Citrix NetScaler - SAML Relying Party Configuration - RSA Ready Implementation Guide
a year ago

This article describes how to integrate RSA SecurID Access with Citrix NetScaler using SAML Relying Party.

  

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to Citrix NetScaler.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML
  5. On the Basic Information page, enter a Name for the Service Provider.
  6. Click Next Step.
  7. On the Authentication page, choose SecurID Access manages all authentication.
  8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured. 
  9. Click Next Step.
  10. On the Connection Profile page, choose Enter Manually.
  11. Scroll down to the Service Provider section and enter the following details:
    1. ACS URL: The format is https://<ns_vs_hostname>/cgi/samlauth. Replace <ns_vs_hostname> with the hostname or IP address of your NetScaler virtual server, which can be obtained from the Citrix NetScaler configuration.
    2. Service Provider Entity ID: The format is <ns_vs_hostname>, where <ns_vs_hostname> represents the hostname or IP address of your NetScaler virtual server, which can be retrieved from the Citrix NetScaler configuration.
  12. Scroll down to the Message Protection section and choose IdP signs entire SAML response.
  13. Click Download Certificate to download the IDP signing certificate. Make a note of the certificate as it is required for the Citrix NetScaler configuration.
  14. Configure User Identity for NameID mapping.

    1. Identifier Type – Auto Detect
    2. Property – Auto Detect
  15. Scroll down to the Identity Provider section. Make a note of the Entity ID field value as it is needed in the Citrix NetScaler configuration. 
  16. Click Save and Finish.
  17. Click Publish Changes and wait for the operation to be completed.

Your application is now enabled for SSO. 

    

Configure Citrix NetScaler

Perform these steps to configure Citrix NetScaler.
Procedure 

  1. Log on to the Citrix NetScaler Gateway web administration console.
  2. Browse to Configuration NetScaler Gateway Policies Authentication SAML and click Add
  3. Enter a name for the SAML Authentication Policy and click Add next to the Server drop-down menu.
  4. Configure the SAML Authentication Server settings and click Create.
    1. Enter a Name for the Authentication SAML Server.
    2. In the Redirect URL field, enter the Identity Provider URL that was provided in the RSA Cloud Authentication Service configuration.
    3. In the IDP Certificate Name drop-down list, select the public certificate provided in the RSA Cloud Authentication Service configuration. If you have not added the certificate yet, refer to the steps in the Notes section to add it.
    4. Type mail in User Field.
  5. On the SAML Authentication Policy page, type ns_true in the Expression field and click Create.
  6. Navigate to Configuration > NetScaler Gateway > Virtual Servers.

  7. Take note of the Name and IP Address of the NetScaler Virtual Server. These are needed for the RSA Cloud Authentication Service configuration.

  8. Click to edit the NetScaler Gateway Virtual Server.

  9. Click + to bind a Basic Authentication policy.

  10. Select SAML Policy and Primary Type and click Continue.

  11. Click > icon to select the policy.

  12. Select the authentication policy that was configured earlier to bind it and click Select.

  13. Set the Priority and click Bind.

  14. Click Done

 

The configuration is complete.

    

Notes

In the NetScaler Gateway web administration console, you may not have a NetScaler virtual server initially. In this case, you will need to create your virtual server, assign it a preferred name, and assign an IP address. 

You can configure as many virtual servers as necessary, but ensure that the state of the virtual server is set to UP for proper functionality.

If you need to add a public certificate, follow these steps:

  1. Navigate to Traffic Management > SSL > Certificates.
  2. Click Install.
  3. Enter a name for the certificate-key pair.
  4. Click Choose File next to the certificate file name field. A file browser appears, allowing you to select and upload your certificate file. The public certificate file should be of the .cert type.
  5. Select the file and click Open to confirm.
  6. If you have a private key, repeat the same steps for the private key file. This field is optional and hence you may not have a private key to upload.
  7. Set the Certificate Format to PEM.
  8. Click Install.
    Your certificate is added and available for future use.

 

Return to Citrix NetScaler - RSA Ready Implementation Guide.

Don't see what you're looking for?