
Citrix ADC/Netscaler as SAML SP And Google as SAML IDP

I had a task to configure Citrix NetScaler / ADC to use SAML authentication with Google SSO. There were no instructions available for my case, where the ADC would be the SAML SP and Google the SAML IdP. I struggled with some parts of the configuration, so I will describe the necessary tasks here.


Note that the AAA feature is required, so your ADC must be licensed with an "Advanced" license.

Let's assume that we already have some VIPs, backend servers and services configured. The things we need to do are listed below.

- Obtain certificates (Google IDP certificate, certificate for AAA VIP)
- Create DNS name for AAA VIP
- Create SAML server action
- Create AAA VIP
- Bind policies to Traffic Management VIP

Two certificates are required: the Google IdP signing certificate, which the ADC uses to validate the signature on Google's SAML response, and a server certificate for the AAA VIP, which serves HTTPS on TCP 443. A self-signed certificate works for the AAA VIP too, but then your users will see an invalid certificate warning, so it is better to use a certificate from an internal or public CA that your clients trust :-)

After you have uploaded the key and certificate files to the ADC, the certificate-key pairs can be created like this:


add ssl certKey mynetscaler.example.com -cert mynetscaler.example.com.crt -key mynetscaler.example.com.key -expiryMonitor ENABLED -notificationPeriod 45
add ssl certKey "Google IDP Certification" -cert GoogleIDPCertificate.pem

This creates two certificate-key pairs: one for the ADC itself (mynetscaler.example.com), with expiry monitoring enabled, and one holding only Google's IdP certificate, which has no private key because it is used purely to validate signatures.



A DNS name for the AAA VIP is required so that the Traffic Management VIP can redirect the user to that URL. Of course you could use an IP address too, but the name must match the certificate bound to the AAA VIP, so use a proper FQDN.


Create SAML Server Action


Let's start the configuration part by creating a SAML server action.

add authentication samlAction Google-IDP -samlIdPCertName "Google IDP Certification" -samlSigningCertName mynetscaler.example.com -samlRedirectUrl "https://accounts.google.com/o/saml2/idp?some-prefix" -samlRejectUnsignedAssertion OFF -samlIssuerName "https://mynetscaler.example.com"
add authentication Policy GoogleSAML -rule true -action Google-IDP

In this example I have created a SAML action named Google-IDP, which uses "Google IDP Certification" as the IdP certificate, signs the authentication request with mynetscaler.example.com and, of course, specifies the Google SSO URL. The -samlIssuerName is the entity ID the ADC presents as SP, and Google will put it into the Audience of the assertion. One caveat on -samlRejectUnsignedAssertion OFF: this tells the ADC to accept an assertion even if it carries no signature, which defeats the purpose of loading the IdP certificate at all. The default is ON (STRICT additionally requires the response itself to be signed), and Google signs the assertion it sends, so there should be no need to relax it.
In the second part I have attached this SAML action to an authentication policy called GoogleSAML with the rule true, so it applies to every request that reaches the AAA VIP.
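As an added example (not code from the original post), the script below does the certificate and SAML action steps above from Google's downloadable IdP metadata instead of by hand: it pulls the entity ID, the HTTP-Redirect SSO URL and the signing certificate out of the metadata, wraps the certificate in the PEM armour that "add ssl certKey" expects, and prints the matching NetScaler commands. The metadata embedded here is constructed for the example (the idpid and the certificate bytes are placeholders), and the generated action keeps -samlRejectUnsignedAssertion ON rather than OFF.

```python
"""Turn a SAML IdP metadata file into the NetScaler objects the post creates by hand.

Added example, not code from the original post. It assumes the IdP metadata
XML that Google lets you download for a SAML app (entityID, SingleSignOnService
URLs and the signing certificate). The metadata below is constructed for this
example and its certificate is dummy bytes, not a real certificate.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate body (65 bytes, base64 DER as in metadata).
DUMMY_DER_B64 = base64.b64encode(bytes(range(65))).decode()

# Constructed sample in the shape of Google IdP metadata; idpid and URLs are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>__CERT__</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("__CERT__", DUMMY_DER_B64)


def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL, [base64 DER signing certs])."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:   # the value -samlRedirectUrl needs
            sso_url = sso.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join(cert.text.split())
            base64.b64decode(b64, validate=True)    # fail early on a mangled paste
            certs.append(b64)
    if sso_url is None or not certs:
        raise ValueError("metadata lacks a redirect SSO URL or a signing certificate")
    return root.get("entityID"), sso_url, certs


def to_pem(b64_der):
    """Wrap the metadata's base64 DER in PEM armour for 'add ssl certKey -cert'."""
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def netscaler_commands(xml_text, idp_cert_name, sp_cert_name, sp_issuer, action_name):
    """Build the certKey and samlAction commands from parsed metadata.

    Unlike the post's action this leaves -samlRejectUnsignedAssertion ON (the
    default), so the IdP certificate loaded here is actually enforced.
    """
    entity_id, sso_url, certs = parse_idp_metadata(xml_text)
    pem_file = idp_cert_name.replace(" ", "_") + ".pem"
    return {
        "entity_id": entity_id,
        "pem_file": pem_file,
        "pem": to_pem(certs[0]),
        "commands": [
            f'add ssl certKey "{idp_cert_name}" -cert {pem_file}',
            f'add authentication samlAction {action_name} '
            f'-samlIdPCertName "{idp_cert_name}" -samlSigningCertName {sp_cert_name} '
            f'-samlRedirectUrl "{sso_url}" -samlRejectUnsignedAssertion ON '
            f'-samlIssuerName "{sp_issuer}"',
        ],
    }


if __name__ == "__main__":
    out = netscaler_commands(SAMPLE_METADATA, "Google IDP Certification",
                             "mynetscaler.example.com",
                             "https://mynetscaler.example.com", "Google-IDP")
    print(out["pem"])          # save as out["pem_file"] and upload it to /nsconfig/ssl/
    print("\n".join(out["commands"]))
```

Run it against the real metadata file to get the exact SSO URL and a PEM you can upload, then paste the printed commands; if Google ever rotates its signing certificate the metadata changes and the same script produces the replacement certKey.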


Create AAA VIP


Creating the AAA VIP is fairly simple: we create it with IP address 1.2.3.4 (the address mynetscaler.example.com resolves to), bind the SAML authentication policy GoogleSAML to it and bind the SSL certificate mynetscaler.example.com:


add authentication vserver G-Suite_SAML SSL 1.2.3.4 443
bind authentication vserver G-Suite_SAML -policy GoogleSAML -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver G-Suite_SAML -certkeyName mynetscaler.example.com

Bind Policies To Traffic Management VIP


The final part of the configuration is to enable authentication on the Traffic Management VIPs. Let's assume we have a VIP called test-vip-http. We need to set its authentication parameters to -AuthenticationHost mynetscaler.example.com -Authentication ON, so that unauthenticated users are redirected to the AAA VIP:


set lb vserver test-vip-http -AuthenticationHost mynetscaler.example.com -Authentication ON

After this I started wondering: the user was authenticated, but ns.log stated that the user was not authorized. Of course, we need an authorization policy too! I created Authorization_Allow with the rule "true" to allow all users and then bound it to the VIP. Note that this rule lets through every user who authenticates successfully at Google; if only some users should reach this backend, use a narrower rule expression instead of true:


add authorization policy Authorization_Allow true ALLOW
bind lb vserver test-vip-http -policyName Authorization_Allow -priority 100 -gotoPriorityExpression END

Now you should have working SAML authentication against Google! When a user accesses your Traffic Management VIP, the user is redirected to mynetscaler.example.com (the AAA VIP), which redirects the user on to Google. If authentication succeeds, Google posts the signed SAML response back to the AAA VIP, which validates it, establishes an AAA session for the user and sends the user back to the Traffic Management VIP, which now passes the traffic.


If you encounter any issues, ns.log is the best place to search. The following links were very helpful for me:
https://support.citrix.com/article/CTX114999
https://support.citrix.com/article/CTX228135
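When ns.log reports a rejected assertion, it helps to look at what Google actually sent before changing any samlAction parameter. The script below is an added example, not code from the original post: give it the base64-decoded SAMLResponse form field captured in the browser (a SAML tracer extension shows it) and it reports which elements carry a Signature and checks the Issuer, Audience, Destination and validity window against the values the samlAction expects. It does not verify the signature cryptographically; that needs xmlsec plus the IdP certificate, and it is the check the ADC itself performs. The response embedded here is constructed, with a stub Signature, and the IdP entity ID, SP issuer and ACS URL (/cgi/samlauth on the AAA VIP) are placeholders to replace with your own.

```python
"""Triage a decoded SAML Response before touching -samlRejectUnsignedAssertion.

Added example, not code from the original post. Input is the base64-decoded
SAMLResponse form field captured from the browser. It reports which elements
carry a Signature and checks Issuer, Audience, Destination and the validity
window against what the samlAction expects. It does NOT verify the signature
cryptographically. The sample response below is constructed; its Signature is
a stub and all identifiers are placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIGNATURE_STUB = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                  '<ds:SignedInfo/></ds:Signature>')

# Constructed sample: assertion signed, outer Response unsigned, placeholder values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://mynetscaler.example.com/cgi/samlauth">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    __SIG__
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mynetscaler.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
""".replace("__SIG__", SIGNATURE_STUB)


def parse_utc(stamp):
    """SAML timestamps are UTC 'Z' strings; return an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_response(xml_text, expected_issuer, expected_audience, expected_acs, now):
    """Structural checks on a SAML Response; 'problems' lists what to fix."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are out of scope)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    r = {
        "status_ok": status is not None and status.get("Value", "").endswith(":Success"),
        # Signatures sit as direct children of the element they sign, hence find() not iter().
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "destination": root.get("Destination", ""),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "problems": [],
    }
    p = r["problems"]
    if not r["status_ok"]:
        p.append("status is not Success; the IdP rejected the request")
    if not (r["response_signed"] or r["assertion_signed"]):
        p.append("neither Response nor Assertion is signed; the IdP certificate is never checked")
    if r["issuer"] != expected_issuer:
        p.append(f"assertion Issuer {r['issuer']!r} != expected IdP entityID")
    if r["audience"] != expected_audience:
        p.append(f"Audience {r['audience']!r} != samlIssuerName {expected_audience!r}")
    if r["destination"] and r["destination"] != expected_acs:
        p.append(f"Destination {r['destination']!r} != ACS URL {expected_acs!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:                        # clock skew is the usual culprit here
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_utc(nb):
            p.append("assertion not yet valid; check NTP on the ADC")
        if na and now >= parse_utc(na):
            p.append("assertion expired; check NTP on the ADC")
    return r


if __name__ == "__main__":
    verdict = triage_response(SAMPLE_RESPONSE,
                              "https://accounts.google.com/o/saml2?idpid=EXAMPLE",
                              "https://mynetscaler.example.com",
                              "https://mynetscaler.example.com/cgi/samlauth",
                              parse_utc("2024-01-01T12:00:00Z"))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

If the output shows the assertion is signed but the ADC still rejects it, the problem is the certificate or the clock, not the signature requirement, and -samlRejectUnsignedAssertion should stay ON; an Audience mismatch points at -samlIssuerName, and a Destination mismatch at the ACS URL configured on the Google side.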
