Security Assertion Markup Language 2.0 or SAML 2.0 is being rapidly adopted in the market.
At a glance, SAML 2.0 is a set of open standards that use XML to transport authentication and authorization data between trusted endpoints. The most widely adopted use case is web single sign-on (SSO). SAML 2.0 addresses the authentication challenges of the internet, as opposed to an intranet.
The latest Citrix NetScaler release, 10.5, supports both SAML 2.0 endpoint roles: Service Provider (SP) and Identity Provider (IdP).
In the article below we will walk through how to set up Citrix NetScaler as both SP and IdP, completing the SAML trust fabric.
Resources used in this exercise:
- Domain Controller with Active Directory
- Citrix NetScaler VPX 10.5
- Windows IIS server hosting a web application
FQDNs and specific configurations:
- Domain = DCTEST.com
- LB vServer FQDN = webt.dctest.com
- SP AAA vServer = aaa.sp.dctest.com
- IdP AAA vServer = aaa.idp.dctest.com
Prerequisites for securing the virtual server connections:
- Create three SSL certificates, one for each vServer they will be bound to: the LB vServer, the AAA SP vServer, and the AAA IdP vServer.
Create a LB vServer for your web application.
1. Add the server into NetScaler by navigating to Traffic Management – Load Balancing – Servers (enter the server name and IP address).
2. Add the service into NetScaler: Traffic Management – Load Balancing – Services (choose Existing Server and select the one just created).
3. Create a LB vServer: Traffic Management – Load Balancing – Virtual Servers (enter a name, IP address, and port; use 443 if you want it secured via SSL).
4. Bind the service created in step 2 to the LB vServer.
Create SAML SP Profile
1. Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML (select the Servers tab and provide a name for the SAML server).
2. Select the IdP certificate.
3. Provide the Redirect URL. This is the URL the SP will redirect the user to in order to authenticate against the IdP. In our example, because we are using NetScaler as both SP and IdP, the URL is https://aaa.idp.dctest.com/saml/login, where https://aaa.idp.dctest.com is the FQDN of my IdP AAA vServer and /saml/login is the path NetScaler expects in a SAML assertion flow.
4. Add the signing certificate. This is the certificate you created for the SP AAA vServer.
5. Add the Issuer Name. In our example we used the IdP AAA vServer (aaa.idp.dctest.com). This field varies with the provider's requirements: if a third party is one of the endpoints, follow their documentation, as it may differ.
6. Turn on Reject Unsigned Assertion. This forces the assertion to be signed.
7. Ensure the SAML Binding parameter is set to POST.
8. Click OK.
Next we are going to create a SAML SP policy.
1. Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML (select the Policies tab).
2. Add a new policy (provide a name and select the server we just created).
3. Enter ns_true for the expression.
Create SAML IdP Profile
1. Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML IdP (select the Profiles tab and enter a name for the IdP profile).
2. Input the Assertion Consumer Service URL (ACS). In our example, because a LB vServer balances the web server, the ACS URL is the LB vServer address (https://webt.dctest.com) followed by /cgi/samlauth, the path where the LB vServer listens for SAML assertions.
3. Provide the SP certificate.
4. Provide the IdP certificate.
5. Provide the Issuer Name (the name has to match the one in the SP profile).
6. Input the audience. In our case it is the LB vServer address.
7. Click OK.
Next we are going to create the SAML IdP policy.
1. Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML IDP (select the Policies tab and provide a name).
2. Select the action (the profile we just created).
3. Under Expression, input:
We have now created a SAML SP policy and server, as well as an IdP policy and profile. The last policy we need to create is an LDAP policy for a user store.
Create an LDAP Policy
1. Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – LDAP (select the Servers tab and provide a policy name).
2. In our example we are using AD. Fill out the required fields with your AD connection settings.
3. Click OK.
Create the AAA vServer for the SP
1. Security – AAA – Application Traffic – Virtual Servers (provide a name, IP, and port).
2. Bind the SSL certificate created for the SP.
3. Bind the SAML SP policy created in the previous step.
4. Bind the form-based virtual server (the LB vServer) created earlier.
5. Click Done.
Create the AAA vServer for the IdP
1. Security – AAA – Application Traffic – Virtual Servers (provide a name, IP, port, and authentication domain; in our example we used the IdP AAA vServer FQDN, aaa.idp.dctest.com).
2. Bind the SSL certificate created for the IdP.
3. Bind the basic LDAP policy created earlier.
4. Bind the basic SAML IdP policy created earlier.
5. Click Done.
Everything has now been configured to complete the SAML assertion flow using the NetScaler as both SAML endpoints.
To test, point your browser to the LB vServer that is balancing your web application.
If successful, it should redirect you to the NetScaler AAA vServer on the IdP for authentication. Once you enter your credentials you should be authorized to access the web app.
To view the 'behind the scenes' you can run a trace on the NetScaler, or install a plug-in into the browser. I used Http Live Headers Plug-In for Firefox. Just run a Live Headers trace when accessing the web app to view the SAML request and response. Note that it is encoded; to view the actual text you will need to decode it. There are many online SAML decoders that will do the trick.
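As an added example (not part of the original article), the following Python script performs the decoding step described above offline and then compares the decoded response against the values this walkthrough configures: the IdP issuer name, the audience, the ACS URL, and whether the assertion carries a signature, which is what Reject Unsigned Assertion enforces on the SP. The sample response is constructed, with a placeholder where a real XML signature would be, and the script checks only that a Signature element is present, not that it verifies.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

EXPECTED = {"issuer": "aaa.idp.dctest.com",  # values the trust fabric above is configured with
            "audience": "https://webt.dctest.com",
            "destination": "https://webt.dctest.com/cgi/samlauth"}

def decode_saml_param(value, binding):
    """Decode a SAMLRequest/SAMLResponse value: POST binding is base64 of the XML,
    Redirect binding is base64 of raw-DEFLATE'd XML (wbits -15 = no zlib header)."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def inspect_response(xml_text):
    """Pull out the fields the SP checks and whether the Assertion carries a Signature."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return {"destination": root.get("Destination"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "audience": assertion.findtext(
                "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "assertion_signed": assertion.find("ds:Signature", NS) is not None}

def check_response(fields):
    """Return the list of mismatches against EXPECTED; an empty list means the response fits."""
    problems = [k + " mismatch: " + str(fields[k]) for k in EXPECTED if fields[k] != EXPECTED[k]]
    if not fields["assertion_signed"]:  # only presence is checked here, not signature validity
        problems.append("assertion unsigned (rejected when Reject Unsigned Assertion is on)")
    return problems

# Constructed sample of the response POSTed to /cgi/samlauth (signature value is a placeholder).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'Destination="https://webt.dctest.com/cgi/samlauth"><saml:Issuer>aaa.idp.dctest.com'
    '</saml:Issuer><saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>aaa.idp.dctest.com'
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature><saml:Conditions>'
    '<saml:AudienceRestriction><saml:Audience>https://webt.dctest.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()
if __name__ == "__main__":
    print(check_response(inspect_response(decode_saml_param(SAMPLE_POST, "post"))))
```

Paste the SAMLResponse value from the Live Headers trace in place of SAMPLE_POST to run the same checks against a real capture; an empty list means the response matches what the SP profile expects.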