easier to work with the system.

From now on all work can be done via Putty. Command line examples can be copied and pasted into Putty.

Configuration of base system
First install nano, an easy to use command line editor.

[root@localhost ~]# yum -y install nano

After having installed nano, some system parameters have to be changed. To save time a few tools need to be installed.
[root@localhost ~]# yum -y install system-config-network-tui system-config-firewall-base

Use system-config-network to update your network configuration.
[root@localhost ~]# system-config-network

Disable SELinux enforcement: open the SELinux config with nano and change the line starting with
SELINUX=enforcing

to
SELINUX=permissive

[root@localhost ~]# nano /etc/selinux/config (CTRL + X to save)

Stop and disable iptables.
[root@localhost ~]# /etc/init.d/iptables stop
[root@localhost ~]# chkconfig iptables off

To restart the network interface with the newly configured parameters, use the XenCenter console of your CentOS vm and enter the following lines.
[root@localhost ~]# ifdown eth0
[root@localhost ~]# ifup eth0

From now on connect to your CentOS vm using Putty and the new IP address.

Installation / Configuration of Apache, PHP, SSL

The system has been installed in a minimal configuration; no services beyond the basics are running. As we will install a PHP script we first need a web server equipped with scripting language support (PHP) and secure socket layer (SSL). To install Apache and the add-ons the following commands need to be issued.

Install apache and php base:

[root@localhost ~]# yum -y install httpd mod_ssl php

Install needed php addons:
[root@localhost ~]# yum -y install php-xml php-ldap php-memcache

Try starting apache:
[root@localhost ~]# service httpd start

Now you can access the vm’s website using http://<configured ip>

To test the PHP installation create a new file called test.php in /var/www/html and fill it with the example below.
[root@localhost ~]# nano /var/www/html/test.php (CTRL + X to save)

Example:
<?php phpinfo(); ?>

PHP can be tested using a browser and the URL http://<configured ip>/test.php. The result should be the PHP info page.

Now the webserver is ready to be configured with a socket on port 443 tcp, secured by SSL. To do this an SSL certificate is needed. This guide uses two separate files, one containing the private key and another containing the certificate. The certificate was made for the DNS name “centos.lab.local”. As the files are relatively small they can be copied into the clipboard and pasted into the Putty session. To do this first change into the directory /etc/pki/tls/private and open a new file “centos.lab.local.key” with nano.

[root@localhost ~]# cd /etc/pki/tls/private/

[root@localhost private]# nano centos.lab.local.key

Paste the previously copied content of the private key into the Putty window by clicking the right mouse button and save the file with CTRL + X. Now change directory to /etc/pki/tls/certs, open a new file “centos.lab.local.cert” with nano and paste the certificate the same way.

[root@localhost private]# cd /etc/pki/tls/certs

[root@localhost certs]# nano centos.lab.local.cert

To configure apache with the new certificate two values in the file /etc/httpd/conf.d/ssl.conf need to be changed using nano as follows.
SSLCertificateFile /etc/pki/tls/certs/centos.lab.local.cert

SSLCertificateKeyFile /etc/pki/tls/private/centos.lab.local.key

After saving the file Apache needs to be restarted using the following command line.
[root@localhost conf.d]# /etc/init.d/httpd restart

After apache has been restarted the default website is reachable on https, too.

Installation and configuration of Simplesamlphp

Now that the webserver is ready to host applications, the identity provider can be downloaded. The easiest way to get the files onto the CentOS machine is curl.

[root@localhost ~]# curl http://simplesamlphp.googlecode.com/files/simplesamlphp-1.9.1.tar.gz > /root/simplesamlphp.tar.gz

Tar needs to be used to unpack the downloaded archive.
[root@localhost ~]# tar -xvzf /root/simplesamlphp.tar.gz

To tidy things up a bit, the directory needs to be renamed to simplesamlphp.
[root@localhost ~]# mv simplesamlphp-1.9.1/ simplesamlphp

Now the whole directory needs to be moved to /var, because /root is a user folder.
[root@localhost ~]# mv simplesamlphp /var/

To make simplesamlphp’s web interface visible to users, Apache needs to be configured with an alias. Open the file /etc/httpd/conf.d/ssl.conf with nano and scroll down to the end of the file. Locate the line “</VirtualHost>” and insert the following line above it.
Alias /simplesaml /var/simplesamlphp/www

Restart apache.
[root@localhost ~]# /etc/init.d/httpd restart

Simplesamlphp is now accessible via https://<configured ip>/simplesaml. (Configure DNS for the CentOS vm to get rid of certificate errors.)

To be able to log in as administrator the file /var/simplesamlphp/config/config.php needs to be edited via nano. The following lines need to be changed.

Change “123” to a new and secure administrator password.

'auth.adminpassword' => '123',

Change “defaultsecretsalt” to some random string, e.g. “NetScalerRocks”.
'secretsalt' => 'defaultsecretsalt',

Change NULL to a PHP timezone (see http://php.net/manual/en/timezones.php).
'timezone' => NULL,

Change false to true.
'enable.saml20-idp' => false,

Save config.php with CTRL + X.

Enable the authentication via local test accounts.

[root@localhost ~]# mv /var/simplesamlphp/modules/exampleauth/default-disable /var/simplesamlphp/modules/exampleauth/default-enable

Now saml needs to be configured. First the IdP part needs some changes which need to be made in the file saml20-idp-hosted.php.

[root@localhost ~]# nano /var/simplesamlphp/metadata/saml20-idp-hosted.php

The following lines need to be added below the line

$metadata['__DYNAMIC:1__'] = array(

/*
 * Disable the message signing as the NetScaler does not understand this signature type
 */
'saml20.sign.response' => FALSE,
'saml20.sign.assertion' => FALSE,

The following line needs to be configured with “example-userpass” for the local accounts to work.
'auth' => 'example-userpass',

Save the file and quit nano using CTRL+X. Now the IdP part is finished, and the IdP needs to know how to deal with SAML requests from certain service providers. This is done in the file “saml20-sp-remote.php”.
[root@localhost ~]# nano /var/simplesamlphp/metadata/saml20-sp-remote.php

At the end of the file the following lines must be inserted. Quit nano using CTRL+X after insertion.
$metadata['dclb.lab.local'] = array(
 'AssertionConsumerService' => 'http://dclb.lab.local/cgi/samlauth',
);

Time synchronization

As SAML works with tickets, and tickets have a defined lifetime, time synchronization between all systems is essential. To keep the time on the IdP in sync, NTP needs to be installed. This can be done with the following commands.

[root@localhost ~]# yum -y install ntp
[root@localhost ~]# chkconfig ntpd on
[root@localhost ~]# ntpdate pool.ntp.org
[root@localhost ~]# /etc/init.d/ntpd start

Now the system’s time gets synchronized with the NTP servers at pool.ntp.org.
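The two IdP settings above that matter most for the service provider are the disabled Response/Assertion signing in saml20-idp-hosted.php and the assertion lifetime that time synchronization protects. The following Python script is an added example, not code from this guide, from NetScaler or from simplesamlphp: it parses a SAML Response and reports whether the Response and Assertion carry a signature element at all (presence only, not signature validity), and checks the assertion's NotBefore/NotOnOrAfter window against a given clock with a clock-skew allowance, which shows why an unsynchronized SP or IdP rejects every assertion. The Response, the issuer URL and the placeholder signature are constructed for the example.

```python
"""Audit a SAML 2.0 Response for signature presence and validity window.

Added example; not code from the guide, from NetScaler or from simplesamlphp.
The sample Response, the issuer URL and the placeholder signature below are
constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an unsigned Response carrying an unsigned Assertion for the
# service provider "dclb.lab.local" from this guide, as the 'saml20.sign.*' => FALSE
# settings produce.  The issuer URL is assumed.
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2012-08-16T16:00:00Z"
    Destination="http://dclb.lab.local/cgi/samlauth">
  <saml:Issuer>https://centos.lab.local/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2012-08-16T16:00:00Z">
    <saml:Issuer>https://centos.lab.local/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject><saml:NameID>student</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-08-16T15:59:30Z" NotOnOrAfter="2012-08-16T16:05:00Z">
      <saml:AudienceRestriction><saml:Audience>dclb.lab.local</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The same message with a placeholder signature element inside the Assertion, the
# shape an IdP configured with 'saml20.sign.assertion' => TRUE would produce.
SIGNED_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml:Subject>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>"
    "<saml:Subject>",
    1,
)


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2012-08-16T16:00:00Z."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC and end with 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def signature_status(response_xml):
    """Report whether the Response and each Assertion contain a ds:Signature child."""
    root = ET.fromstring(response_xml)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": [
            {"id": a.get("ID"), "signed": a.find("ds:Signature", NS) is not None}
            for a in root.findall("saml:Assertion", NS)
        ],
    }


def check_validity_window(response_xml, now, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means every Assertion is inside its window.

    'skew' is the clock difference tolerated between IdP and SP.  Without NTP a lab
    drifts by minutes, which makes every assertion fail one of these two tests.
    """
    root = ET.fromstring(response_xml)
    problems = []
    for assertion in root.findall("saml:Assertion", NS):
        aid = assertion.get("ID")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            problems.append("%s: no Conditions element" % aid)
            continue
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append("%s: not yet valid (NotBefore %s)" % (aid, not_before))
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            problems.append("%s: expired (NotOnOrAfter %s)" % (aid, not_on_or_after))
    return problems


if __name__ == "__main__":
    print(signature_status(UNSIGNED_RESPONSE))
    print(signature_status(SIGNED_RESPONSE))
    sp_clock = datetime(2012, 8, 16, 16, 1, 0, tzinfo=timezone.utc)
    print("SP clock in sync:", check_validity_window(UNSIGNED_RESPONSE, sp_clock))
    print("SP clock 10 minutes fast:",
          check_validity_window(UNSIGNED_RESPONSE, sp_clock + timedelta(minutes=10)))
```

Run it against a Response captured from the lab (the browser's developer tools show the POST to /cgi/samlauth) to confirm what the IdP actually sends; the skew of 60 seconds is the example's own choice, and whatever tolerance the SP applies, the window in the sample is only five and a half minutes wide, so a drift of that size makes logins fail.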

NetScaler Configuration

In this example a default IIS page will be secured by an AAA VSERVER. To achieve this the following steps need to be performed.

  • Copy lab-ca.crt, aaa.lab.local.key/.cert and centos.lab.local.cert onto the NetScaler into the directory /nsconfig/ssl
  • Install SSL certificates for CA, AAA VSERVER and IdP’s public key on NetScaler.
  • Create AAA VSERVER with SAML authentication policy/server.
  • Create a LB VSERVER with a backend SERVICE pointing to a Microsoft IIS server.
  • Configure LB VSERVER with authentication.

The previously copied certificates need to be installed on NetScaler. In the NetScaler GUI switch to SSL, Certificates.

Now the aaa.lab.local certificate needs to be linked to the lab CA certificate.

Now that the certificates are installed, an AAA VSERVER listening on port 443 (SSL) can be added and configured with authentication against the previously installed and configured SAML IdP.
In the NetScaler GUI switch to AAA - Application Traffic, Policies, Authentication, SAML and create the AAA authentication server and policy.

Create the AAA VSERVER.

In the NetScaler GUI switch to Load Balancing, Services and create a service pointing to an IIS server at the backend.

Switch to Virtual Servers and create the LB VSERVER with authentication.

Now NetScaler is configured.

Test
To test the environment, point a browser to http://dclb.lab.local. NetScaler will notice there is no SAML assertion in the request and will forward the browser to the configured redirect URL (the IdP). After logging in there, the IdP will redirect the browser back to the originally requested resource.

Log in using student / studentpass.

The IdP will check the login data and redirect to the requested resource.
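The redirect described in this test step is the SAML 2.0 HTTP-Redirect binding: the service provider packs an AuthnRequest into the SAMLRequest query parameter of the IdP's single sign-on URL, and the IdP unpacks it and decides whether to answer. The following Python script is an added example, not NetScaler's or simplesamlphp's code, that builds a minimal AuthnRequest for the dclb.lab.local SP, encodes it the way the binding prescribes (raw DEFLATE, base64, URL encoding), decodes it again as an IdP would, and checks the request's AssertionConsumerServiceURL against the SP entry from saml20-sp-remote.php above; an IdP must only post assertions to an ACS it has registered, which is what that entry is for. The IdP SSO endpoint URL is an assumption for this lab, and the AuthnRequest is a generic one, not necessarily byte-for-byte what NetScaler emits.

```python
"""SP-initiated SAML 2.0 HTTP-Redirect binding, both sides, plus the IdP's ACS check.

Added example; not NetScaler's or simplesamlphp's code.  IDP_SSO_URL is assumed
for the lab in this guide; SP_REMOTE mirrors the saml20-sp-remote.php entry.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# From the guide: the SP entity and its ACS as entered in saml20-sp-remote.php.
SP_REMOTE = {"dclb.lab.local": {"AssertionConsumerService": "http://dclb.lab.local/cgi/samlauth"}}
# Assumed for this example: the SSO endpoint of the lab IdP.
IDP_SSO_URL = "https://centos.lab.local/simplesaml/saml2/idp/SSOService.php"


def build_authn_request(request_id, issue_instant, issuer="dclb.lab.local",
                        acs_url="http://dclb.lab.local/cgi/samlauth"):
    """Minimal AuthnRequest; real SPs add NameIDPolicy, ProtocolBinding and more."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ) % (request_id, issue_instant, IDP_SSO_URL, acs_url, issuer)


def encode_redirect_url(authn_request_xml, relay_state=None):
    """SP side: raw DEFLATE (wbits -15 means no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # where the SP wants the user sent afterwards
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """IdP side: reverse the binding and pull out the fields the IdP has to check."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15).decode("utf-8"))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def check_request_against_sp_remote(decoded, sp_remote=SP_REMOTE):
    """Return the problems an IdP should raise before answering; [] means acceptable."""
    problems = []
    entry = sp_remote.get(decoded["issuer"])
    if entry is None:
        problems.append("unknown issuer %r: no entry in saml20-sp-remote.php" % decoded["issuer"])
        return problems
    if decoded["destination"] != IDP_SSO_URL:
        problems.append("Destination %r is not this IdP's SSO endpoint" % decoded["destination"])
    if decoded["acs_url"] and decoded["acs_url"] != entry["AssertionConsumerService"]:
        problems.append("ACS %r does not match the registered %r"
                        % (decoded["acs_url"], entry["AssertionConsumerService"]))
    return problems


if __name__ == "__main__":
    url = encode_redirect_url(build_authn_request("_req1", "2012-08-16T16:00:00Z"),
                              relay_state="http://dclb.lab.local/")
    print(url)
    decoded = decode_redirect_url(url)
    print(decoded)
    print("problems:", check_request_against_sp_remote(decoded))
```

decode_redirect_url also works on the URL the browser is actually sent to in this test (copy it from the address bar while the IdP login page is shown), which is a quick way to confirm that the issuer and ACS NetScaler announces are the ones entered in saml20-sp-remote.php.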

To follow

  • Authorization with SAML (affiliations)
  • Authentication against LDAP (Active Directory)