NetScaler as an OAuth SP
The authentication, authorization, and auditing traffic management feature supports OAuth authentication for authenticating users to applications that are hosted on applications such as Google, Facebook, and Twitter.
Points to note
- NetScaler Advanced Edition and higher is required for the solution to work.
- OAuth on NetScaler is qualified for all SAML IdPs that are compliant with “OpenID connect 2.0”.
Important:
NetScaler might respond with a CSRF error when a content-heavy website sends multiple authentication requests on session expiry. As a workaround, it is recommended that when you configure the OAuth policy, ensure that the policy is configured for both the host name and the path which are the main entry points.
Configure OAuth by using the GUI
-
Configure the OAuth action and policy.
Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with OAuth as the action type, and associate the required OAuth action with the policy.
-
Associate the OAuth policy with an authentication virtual server.
Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the OAuth policy with the authentication virtual server.
Note:
Attributes (1 to 16) can be extracted in the OAuth response. Currently these attributes are not evaluated. They are added for the future reference.
Configure OAuth by using the CLI
-
Define an OAuth action.
add authentication OAuthAction <name> [-OAuthType <OAuthType>] [-authorizationEndpoint <URL>] [-tokenEndpoint <URL>] [-idtokenDecryptEndpoint <URL>] [-clientID <string>][-clientSecret ] [-defaultAuthenticationGroup <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] [-Attributes <string>] [-tenantID <string>] [-GraphEndpoint <string>] [-refreshInterval <positive_integer>] [-CertEndpoint <string>][-audience <string>] [-userNameField <string>] [-skewTime <mins>] [-issuer <string>] [-UserInfoURL <URL>] [-CertFilePath <string>] [-grantType ( CODE | PASSWORD )] [-authentication ( ENABLED | DISABLED )] [-introspectURL <URL>][-allowedAlgorithms <allowedAlgorithms> ...] [-PKCE ( ENABLED | DISABLED )] [-tokenEndpointAuthMethod <tokenEndpointAuthMethod>] [-metadataUrl <URL>] [-resourceUri <URL>] <!--NeedCopy-->
-
Associate the action with an advanced authentication policy.
add authentication Policy <name> -rule <expression> -action <string> <!--NeedCopy-->
Example:
add authentication oauthAction a -authorizationEndpoint https://example.com/ -tokenEndpoint https://example.com/ -clientiD sadf -clientsecret df <!--NeedCopy-->
For more information on authentication OAuthAction parameters, see authentication OAuthAction.
Note:
When a certEndpoint is specified, NetScaler polls that endpoint at the configured frequency to learn the keys.
To configure a NetScaler to read the local file and parse keys from that file, a new configuration option is introduced as follows:
set authentication OAuthAction <name> -CertFilePath <path to local file with jwks>
<!--NeedCopy-->
OAuth feature now supports the following capabilities in the token API from the Relying Party (RP) side and from the IdP side of NetScaler Gateway and NetScaler.
-
PKCE (Proof Key for Code Exchange) support
-
Support for client_assertion
Name-value attribute support for OAuth authentication
You can now configure OAuth authentication attributes with a unique name along with the values. The names are configured in the OAuth action parameter either as “Attributes” and the values are obtained by querying for the names. The extracted attributes are stored in the authentication, authorization, and auditing session. Admins can query these attributes either using http.req.user.attribute("attribute name")
or http.req.user.attribute(1)
, based on the chosen method of specifying attribute names.
By specifying the name of the attribute, admins can easily search for the attribute value associated with that attribute name. Also, admins no longer have to remember the “attribute1 to attribute16” by its number alone.
Important
In an OAuth command, you can configure a maximum of 64 attributes separated by comma with a total size less than 1024 bytes.
Note
The session failure can be avoided if the total value size of “attribute 1 to attribute 16” and the values of attributes specified in “Attributes” are not more than 10 KB.
To configure the name-value attributes by using the CLI
At the command prompt, type:
add authentication OAuthAction <name> [-Attributes <string>]
set authentication OAuthAction <name> [-Attributes <string>]
<!--NeedCopy-->
Examples:
add authentication OAuthAction a1 –attributes "email,company" –attribute1 email
set authentication OAuthAction oAuthAct1 -attributes "mail,sn,userprincipalName"
<!--NeedCopy-->