SAML is an authentication system designed to separate the user database and the protected services. So you can run services ( mostly in the “cloud”) without having your user database leaving your secure zone.

With NetScaler you can offer an infrastructure to secure your services (NetScaler with SAML SP) and to protect your user database (SAML IdP)   SAML infrastructure

SP: SAML Service Provider

IdP: SAML Identity Provider

It is important to understand the connection flow:

  • the SP trusts the IdP (trust relationship)
  • user connects to service, protected by SP
  • user get redirected by SP to IdP to authetitcate (SAML Request signed by SP)
  • user brings SAML Request to IdP and authenticates (f.e. to AD with LDAP)
  • IdP creates SAML assertion after successful authentication and redirects back to SP (SAML assertion signed by IdP)
  • SP validates SAML assertion and uses values for athorisation and SSO
To test this in a lab, the minimal environment is quite simple:
  • Windows Box:  WebApplication and Userdatabase (AD Controller)
  • NetScaler:  SAML SP and SAML IdP (can run on the same box)
Hint: if resources are available to run two NetScaler, it makes sense to separate SP and IdP.

Lab environment:

Domain Controller with user database:

Hostname: ad1.pcloud.lab

LDAP Policy & Profile:

add authentication ldapAction LDAP_PCloud -serverName ad1.pcloud.lab -ldapBase “DC=pcloud, DC=lab” -ldapBindDn administrator@pcloud.lab -ldapBindDnPassword Citrix123 -ldapLoginName samAccountName

add authentication ldapPolicy LDAP-PCloud ns_true LDAP-PCLoud

add authentication vserver AAA-LDAP-PCloud SSL 443 -AuthenticationDomain pcloud.lab

WebServer with application (could be on the same box as AD):

Hostname: www.pcloud.lab


LoadBalancer: redirects to  SAML SP for TM-AAA

Hostname: lb.pcloud.lab

add server www.pcloud.lab

add service SRV_HTTP-WWW www.pcloud.lab HTTP 80

add lb vserver LB_VS_www.pcloud.lab HTTP 80

bind lb vserver LB_VS_www.pcloud.lab SRV_HTTP-www.pcloud.lab

SAML SP: Redirects to SAML IdP and validates SAML Assertion

Hostname: saml_sp.pcloud.lab

add authentication vserver AAA-SAML_SP SSL 443 -AuthenticationDomain pcloud.lab

samlAction links to IdP:

add authentication samlAction SAML_SP_CNS -samlIdPCertName SAML-IdP -samlSigningCertName SAML-SP -samlRedirectUrl “https://saml_idp.pcloud.lab/saml/login” -samlUserField NameID -samlIssuerName “http://lb_www.pcloud.lab” -defaultAuthenticationGroup DAG_SAML

bind samlPolicy to AuthServer:

add authentication samlPolicy SAML_SP_CNS ns_true SAML_SP_CNS

bind authentication vserver AAA-SAML_SP -policy SAML_SP_CNS

bind SAML-SP as AuthHost to LB VServer:

set lb vserver LB-www -AuthenticationHost saml_sp.pcloud.lab -Authentication ON -authnVsName AAA-SAML_SP

SAML IdP Authentcation VServer: links to AD (per LDAP) and redirects back to SAML SP

Hostname: saml_idp.pcloud.lab

add authentication vserver AAA-SAML_IdP SSL 443 -AuthenticationDomain pcloud.lab

Links to AD (bind  LDAP Authentication)

bind authentication vserver AAA-SAML_IdP -policy Auth_PCloud -priority 200

SAML IdP Konfiguration Profile:

add authentication samlIdPProfile Auth_Pro_SAML_CNS -samlSPCertName SAML-SP -samlIdPCertName SAML-IdP -assertionConsumerServiceURL “http://lb_www.pcloud.lab/cgi/samlauth” -sendPassword ON -samlIssuerName saml_idp.pcloud.lab


add authentication samlIdPPolicy SAML_Idp_CNS -rule “HTTP.REQ.URL.CONTAINS(\”saml\”)” -action Auth_Pro_SAML_CNS

Redirect to SAML SP (Bind SAML IdP Policy)

bind authentication vserver AAA-SAML_IdP -policy SAML_Idp_CNS -priority 100 -gotoPriorityExpression END

Have fun putting your own lab together. For more detaills descriptions incl troubleshooting helps, send me email