
Configure Citrix NetScaler to use SAML

Import the VeridiumID Signing Certificate

Copy the IdP-signing certificate from the Veridium server to the NetScaler and import it into the configuration.

Procedure:

  1. Download the SAML signing certificate from the VeridiumID administration console (Settings -> SAML Configuration -> Change Configuration -> Download IDP Signing Certificate) and save it to a suitable place, such as the NetScaler desktop, where you can access it.

  2. Open the NetScaler Administration GUI and browse to Traffic Management > SSL > Certificates > CA Certificate.

  3. In the right-hand column click Install.

  4. Enter a name for the certificate, for example, vid-saml-idp-signing.

  5. Use the dropdown option next to Choose File to select local, browse to idp-signing.crt and click Open.

  6. Click Install.

Create and Install NetScaler SAML signing certificate

NetScaler uses a public-private key pair to sign SAML requests. This certificate can be created using any CA, including a Microsoft internal CA.
The common name is used only for your own reference and therefore can be anything such as ngsamlsign.example.com.

Procedure:

  1. Open the NetScaler Administration GUI and browse to Traffic Management > SSL > Certificates > Server Certificates.

  2. In the right-hand column click Install.

  3. Enter a name for the certificate such as ngsamlsign.

  4. Click the dropdown option next to Choose File to select local, browse to the certificate and click Open.

  5. You might be prompted to locate the certificate private key file and enter the private key password depending on the format of your certificate key pair.

  6. Click Install.

Create Authentication Profile, Policy, and Metadata

Use these procedures to create the following objects on the NetScaler server:

  • SAML authentication profile

  • SAML authentication policy

  • SAML metadata

Create SAML Authentication Profile

Procedure:

  1. Open the NetScaler GUI and browse to NetScaler Gateway > Policies > Authentication > SAML.

  2. In the right-hand column select the Servers tab.

  3. Click Add.

  4. Enter a server descriptive name.

  5. Select the IdP certificate name you imported in the 'Import the VeridiumID Signing Certificate' topic, for example, vid-saml-idp-signing.

  6. Enter the Redirect URL.

  7. The FQDN and port in the Redirect URL must match the domain name and port of the externally available VeridiumID SAML server (the SAML connector).

  8. Enter the NameID into User Field.

  9. Select the Signing Certificate Name created in the 'Create and Install NetScaler SAML Signing Certificate' topic.

  10. Enter the Issuer Name: The FQDN must match the domain name of your NetScaler Gateway virtual server.

  11. Set Reject Unsigned Assertion to ON.

  12. Set SAML Binding to POST.

  13. Set Logout Binding to POST.

  14. Click Create.

Create SAML Authentication Policy

Procedure:

  1. Open the NetScaler GUI and browse to NetScaler Gateway > Policies > Authentication > SAML.

  2. In the right-hand column select the Policy tab.

  3. Click Add.

  4. Enter a policy descriptive name.

  5. Select the Server you created in the previous topic, 'Create SAML Authentication Profile'.

  6. Enter ns_true in the Expression field.

  7. Click Create.

Create SAML Metadata

Procedure:

  1. Open the NetScaler GUI and browse to NetScaler Gateway > Policies > Authentication > SAML.

  2. In the right-hand column select the Servers tab.

  3. Select the authentication server you created in the previous topic and click Generate Metadata.

  4. Enter the FQDN of your NetScaler Gateway virtual server and select HTTPS.

  5. Click Continue.

  6. Click Save. Save the file to a location such as the NetScaler desktop where you can find it later. Use a meaningful name like ns1saml.xml.
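As an added check (example code, not part of the Veridium or Citrix documentation), the script below parses an SP metadata file like the ns1saml.xml generated above and confirms it reflects the settings chosen in the SAML authentication profile: an HTTPS entityID on the gateway FQDN, signed requests and assertions, an embedded signing certificate, POST bindings on the gateway's own origin, and an email NameID format. The sample metadata, gateway name and endpoint paths are constructed placeholders.

```python
# Added example, not Veridium's or Citrix's code: checks an SP metadata file
# like the ns1saml.xml NetScaler generates against the SAML profile settings
# this page configures. Sample metadata below is constructed; FQDN, certificate and paths are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://gateway.example.com"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIB...placeholder-base64...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://gateway.example.com/placeholder/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://gateway.example.com/placeholder/acs"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def check_sp_metadata(xml_text, gateway_fqdn):
    """Return a list of mismatches; an empty list means the metadata matches the profile settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != f"https://{gateway_fqdn}":
        problems.append(f"entityID is not https://{gateway_fqdn} (Issuer Name must match the gateway FQDN)")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true (requests should be signed with the NetScaler signing cert)")
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true (pairs with Reject Unsigned Assertion = ON)")
    certs = sp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate embedded: the IdP cannot verify request signatures")
    for svc in ("AssertionConsumerService", "SingleLogoutService"):
        endpoints = sp.findall(f"md:{svc}", NS)
        if POST not in {e.get("Binding") for e in endpoints}:
            problems.append(f"{svc} has no HTTP-POST binding (SAML Binding / Logout Binding = POST)")
        for e in endpoints:  # every endpoint must sit on the gateway's own HTTPS origin
            if not (e.get("Location") or "").startswith(f"https://{gateway_fqdn}/"):
                problems.append(f"{svc} Location {e.get('Location')!r} is not on https://{gateway_fqdn}")
    if EMAIL not in [f.text for f in sp.findall("md:NameIDFormat", NS)]:
        problems.append("NameIDFormat does not include emailAddress (NameID format = email on the Veridium side)")
    return problems
```

Run it against the real file with `check_sp_metadata(open("ns1saml.xml").read(), "<your gateway FQDN>")` before uploading the metadata to Veridium; each returned string names the profile setting to revisit.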

Copy Metadata File to the Veridium Server

Procedure:

  • Copy the NetScaler metadata file created in the previous topic to a location such as the NetScaler desktop where you can find it later.

Add NetScaler as a service provider

Procedure:

  1. In the Veridium Dashboard, navigate to Dashboard > Configuration > SAML Configuration.

  2. Select Add Service Provider under Change configuration.

  3. Enter a 'Service provider name'.

  4. For Metadata provider, select File upload.

  5. Click into 'Meta provider URL...' and browse to the NetScaler metadata file saved earlier.

  6. For 'NameID format', select email.

  7. Under "Available attributes", select userPrincipalName and sessionid, then click > to add them to the "Service provider attributes" list.

  8. Select userPrincipalName as the NameID from the drop-down box.

  9. Click Save.

Configure Storefront to use Passthrough Authentication

Use this procedure on Citrix StoreFront to enable 'Pass-through from NetScaler Gateway'.

Procedure:

  1. Open the Citrix StoreFront Administration Console.

  2. Select the checkbox for Pass-through from NetScaler Gateway.

  3. Click the gear icon and choose Configure Delegated Authentication.

  4. Enable Fully delegate credential validation to NetScaler Gateway.

Finish Configuring NetScaler

Use these procedures to create the following objects on the NetScaler server:

  • SAML authentication policy

  • SAML session profile

Create the Authentication Policy

Procedure:

  1. Open the NetScaler GUI and browse to NetScaler Gateway > Virtual Servers.

  2. In the right-hand column edit the appropriate virtual server.

  3. Under Basic Authentication, remove any bound policies and bind the SAML policy created earlier.

  4. Click Done.

Edit the Session Profile

Procedure (this is only required when using UPN as the attribute):

  1. Open the NetScaler GUI and browse to NetScaler Gateway > Virtual Servers.

  2. In the right-hand column edit the appropriate virtual server.

  3. Under Policies, select session policies.

  4. Right-click the appropriate policy and choose Edit.

  5. Select the Published Applications tab and remove Single Sign-on Domain.
