This article describes how to integrate RSA with Citrix NetScaler using SAML IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Citrix NetScaler.

Procedure

1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
2. Search for Citrix NetScaler and click Add to add the connector.
   
3. On the Basic Information page, choose Identity Router.
   
4. Enter a name for the application and click Next Step.
   
5. On the Connection Profile page, navigate to the Initiate SAML Workflow section.
6. Choose IdP-initiated.
   
7. Scroll down to the Identity Provider section. Note the Identity Provider URL needed for the Citrix NetScaler configuration.
   
   
   1. Identity Provider URL is automatically generated.
   2. Identity Provider Entity ID is automatically generated.
8. Import a private/public key pair to sign and validate SAML assertions. If you do not have one readily available, follow the steps to generate a certificate bundle. Otherwise, continue to the next step. Make a note of the certificate and private key as they are required for the Citrix NetScaler configuration.
   1. In the SAML Response Signature section, click Generate Certificate Bundle.
   2. Enter a common name for your Identity Router domain in the Common Name (CN) field.
   3. Click Generate and Download, save the certificate bundle ZIP file to a secure location, and extract its contents. The ZIP file contains a private key, a public certificate, and a certificate signing request.
      
9. Scroll down to the Service Provider section and enter the following details:
   1. ACS URL: The format is https://<ns_vs_hostname>/cgi/samlauth. Replace <ns_vs_hostname> with the hostname or IP address of your NetScaler virtual server, which can be obtained from the Citrix NetScaler configuration.
   2. Audience (Service Provider Entity ID): The format is https://<ns_vs_hostname>. Replace <ns_vs_hostname> with the hostname or IP address of your NetScaler virtual server, which can be obtained from the Citrix NetScaler configuration.
      
10. Scroll down to the User Identity section and select the following:
    1. Identifier Type – Email Address
    2. Identity Source – Select your user identity source
    3. Property – mail
       
11. Click Next Step.
12. On the User Access page, select the access policy that the identity router will use to determine which users can access the application.
    
13. Click Next Step.
14. On the Portal Display page, configure the portal display and other settings.
15. Click Save and Finish. 
16. Click Publish Changes and wait for the operation to be completed.
    
    After publishing, your application is now enabled for SSO. 
    

Configure Citrix NetScaler

Perform these steps to configure Citrix NetScaler.
Procedure 

1. Log on to the Citrix NetScaler Gateway web administration console.
2. Browse to Configuration > NetScaler Gateway > Policies > Authentication > SAML and click Add. 
   
3. Enter a name for the SAML Authentication Policy and click Add next to the Server drop-down menu.
   
4. Configure the SAML Authentication Server settings and click Create.
   1. Enter a Name for the Authentication SAML Server.
   2. In the Redirect URL field, enter the Identity Provider URL that was provided in the RSA Cloud Authentication Service configuration.
   3. In the IDP Certificate Name drop-down list, select the public certificate provided in the RSA Cloud Authentication Service configuration. If you have not added the certificate yet, refer to the steps in the Notes section to add it.
   4. Type mail in User Field.
      
5. On the SAML Authentication Policy page, type ns_true in the Expression field and click Create.
   
6. Navigate to Configuration > NetScaler Gateway > Virtual Servers.

   

7. Take note of the Name and IP Address of the NetScaler Virtual Server. These are needed for the RSA Cloud Authentication Service configuration.

8. Click to edit the NetScaler Gateway Virtual Server.
   

9. Click + to bind a Basic Authentication policy.
   

10. Select SAML Policy and Primary Type and click Continue.
    

11. Click > icon to select the policy.
    

12. Select the authentication policy that was configured earlier to bind it and click Select.
    

13. Set the Priority and click Bind.
    

14. Click Done. 
    

The configuration is complete.

Notes

In the NetScaler Gateway web administration console, you may not have a NetScaler virtual server initially. In this case, you will need to create your virtual server, assign it a preferred name, and assign an IP address. 

You can configure as many virtual servers as necessary, but ensure that the state of the virtual server is set to Up for proper functionality.

If you need to add a public certificate, follow these steps:

1. Navigate to Traffic Management > SSL > Certificates.
2. Click Install.
   
3. Enter a name for the certificate-key pair.
   
4. Click Choose File next to the certificate file name field. A file browser appears, allowing you to select and upload your certificate file. The public certificate file should be of the .cert type.
   
5. Select the file and click Open to confirm.
6. If you have a private key, repeat the same steps for the private key file. This field is optional and hence you may not have a private key to upload.
7. Set the Certificate Format to PEM.
8. Click Install.
   Your certificate is added and available for future use.

Return to Citrix NetScaler - RSA Ready Implementation Guide.