Citrix NetScaler - SAML Relying Party Configuration - RSA Ready Implementation Guide
This article describes how to integrate RSA Cloud Access Service (CAS) with Citrix NetScaler using SAML Relying Party.
Configure CAS
Perform these steps to configure CAS as a Relying Party to Citrix NetScaler.
Procedure
- Sign in to RSA Cloud Administration Console.
- Click Authentication Clients > Relying Parties.
- On the My Relying Parties page, click Add a Relying Party.
- On the Relying Party Catalog page, click Add for Service Provider SAML.
- On the Basic Information page, enter a Name for the Service Provider.
- Click Next Step.
- On the Authentication page, choose RSA manages all authentication.
- In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured.
- Click Next Step.
- Under Data Input Method, choose Enter Manually.
- Scroll down to the Service Provider section and enter the following details:
- Assertion Consumer Service (ACS) URL: https://<FQDN or IP of Citrix Authentication Virtual Server>/cgi/samlauth.
- Service Provider Entity ID: The same FQDN or IP used in the ACS URL.
- Scroll down to the Message Protection section and choose IdP signs assertion within response.
- Click Download Certificate to download the IDP signing certificate. Make a note of the certificate as it is required for the Citrix NetScaler configuration.
- Scroll down to the User Identity section and select the following.
- Identifier Type: Email Address
- Property: mail
- Click Save and Finish.
- Click Publish Changes, and then wait for the operation to complete.
After publishing, your application is enabled for SSO.
Configure Citrix NetScaler
Perform these steps to configure Citrix NetScaler.
Procedure
- Log in to the NetScaler ADC VPX with nsroot account.
- In the left pane, navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML.
- On the Servers tab, click Add, enter values for the following parameters, and click Create.
- Name: Name of the server.
- Export SAML Metadata: Click this link if you want to export the metadata of the SAML profile to a NetScaler Gateway VPN virtual server.
- Import Metadata: This imports the SAML metadata. This option is enabled by default. If the Import Metadata option is disabled, enter the values for the following parameters.
- Redirect URL: URL that users authenticate against. This should be the Identity Provider URL obtained from the RSA configuration section.
- Single Logout URL: URL specified so that the NetScaler can recognize when to send the client back to the IdP to complete the sign-out process.
- SAML Binding: A mechanism that is used to transport SAML requestor and responder messages between the SP and IdP. When NetScaler acts as an SP, it supports Post, Redirect, and Artifact bindings. The default binding method is POST.
- Logout Binding: Specifies the transport mechanism of SAML logout messages. The default binding mechanism is POST.
- IDP Certificate Name: IdPCert Certificate (Base64). This should be the certificate downloaded from the RSA side earlier.
- User Field: Enter mail as the same attribute name given in the RSA section, which is going to be included in the SAML Assertion.
- Create a corresponding SAML policy.
- Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy and click Add.
- On the Create Authentication Policy page, provide the following details:
- Name: Specify a name for the SAML policy.
- Action Type: Select SAML as the authentication action type.
- Action: Select the SAML server profile created to bind the SAML policy with.
- Expression: Displays the name of the rule or expression that the SAML policy uses to determine if the user must authenticate with the SAML server. In the text box, set the value true for the SAML policy to take effect and the corresponding SAML action to be run.
- Bind the SAML policy to the authentication virtual server.
Navigate to Security > AAA - Application Traffic > Virtual Servers. On the Virtual Server settings, associate the SAML policy created above with the authentication virtual server. - Associate the authentication server with the appropriate traffic management virtual server.
Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.
The configuration is complete.
Related Articles
Citrix NetScaler - SAML IDR SSO Configuration - RSA Ready Implementation Guide 7Number of Views Citrix NetScaler - SAML My Page SSO Configuration - RSA Ready Implementation Guide 8Number of Views Citrix ShareFile - RSA Ready Implementation Guide 13Number of Views Citrix Cloud - RSA Ready Implementation Guide 26Number of Views Citrix NetScaler - RSA Ready Implementation Guide 40Number of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager Upgrade Process
Don't see what you're looking for?