Citrix NetScaler - SAML My Page SSO Configuration - RSA Ready Implementation Guide
9 days ago

This article describes how to integrate Citrix NetScaler with RSA Cloud Access Service (CAS) using My Page SSO.

          

Configure CAS

Perform these steps to configure CAS using My Page SSO.
Procedure 

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Search for Citrix NetScaler and click Add to add the connector.
  3. On the Basic Information page, choose Cloud.
  4. Enter a name for the application in the Name field and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Under Data Input Method, choose Enter Manually.
  7. Scroll down to the Service Provider section and enter the following details:
    1. Assertion Consumer Service (ACS) URL: https://<FQDN or IP of Citrix Authentication Virtual Server>/cgi/samlauth
    2. Service Provider Entity ID: The same FQDN or IP used in the ACS URL
  8. Make a note of the Identity Provider URL, as it is needed for the Citrix NetScaler configuration.
  9. Navigate to the Message Protection section, choose IdP signs assertion within response, and click Download Certificate.
     
  10. Scroll down to the User Identity section and select the following values:
    1. Identifier Type – emailAddress
    2. Property – mail
  11. Click Next Step.
  12. On the User Access page, select the access policy that the identity router will use to determine which users can access the application.
  13. Click Next Step.
  14. On the Portal Display page, configure the portal display and other settings, and click Next Step.
  15. On the Fulfillment page, configure your preferred settings, or leave the Fulfillment toggle button disabled, and then click Save and Finish.
  16. Click Publish Changes, and then wait for the operation to complete.
    After publishing, your application is enabled for SSO. 

      

Configure Citrix NetScaler

Perform these steps to configure Citrix NetScaler.
Procedure 

  1. Log in to the NetScaler ADC VPX with nsroot account.
  2. In the left pane, navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML.
  3. On the Servers tab, click Add, enter values for the following parameters, and click Create.
    • Name: Name of the server.
    • Export SAML Metadata: Click this link if you want to export the metadata of the SAML profile to a NetScaler Gateway VPN virtual server.
    • Import Metadata: This imports the SAML metadata. This option is enabled by default. If the Import Metadata option is disabled, enter the values for the following parameters.
      • Redirect URL: URL that users authenticate against. This should be the Identity Provider URL obtained from the RSA configuration section.
      • Single Logout URL: URL specified so that the NetScaler can recognize when to send the client back to the IdP to complete the sign-out process.
      • SAML Binding: A mechanism that is used to transport SAML requestor and responder messages between the SP and IdP. When NetScaler acts as an SP, it supports Post, Redirect, and Artifact bindings. The default binding method is POST.
      • Logout Binding: Specifies the transport mechanism of SAML logout messages. The default binding mechanism is POST.
      • IDP Certificate Name: IdPCert Certificate (Base64). This should be the certificate downloaded from the RSA side earlier.
      • User Field: Enter mail as the same attribute name given in the RSA section, which is going to be included in the SAML Assertion. 
  4. Create a corresponding SAML policy.
    1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and click Add.
    2. On the Create Authentication Policy page, provide the following details:
      • Name: Specify a name for the SAML policy.
      • Action Type: Select SAML as the authentication action type.
      • Action: Select the SAML server profile created to bind the SAML policy with.
      • Expression: Displays the name of the rule or expression that the SAML policy uses to determine if the user must authenticate with the SAML server. In the text box, set the value true for the SAML policy to take effect and the corresponding SAML action to be run.
  5. Bind the SAML policy to the authentication virtual server.
    Navigate to Security > AAA - Application Traffic > Virtual Servers. On the Virtual Server settings, associate the SAML policy created above with the authentication virtual server.
  6. Associate the authentication server with the appropriate traffic management virtual server.
    Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.

The configuration is complete.