Citrix NetScaler - SAML Relying Party Configuration - RSA Ready Implementation Guide
9 days ago

This article describes how to integrate RSA Cloud Access Service (CAS) with Citrix NetScaler using SAML Relying Party.

     

Configure CAS

Perform these steps to configure CAS as a Relying Party to Citrix NetScaler.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML
  5. On the Basic Information page, enter a Name for the Service Provider.
  6. Click Next Step.
  7. On the Authentication page, choose RSA manages all authentication.
  8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured. 
  9. Click Next Step.
  10. Under Data Input Method, choose Enter Manually.
  11. Scroll down to the Service Provider section and enter the following details:
    1. Assertion Consumer Service (ACS) URL: https://<FQDN or IP of Citrix Authentication Virtual Server>/cgi/samlauth.
    2. Service Provider Entity ID: The same FQDN or IP used in the ACS URL.
  12. Scroll down to the Message Protection section and choose IdP signs assertion within response.
  13. Click Download Certificate to download the IDP signing certificate. Make a note of the certificate as it is required for the Citrix NetScaler configuration.
  14. Scroll down to the User Identity section and select the following.
    1. Identifier Type: Email Address
    2. Propertymail

  15. Click Save and Finish.
  16. Click Publish Changes, and then wait for the operation to complete.
    After publishing, your application is enabled for SSO. 

     

Configure Citrix NetScaler

Perform these steps to configure Citrix NetScaler.
Procedure 

  1. Log in to the NetScaler ADC VPX with nsroot account.
  2. In the left pane, navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML.
  3. On the Servers tab, click Add, enter values for the following parameters, and click Create.
    • Name: Name of the server.
    • Export SAML Metadata: Click this link if you want to export the metadata of the SAML profile to a NetScaler Gateway VPN virtual server.
    • Import Metadata: This imports the SAML metadata. This option is enabled by default. If the Import Metadata option is disabled, enter the values for the following parameters.
      • Redirect URL: URL that users authenticate against. This should be the Identity Provider URL obtained from the RSA configuration section.
      • Single Logout URL: URL specified so that the NetScaler can recognize when to send the client back to the IdP to complete the sign-out process.
      • SAML Binding: A mechanism that is used to transport SAML requestor and responder messages between the SP and IdP. When NetScaler acts as an SP, it supports Post, Redirect, and Artifact bindings. The default binding method is POST.
      • Logout Binding: Specifies the transport mechanism of SAML logout messages. The default binding mechanism is POST.
      • IDP Certificate Name: IdPCert Certificate (Base64). This should be the certificate downloaded from the RSA side earlier.
      • User Field: Enter mail as the same attribute name given in the RSA section, which is going to be included in the SAML Assertion. 
  4. Create a corresponding SAML policy.
    1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and click Add.
    2. On the Create Authentication Policy page, provide the following details:
      • Name: Specify a name for the SAML policy.
      • Action Type: Select SAML as the authentication action type.
      • Action: Select the SAML server profile created to bind the SAML policy with.
      • Expression: Displays the name of the rule or expression that the SAML policy uses to determine if the user must authenticate with the SAML server. In the text box, set the value true for the SAML policy to take effect and the corresponding SAML action to be run.
  5. Bind the SAML policy to the authentication virtual server.
    Navigate to Security > AAA - Application Traffic > Virtual Servers. On the Virtual Server settings, associate the SAML policy created above with the authentication virtual server.
  6. Associate the authentication server with the appropriate traffic management virtual server.
    Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.

The configuration is complete.