ADC

Use an on-premises NetScaler Gateway as the identity provider for Citrix Cloud

Citrix Cloud supports using an on-premises NetScaler Gateway as an identity provider to authenticate subscribers signing in to their workspaces.

By using NetScaler Gateway authentication, you can:

  • Continue authenticating users through your existing NetScaler Gateway so they can access the resources in your on-premises Virtual Apps and Desktops deployment through Citrix Workspace.
  • Use the NetScaler Gateway authentication, authorization, and auditing functions with Citrix Workspace.
  • Provide your users access to the resources they need through Citrix Workspace using features such as pass-through authentication, smart cards, secure tokens, conditional access policies, federation.

NetScaler Gateway authentication is supported for use with the following product versions:

  • NetScaler Gateway 13.0 41.20 Advanced edition or later
  • NetScaler Gateway 12.1 54.13 Advanced edition or later

Prerequisites

  • Cloud Connectors - You need at least two servers on which to install the Citrix Cloud Connector software.

  • Active Directory - Perform the necessary checks.

  • NetScaler Gateway requirements

    • Use advanced policies on the on-premises gateway due to deprecation of classic policies.

    • When configuring the Gateway for authenticating subscribers to Citrix Workspace, the gateway acts as an OpenID Connect provider. Messages between Citrix Cloud and Gateway conform to the OIDC protocol, which involves digitally signing tokens. Therefore, you must configure a certificate for signing these tokens.

    • Clock synchronization - The Gateway must be synchronized to NTP time.

For details, see Prerequisites.

Create an OAuth IdP policy on the on-premises NetScaler Gateway

Important:

You must have generated the client ID, secret, and redirect URL in the Citrix Cloud > Identity and Access Management > Authentication tab. For details, see Connect an on-premises NetScaler Gateway to Citrix Cloud.

Creating an OAuth IdP authentication policy involves the following tasks:

  1. Create an OAuth IdP profile.

  2. Add an OAuth IdP policy.

  3. Bind the OAuth IdP policy to an authentication virtual server.

  4. Bind the certificate globally.

Creating an OAuth IdP profile by using the CLI

At the command prompt, type;

add authentication OAuthIDPProfile <name> [-clientID <string>][-clientSecret ][-redirectURL <URL>][-issuer <string>][-audience <string>][-skewTime <mins>] [-defaultAuthenticationGroup <string>]

add authentication OAuthIdPPolicy <name> -rule <expression> [-action <string>] [-undefAction <string>] [-comment <string>][-logAction <string>]

add authentication ldapAction <name> -serverIP <IP> -ldapBase "dc=aaa,dc=local"

ldapBindDn <administrator@aaa.local> -ldapBindDnPassword <password> -ldapLoginName sAMAccountName

add authentication policy <name> -rule <expression> -action <string>

bind authentication vserver auth_vs -policy <ldap_policy_name> -priority <integer> -gotoPriorityExpression NEXT

bind authentication vserver auth_vs -policy <OAuthIDPPolicyName> -priority <integer> -gotoPriorityExpression END

bind vpn global -certkeyName <>
<!--NeedCopy-->

Creating an OAuth IdP profile by using the GUI

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > OAuth IDP.

  2. In the OAuth IDP page, select the Profiles tab and click Add.

  3. Configure the OAuth IdP profile.

    Note:

    • Copy and paste the client ID, secret, and Redirect URL values from the Citrix Cloud > Identity and Access Management > Authentication tab to establish the connection to Citrix Cloud.

    • Enter the Gateway URL correctly in the Issuer Name Example: https://GatewayFQDN.com

    • Also copy and paste the client ID in the Audience field as well.

    • Send Password: Enable this option for single sign-on support. This option is disabled by default.

  4. On the Create Authentication OAuth IDP Profile screen, set values for the following parameters and click Create.

    • Name: Name of the authentication profile. Must begin with a letter, number, or the underscore character (_). Name must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the profile is created.
    • Client ID: Unique string that identifies SP. Authorization server infers client configuration using this ID. Maximum Length: 127.
    • Client Secret: Secret string established by user and authorization server. Maximum Length: 239.
    • Redirect URL: Endpoint on SP to which code/token has to be posted.
    • Issuer Name: Identity of the server whose tokens are to be accepted. Maximum Length: 127. Example: https://GatewayFQDN.com
    • Audience: Target recipient for the token sent by IdP. This token is checked by the recipient.
    • Skew Time: This option specifies the allowed clock skew (in minutes) that NetScaler allows on an incoming token. For example, if skewTime is 10, then the token would be valid from (current time - 10) min to (current time + 10) min, that is 20 min in all. Default value: 5.
    • Default Authentication Group: A group added to the session internal group list when this profile is chosen by IdP which can be used in nFactor flow. It can be used in the expression (AAA.USER.IS_MEMBER_OF(“xxx”)) for authentication policies to identify relying party related nFactor flow. Maximum Length: 63

    A group is added to the session for this profile to simplify policy evaluation and help in customizing policies. This group is the default group that is chosen when the authentication succeeds in addition to the extracted groups.

    • Relying Party Metadata URL: Endpoint at which the NetScaler IdP can get details about the relying party being configured. The metadata response must include endpoints for the jwks_uri for RP public keys. Maximum length is 255.
    • Refresh Interval: The interval at which the relying party metadata is refreshed. The default interval is 50.
    • Encrypt Token: When you select this option, the token sent by NetScaler is encrypted.
    • Signature Service: Name of the cloud service that is used to sign the data. This is applicable only if the signature if offloaded to cloud.
    • Attributes: Name-Value pairs of the attributes to be inserted in the ID token. Maximum length is 1047 characters.
    • Send Password: Select this option to send the encrypted password in the ID token.
  5. Click Policies and click Add.

  6. On the Create Authentication OAuth IDP Policy screen, set values for the following parameters and click Create.

    • Name – The name of the authentication policy.
    • Action – Name of profile created earlier.
    • Log Action – Name of the message log action to use when a request matches this policy. Not a mandatory filed.
    • Undefined-Result Action – Action to perform if the result of policy evaluation is undenfined(UNDEF). Not a mandatory field.
    • Expression – Default syntax expression that the policy uses to respond to specific request. For example, true.
    • Comments – Any comments about the policy.

Note:

When sendPassword is set to ON (OFF by default), user credentials are encrypted and passed through a secure channel to Citrix Cloud. Passing user credentials through a secure channel allows you to enable SSO to Citrix Virtual Apps and Desktops upon launch.

Binding the OAuthIDP policy and LDAP policy to the authentication virtual server

  1. Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Actions > LDAP.

  2. On LDAP Actions screen, click Add.

  3. On the Create Authentication LDAP Server screen, set the values for the following parameters, and click Create.

    • Name – The name of the LDAP action
    • ServerName/ServerIP – Provide FQDN or IP of the LDAP server
    • Choose appropriate values for Security Type, Port, Server Type, Time-Out
    • Make sure Authentication is checked
    • Base DN – Base from which to start LDAP search. For example, dc=aaa,dc=local.
    • Administrator Bind DN: User name of the bind to LDAP server. For example, admin@aaa.local.
    • Administrator Password/Confirm Password: Password to bind LDAP
    • Click Test Connection to test your settings.
    • Server Logon Name Attribute: Choose “sAMAccountName”
    • Other fields are not mandatory and hence can be configured as required.
  4. Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Policy.

  5. On the Authentication Policies screen, click Add.

  6. On the Create Authentication Policy page, set the values for the following parameters, and click Create.

    • Name – Name of the LDAP Authentication Policy.
    • Action Type – Choose LDAP.
    • Action – Choose the LDAP action.
    • Expression – Default syntax expression that the policy uses to respond to specific request. For example, true**.

Store Authentication Context Class Reference values

NetScaler configured as an on-premises IdP can store Authentication Context Class Reference (ACR) values provided by Citrix Workspace to support the multi-domain login feature of Citrix Workspace Platform (WSP).

When Citrix Workspace sends the ACR values to the OAuth authorization endpoint of the NetScaler IdP, NetScaler stores the ACR values. You can use these ACR values to determine the next factor in the nFactor flow.

The OAuth IdP authorization endpoint /oauth/idp/ login receives a query with the ACR value parameter in the below format. NetScaler stores the ACR value in the user sessions attribute.

GET /oauth/idp/login?response_type=code&scope=openid%20profile%20ctxs_cc&acr_values=device_id:69eec3333333333+wsp:wspmultiurlmain.cloud.com&client_id=test&redirect_uri=https%3A%2F%2Fav6.aaa.local%2Foauth%2Flogin&state=Y3R4PXlFYkpFdEJOeDFLN0hUY2VCc1pBOGc2RjU3d21PcjJ2aXprZkhFSkdBTzVVTzM4eEZBUW1qTEFwR25DSE&code_challenge_method=S256&code_challenge=IJgD-qaJZdhuGt3m262BjjMXrFTOwioV6uSBA-uIY18

In the above example, the ACR value parameter is acr_values=device_id:69eec3333333333+wsp:wspmultiurlmain.cloud.com.

Following are the expression examples of how you can use ACR values in an nFactor flow.

  • To retrieve the WSP URL, use the expression aaa.user.wsp.eq("URL") in your policy configuration.

    For example,

    add authentication policy wsp_check -rule aaa.user.wsp.eq("wspmultiurlmain.cloud.com ") -action ldap-act

  • To retrieve the device ID from the ACR value parameter, use the expression aaa.user.acr_values.value("device_id").eq(value) in your policy configuration.

    For example,

    add authentication policy acr_value_check -rule aaa.user.acr_values.value("device_id").eq("69eec3333333333") -action ldap-act

  • To retrieve the WSP value from the ACR value parameter, use the expression aaa.user.acr_values.value("wsp").eq("URL") in your policy configuration.

    For example,

    add authentication policy acr_value_check -rule aaa.user.acr_values.value("wsp").eq("wspmultiurlmain.cloud.com") -action ldap-act

Use an on-premises NetScaler Gateway as the identity provider for Citrix Cloud