Netscaler with Veridium OIDC

For the most part, the process of configuring Netscaler with VeridiumID OIDC is similar to the one with SAML, described here Configure Citrix Netscaler and Storefront for SAML and passthrough authentication - VeridiumID Documentation - Confluence. This document will capture only the differences between the two methods, which are the following:

• Create an OIDC app for Netscaler in the Veridium Manager portal (instead of defining Netscaler as a service provider in the Veridium Manager)

• Create an OAUTH action in Netscaler (instead of SAML)

1. Create an OIDC app for Netscaler in the Veridium Manager portal

• In the Veridium Manager portal, click on Applications an then click on Add OIDC app:

  

• Type in a Client ID (this will be seen as the audience in the token), a Client Friendly Name and a Client secret. In the Response types section select code and id_token, then in the Grant types section select authorization_code and refresh_token:

  

• Scroll down and select openid and offline_access in the Scopes section, set Token endpoint authentication methods to client_secret_post and the Subject type to public. In the Redirect URIs section click on New and type the FQDN of the Netscaler virtual server, followed by “/oauth/login”:

  

• Scroll up and move to Advanced menu. Her you can add what attributes you want to send (sAMAccountName, userPrincipalName, etc.) under Encoded Attributes and Always included attributes:

  

• Scroll down and tick Enable advanced options, then enable Force PKCE:

  

• Click on Save to store the configuration.

2. Create an OAUTH action in Netscaler

This step must be performed in the Netscaler GUI (or the CLI). Tipically the OAUTH action is defined at the Authentication profile creation during the virtual server configuration process. However, the OAUTH action can also be defined manually by performint the following steps:

• In the Netscaler GUI click on Security->AAA - Application Traffic->Policies:

  

• Scroll down and click on Authentication->Advanced Policies->Actions->Oauth:

  

• In the OAUTH Actions click on Add:

  

• In the next window type in a Name for the action, Select GENERIC in the OAuth Implementation Type field, the fill in the Client ID and Client Secret defined previously in the Veridium Manager portal. Set Authentication to ENABLED, then fill in the Authorization Endpoint and Token Endpoint from Veridium OIDC metadata (you can get the VeridiumID OIDC metadata from the Veridium Manager portal, by clicking on Settings->OIDC->Download OIDC Metadata):

  

• Scroll down and set PKCE to ENABLED, Token Endpoint Auth Method to CLIENT_SECRET_POST and then click on More(optionally you can fill in the Metadata URL with the configuration endpoint of Veridium OIDC, typically something like https://<shib_fqdn>/idp/profile/oidc/configuration):

  

• Moving further down the page, fill in the Cert Endpoint field with the value extracted from Veridium OIDC metadata and then set the User Name Field to sub (this is the username attribute in the token):

  

• Scroll down and fill in the User Info URL and Introspect URL with the appropriate endpoints from the VeridiumID OIDC metadata. The value for the issuer field can also be extracted from the oidc metadata under Issuer:

  

• Set Grant Type to CODE, tick all the Allowed Algorithms and then click OK to save the configuration:

  

• This OAUTH action must be bound to an Advanced Authentication Policy (which will be bound to an Authentication Virtual Server corresponding to the Authentication Profile from the virtual server configuration). The process is described in detail in the Netscaler Saml integration article.