Product Documentation
ADC
14.1-Current Release 13.1 12.1
View PDF

Configure SAML single sign-on

April 9, 2025
Contributed by: 
C H S

To provide single sign-on capabilities across applications that are hosted on the service provider, you can configure SAML single sign-on on the SAML SP.

Configuring SAML single sign-on by using the CLI

  1. Configure the SAML SSO profile.

    Example

    In the following command, Example is the load balancing virtual server that has a web link from the SharePoint portal. Nssp.example.com is the Traffic Management virtual server that is load balancing the SharePoint server.

     add tm samlSSOProfile tm-saml-sso -samlSigningCertName nssp -assertionConsumerServiceURL "https://nssp2.example.com/cgi/samlauth" -relaystateRule "\\"https://nssp2.example.com/samlsso.html\\"" -sendPassword ON -samlIssuerName nssp.example.com

  2. Associate the SAML SSO profile with the traffic action.

    Example

    The following command enables SSO and binds the SAML SSO profile created above to a traffic action.

    add tm trafficAction html_act -SSO ON -samlSSOProfile tm-saml-sso

  3. Configure the traffic policy that specifies when the action must be run.

    Example

    The following command associates the traffic action with a traffic policy.

    add tm trafficPolicy html_pol "HTTP.REQ.URL.CONTAINS(\\"abc.html\\")" html_act

  4. Bind the traffic policy created previously to a traffic management virtual server (load balancing or content switching). Alternatively, the traffic policy can be associated globally.

    Note:

    • This traffic management virtual server must be associated with the relevant authentication virtual server that is associated with the SAML action.

    • In an nFactor setup, an authentication virtual server, which is redirected by a load balancer, cannot act as the identity provider for the back-end application.

    bind lb vserver lb1_ssl -policyName html_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Configuring SAML single sign-on by using the GUI

To configure SAML single sign-on you need to define the SAML SSO profile, the traffic profile, and the traffic policy and bind the traffic policy to a traffic management virtual server or globally to the NetScaler appliance.

  1. Navigate to Security > AAA-Application Traffic > Policies > Traffic > SAML SSO Profiles and click Add.

  2. On the Create SAML SSO Profiles page, enter the values for the following fields and click Create.

    • Name: Name for the SAML SSO profile.

    • Assertion Consumer Service Url: URL to which the assertion must be sent.

    • Signing Certificate Name: Name of the SSL certificate that is used to sign assertion.

    • SP Certificate Name: Name of the SSL certificate of a peer or receiving party using which the assertion is encrypted.

    • Issuer Name: The name to be used in requests sent from NetScaler to IdP to uniquely identify NetScaler.

    • Signature Algorithm: Algorithm to be used to sign or verify SAML transactions.

    • Digest Method: Algorithm to be used to compute or verify digest for SAML transactions.

    • Audience: Audience for which an assertion sent by IdP is applicable. This is typically an entity name or url that represents a service provider.

    • Skew Time (mins): The number of minutes on either side of the current time that the assertion is valid.

    • Sign Assertion: Option to sign portions of assertion when NetScaler IdP sends one. Based on the user selection, either ASSERTION or RESPONSE or BOTH or NONE can be signed.

    • Name ID Format: Format of NameIdentifier sent in assertion.

    • Name ID Expression: Expression that is evaluated to obtain NameIdentifier to be sent in assertion.

    Create SAML profile

  3. Navigate to Security > AAA-Application Traffic > Policies > Traffic > Traffic Profiles and click Add.

  4. On the Create Traffic Profile page, enter the values for the following fields, and click Create.

    • Name: Name for the traffic action.

    • AppTimeout (minutes): Time interval, in minutes, of user inactivity after which the connection is closed.

    • Single Sign-on: Select ON.

    • SAML SSO Profile: Select the created SAML SSO profile.

    • KCD Account: Kerberos constrained delegation account name.

    • SSO User Expression: Expression that is evaluated to obtain user name for SingleSignOn.

    • SSO Password Expression: Expression that is evaluated to obtain password for SingleSignOn

    Create Traffic Profile

  5. Navigate to Security > AAA-Application Traffic > Policies > Traffic > Traffic Policies and click Add.

  6. On the Create Traffic policy page, enter the values for the following, and click Create.

    • Name: Name of the traffic policy to be created.

    • Profile: Select the created traffic profile.

    • Expression: Advanced policy expression that the policy uses to respond to specific request. For example, true.

    Click to create Traffic Policy

  7. To bind the traffic policy to a traffic management virtual server, navigate to Traffic Management > Load Balancing > Virtual Servers, select a virtual server, and click Edit.

  8. Under Advanced Settings, click Policies.

  9. Select Traffic in the Choose Policy field, select Request in the Choose Type field, and click Continue.

  10. Under Select Policy, click to select the created traffic.

  11. Click Select.

  12. Click Bind to bind the traffic policy to the virtual server.

Configure SAML single sign-on
April 9, 2025
Contributed by: 
C H S

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-2025 Cloud Software Group, Inc. All rights reserved.