I had a task to configure Citrix Netscaler / ADC to use SAML authentication with Google SSO. There were no instructions available for my case, where ADC would be the SAML SP and Google the SAML IDP. I struggled with some parts of the configuration, so I will describe the necessary tasks here.
Note that the AAA feature is required, so your ADC must be licensed with the "Advanced" license.
Let's assume that we already have some VIPs, backend servers and services configured. The things we need to do are listed below.
- Obtain certificates (Google IDP certificate, certificate for AAA VIP)
- Create DNS name for AAA VIP
- Create SAML server action
- Create AAA VIP
- Bind policies to Traffic Management VIP
Certificates are required so that ADC can validate Google's response using the Google IDP certificate, and you will need a certificate for the AAA VIP, as it serves HTTPS on TCP 443. You can use a self-signed certificate too, but then your users will see an invalid certificate warning, so it is better to use an internally or externally trusted certificate.
After you have placed the necessary key and cert files on the ADC, the certificates can be created like below:
add ssl certKey mynetscaler.example.com -cert mynetscaler.example.com.crt -key mynetscaler.example.com.key -expiryMonitor ENABLED -notificationPeriod 45
add ssl certKey "Google IDP Certification" -cert GoogleIDPCertificate.pem
I created two certKey entries, one for ADC (mynetscaler.example.com) and one for the Google IDP certificate.
A DNS name for the AAA VIP is required so that the Traffic Management VIP can redirect the user to that URL. Of course you could use an IP address too, but...
Create SAML Server Action
Let's start the configuration by creating a SAML server action.
add authentication samlAction Google-IDP -samlIdPCertName "Google IDP Certification" -samlSigningCertName mynetscaler.example.com -samlRedirectUrl "https://accounts.google.com/o/saml2/idp?some-prefix" -samlRejectUnsignedAssertion OFF -samlIssuerName "https://mynetscaler.example.com"
add authentication Policy GoogleSAML -rule true -action Google-IDP
In this example I have created a SAML action named Google-IDP, used "Google IDP Certification" as the IDP certificate, used mynetscaler.example.com to sign the request and, of course, specified the Google SSO URL.
In the second command I have attached this SAML action to an authentication policy called GoogleSAML.
Create AAA VIP
Creating the AAA VIP is fairly simple: we create it with the IP address 220.127.116.11, bind the SAML authentication policy GoogleSAML and bind the SSL certificate mynetscaler.example.com:
add authentication vserver G-Suite_SAML SSL 18.104.22.168 443
bind authentication vserver G-Suite_SAML -policy GoogleSAML -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver G-Suite_SAML -certkeyName mynetscaler.example.com
Bind Policies To Traffic Management VIP
The final part of the configuration is to bind the authentication policies to the Traffic Management VIPs. Let's assume we have a VIP called test-vip-http. We need to bind authentication to it with the parameters -AuthenticationHost mynetscaler.example.com -Authentication ON:
bind lb vserver test-vip-http -AuthenticationHost mynetscaler.example.com -Authentication ON
After this I started wondering... the user was authenticated, but ns.log stated that the user was not authorized. Of course, we need an authorization policy too! I created Authorization_Allow with the expression "true" to allow all users and then used bind to attach it to the VIP:
add authorization policy Authorization_Allow true ALLOW
bind lb vserver test-vip-http -policyName Authorization_Allow -priority 100 -gotoPriorityExpression END
Now you should have working SAML authentication against Google! When a user accesses your Traffic Management VIP, the user is redirected to mynetscaler.example.com, which redirects the user to Google. If authentication is successful, Google sends the user back to the AAA VIP, which informs the Traffic Management VIP to pass the traffic.
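The checks the SP side has to apply to Google's Response after that last redirect, as an added Python illustration (not ADC code): the configured samlIssuerName must appear as the Assertion's Audience, the Assertion must be inside its validity window, and because -samlRejectUnsignedAssertion OFF above lets unsigned assertions through, the example treats a missing Signature as a rejection, which is what ON enforces. The Google issuer value, the /cgi/samlauth consumer path and the sample Response are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values from the page's configuration plus assumed Google/ADC endpoints
SP_ENTITY_ID = "https://mynetscaler.example.com"           # -samlIssuerName
ACS_URL = "https://mynetscaler.example.com/cgi/samlauth"    # assumed ADC assertion consumer URL on the AAA VIP
IDP_ISSUER = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"  # assumed Google issuer
NOW_OK, NOW_LATE = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc), datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, idp_issuer, sp_entity_id, acs_url, now):
    """Return the reasons to reject this Response (empty list = passed). Structural checks
    only: verifying ds:Signature against the IdP certificate needs an XML-DSig library."""
    reasons = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        reasons.append("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return reasons + ["no Assertion in Response"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_issuer:
        reasons.append("Issuer is not the configured IDP")
    if assertion.find("ds:Signature", NS) is None:
        reasons.append("Assertion is unsigned")  # what samlRejectUnsignedAssertion ON rejects
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return reasons + ["no Conditions"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        reasons.append("Assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        reasons.append("Audience does not match samlIssuerName")
    return reasons

# Constructed minimal Response; <ds:Signature/> stands in for the real XML-DSig block
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Assertion><saml:Issuer>{IDP_ISSUER}</saml:Issuer><ds:Signature/>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling check_saml_response(SAMPLE_RESPONSE, IDP_ISSUER, SP_ENTITY_ID, ACS_URL, NOW_OK) returns an empty list, while dropping the Signature element or evaluating at NOW_LATE returns the corresponding rejection reason.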