ADC

Citrix ADC as a SAML IdP

September 19, 2023

Contributed by:

H C S

The SAML IdP (Identity Provider) is a SAML entity that is deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a logon page, where they must enter their credentials. The IdP authenticates these credentials with the user directory (external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP.

The SP validates the token, and the user is then granted access to the requested protected application.

When the Citrix ADC appliance is configured as an IdP, all requests are received by an authentication virtual server that is associated with the relevant SAML IdP profile.

Note

A Citrix ADC appliance can be used as a IdP in a deployment where the SAML SP is configured either on the appliance or on any external SAML SP.

When used as a SAML IdP, a Citrix ADC appliance:

Supports all authentication methods that it supports for traditional logons.
Digitally signs assertions. Support for the SHA256 algorithm is introduced in NetScaler 11.0 Build 55.x.
Supports single-factor and two-factor authentication. SAML must not be configured as the secondary authentication mechanism.
Can encrypt assertions by using the public key of the SAML SP. This is recommended when the assertion includes sensitive information. Support introduced in NetScaler 11.0 Build 55.x.
Can be configured to accept only digitally signed requests from the SAML SP. Support introduced in NetScaler 11.0 Build 55.x.
Can log on to the SAML IdP by using the following 401-based authentication mechanisms: Negotiate, NTLM, and Certificate. Support introduced in NetScaler 11.0 Build 55.x.
Can be configured to send 16 attributes in addition to the NameId attribute. The attributes must be extracted from the appropriate authentication server. For each of them, you can specify the name, the expression, the format, and a friendly name in the SAML IdP profile. Support introduced in NetScaler 11.0 Build 55.x.
If the Citrix ADC appliance is configured as a SAML IdP for multiple SAML SP, a user can gain access to applications on the different SPs without explicitly authenticating every time. The Citrix ADC appliance creates a session cookie for the first authentication, and every subsequent request uses this cookie for authentication. Support introduced in NetScaler 11.0 Build 55.x.
Can send multi-valued attributes in a SAML assertion. Support introduced in NetScaler 11.0 Build 64.x.
Supports post and redirect bindings. Support for redirect bindings is introduced in NetScaler 11.0 Build 64.x.
Can specify the validity of a SAML assertion.

If the system time on Citrix ADC SAML IdP and the peer SAML SP is not in sync, the messages might get invalidated by either party. To avoid such cases, you can now configure the time duration for which the assertions will be valid.

This duration, called the “skew time,” specifies the number of minutes for which the message should be accepted. The skew time can be configured on the SAML SP and the SAML IdP.

Note

Support introduced in NetScaler 11.0 Build 64.x.
Can be configured to serve assertions only to SAML SPs that are pre-configured on or trusted by the IdP. For this configuration, the SAML IdP must have the service provider ID (or issuer name) of the relevant SAML SPs. Support introduced in NetScaler 11.0 Build 64.x.

Note

Before proceeding, make sure that you have an authentication virtual server that is linked to an LDAP authentication server.

To configure a Citrix ADC appliance as a SAML IdP by using the command line interface

Configure a SAML IdP profile.

Example

Adding Citrix ADC appliance as an IdP with SiteMinder as the SP.

add authentication samlIdPProfile samlIDPProf1 -samlSPCertName siteminder-cert -encryptAssertion ON -samlIdPCertName ns-cert -assertionConsumerServiceURL http://sm-proxy.nsi-test.com:8080/affwebservices/public/saml2assertionconsumer -rejectUnsignedRequests ON -signatureAlg RSA-SHA256 -digestMethod SHA256 –acsUrlRule AAA.LOGIN.SAML_REQ_ACS_URL.REGEX_MATCH(re#^https://example2\.com/cgi/samlauth$#)

Points to note
- In SAML IdP profile, configure acsURLRule that takes an expression of the list of applicable service provider URLs for this IdP. This expression depends on the SP being used. If Citrix ADC is configured as SP, ACS URL will be https://<SP-domain_name>/cgi/samlauth. Citrix recommends having a full URL in the expression for matching.
- You must specify the starting of the domain with “^” sign (example: ^https) along with the dollar sign “$” at the end of the string (example: samlauth$).
For more details on the command, see https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/authentication/authentication-samlAction and https://support.citrix.com/article/CTX316577.
- If the authentication virtual server is configured as a SAML SP, the metadata URL that must be used in the SAML IdP profile is https://<citrix-adc-saml-sp-fqdn>/metadata/samlsp/saml_sp_act. For example,
  
  add authentication samlIdPProfile SAML_IDP_profile -samlIdPCertName aaa_local -assertionConsumerServiceURL "https://ksav.ksaaa.local/cgi/samlauth" -samlIssuerName "https://ksidp1.aaa.local/saml/login" -rejectUnsignedRequests OFF -serviceProviderID kslb.ksaaa.local -signAssertion NONE -SPLogoutUrl "https://ksav.ksaaa.local/cgi/tmlogout" -logoutBinding REDIRECT -metadataUrl "https://ksav.ksaaa.local/metadata/samlsp/saml_sp_act" -metadataRefreshInterval 1
Configure the SAML authentication policy and associate the SAML IdP profile as the action of the policy.

add authentication samlIdPPolicy samlIDPPol1 -rule true -action samlIDPProf1
Bind the policy to the authentication virtual server.

bind authentication vserver saml-auth-vserver -policy samlIDPPol1 -priority 100

To configure a Citrix ADC appliance as a SAML IdP by using the graphical user interface

Configure the SAML IdP profile and policy.

Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP, and create a policy with SAML IdP as the action type, and associate the required SAML IdP profile with the policy.
Associate the SAML IdP policy with an authentication virtual server.

Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the SAML IdP policy with the authentication virtual server.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Citrix ADC as a SAML IdP

September 19, 2023

Contributed by:

H C S

September 19, 2023

Contributed by:

H C S

Citrix ADC as a SAML IdP

To configure a Citrix ADC appliance as a SAML IdP by using the command line interface

To configure a Citrix ADC appliance as a SAML IdP by using the graphical user interface

In this article