How to Configure SAML SSO Authentication between NetScaler Gateway and Load Balancing Virtual Servers
Article ID: CTX138988
Updated On:
Description
This article describes how to configure SAML SSO authentication between NetScaler Gateway and load balancing virtual server.
If a NetScaler Gateway virtual server is configured with the SSO feature for published applications and one of the applications published in XenApp is a link to a web application that is load balanced on a NetScaler appliance, then NetScaler Gateway virtual server triggers SAML SSO to the load balancing virtual server.
Note: NetScaler Gateway and load balancing virtual servers can be on different NetScaler appliances or on the same appliance. This solution works as long as the load balancing virtual server is accessible to the user.
Load balancing virtual server must be in a protected network on port 443 and enabled for authentication.The attached PDF provides additional steps concerning the procedures within the article from a Graphical User Interface.
Instructions
| The steps to configuring SAML SSO authentication between the NetScaler Gateway and load balancing virtual server: | |
|---|---|
| 1. | User logs on to the NetScaler Gateway with user name and password, NetScaler Gateway virtual server verifies the credentials and creates a NetScaler Gateway session. |
| 2. | The NetScaler Gateway virtual server creates an ICA session and applies the SSO feature to the Citrix Web Interface. |
| 3. | User selects a published application and opens it. This application is a link to load balancing virtual server, which is load balancing the actual application server. |
| 4. | When the user opens the published application, the request passes through the NetScaler Gateway virtual server because it is a CVPN URL. The NetScaler Gateway virtual server verifies the traffic policy that requests for an SAML SSO. The NetScaler Gateway virtual server generates an SAML response with the user name and password, and complete assertion is signed. The SAML response is sent to the user with a 302 response to the load balancing virtual server. |
| 5. | The SAML response is directly sent to the load balancing virtual server. |
| 6. | After the load balancing virtual server receives the SAML response, the virtual server decodes the response and verifies the signature using the SigningCertificate. After the SAML token is verified, load balancing virtual server creates a Traffic Management session. |
| 7. | The load balancing virtual server sends the request for /myphp/abc.html to the Web server. |
| 8. | The Web server then sends a 200 OK response with the HTML form. |
| 9. | The load balancing virtual server verifies the traffic policy, evaluates FORMSSO profile, and triggers a SSO using the user credentials. |
| 10. | Web server sends a 200 OK response with the content to the load balancing virtual server. |
| 11. | The load balancing virtual server forwards the response to the user. |
After completing the steps, you should be able to configure SSO between two virtual servers.
Note: The Server and Root Certificate is required to be configured before following the steps in the article.
Refer to the article for additional information: CTX202168 - How to Create and Bind Certificates to a NetScaler Gateway Virtual Server
Note: The Command-Line User Interface parameters listed in the article will work for NetScaler 10.x and 11.x.
To configure SAML SSO authentication between NetScaler Gateway and load balancing virtual server, complete the following procedure:
| 1. Configuring SSO on NetScaler Gateway  | 2. Creating AAA vServer Binding SAML Policy  | 3. Creating Load Balancing | 4. Publishing Web Application |
Configuring NetScaler Gateway Virtual Server for SSO to Published Applications
To configure NetScaler Gateway virtual server for SSO to published application, complete the following procedure:-
Run the following command from the command line interface of the appliance to create a VPN virtual server:
add vpn vserver vpn3 SSL 10.217.28.226 443 -maxAAAUsers 1000 -icaOnly ON -
Run the following command to bind the SSL certificates:
bind ssl vserver vpn3 -certkeyName nsslvpn-2
bind ssl vserver vpn3 -certkeyName nsi-ca -CA -ocspCheck Optional -
Run the following command to bind LDAP policies:
bind vpn vserver vpn3 -policy lb_ldap_1 -priority 110 -
Run the following command to bind the session profile:
add vpn sessionAction PRO-SDC_ccapps.example1.org -SSO ON -icaProxy ON -wihome "http://xenapp1.example.com/Citrix/nsslvpn" -ntDomain example.com
add vpn sessionPolicy POL-SDC_ccapps.example1.org ns_true PRO-SDC_ccapps.example1.org
bind vpn vserver vpn3 -policy POL-SDC_ccapps.example1.org -
Run the following command to bind the STA server:
bind vpn vserver vpn3 -staServer http://xenapp1.example.com:8080/scripts/ctxsta.dll -
Run the following command to create the VPN SAML SSO profile:
add vpn samlSSOProfile vpn-saml-sso1 -samlSigningCertName nssp -assertionConsumerServiceURL "https://nssp.example.com/cgi/samlauth" -relaystateRule
"\"https://nssp.example.com/myphp/abc.html\"" -samlIssuerName nsslvpn.example.com –sendpassword ON
Note: Here nssp.example.com is a load balancing virtual server that you will be creating in the later section and /myphp/abc.html is the application residing on application server.
For SAML SSO profile, you should specify the ACS URL, relaystate value and signing certificate. This signing certificate must be provided at the receiving side to verify the signature. Refer to Creating AAA Virtual Server and Binding the SAML Policy.
Run the following command to create a traffic policy by using SAMLSSO profile:
add vpn trafficAction vpn-traffic1 http -appTimeout 10 -SSO ON -samlSSOProfile vpn-saml-sso1
add vpn trafficPolicy vpn-traffic1 "REQ.HTTP.URL CONTAINS abc.html" vpn-traffic2
bind vpn vs vpn3 –policy vpn-traffic1 –priority 100
Creating AAA Virtual Server and Binding the SAML Policy
Run the following commands to create a AAA virtual server and to bind it to the SAML policy:add authentication samlAction samlssoact1 -samlIdPCertName nssp -samlRedirectUrl https://auth1.example.com
add authentication samlPolicy samlssoact1 ns_true samlssoact1
bind authentication vserver av_saml -policy samlssoact1
Creating a Load Balancing Virtual Server to the Application Server
To create a load balancing virtual server to the application server, complete the following procedure:-
Run the following command to add a load balancing virtual server and bind it to the AAA virtual server:
add lb vserver lb1_ssl SSL 10.217.28.224 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.example.com -Authentication ON -authnVsName av_saml -
Run the following command to create a Traffic Management policy for FORM SSO to the application server:
add tm formSSOAction html_formaction -actionURL "/MYPHP/auth.php" -userField username -passwdField password -ssoSuccessRule "HTTP.RES.STATUS.EQ(200)" -submitMethod POST
add tm trafficAction html_pol -SSO ON -formSSOAction html_formaction
add tm trafficPolicy html_pol "HTTP.REQ.URL.CONTAINS(\"abc.html\")" html_pol - Run the following command to bind the Traffic Management policy to the load balancing virtual server :
Publishing a Web Application at the XenApp Site
When you configure a published application at the XenApp site, ensure that the Content Address is specified correctly. For example, in this article the web application is /myphp/abc.html and it is configured as https://nsslvpn.example.com/cvpn/https/nssp.example.com/myphp/abc.html.| Sample Screen Shots for Publishing a Web Application | |
|---|---|
| 1. |  |
| 2. |  |
| 3. |  |
| 4. |  |
After the configuration of the NetScaler appliance and the XenApp site, the users will be able to logon to the VPN virtual server and launch a published application.
Top of Page
Issue/Introduction
Additional Information
If you have configured a NetScaler AAA TM enabled virtual server with SSO to a SharePoint server with some web links in the SharePoint portal load balanced on the Traffic Management virtual server, then you need to configure a Traffic Management SAMLSSO profile instead of the VPN SAMLSSO profile. You must then bind the profile to the load balancing virtual server.
Run the following command to add a Traffic Management SAMLSSO profile:
add tm samlSSOProfile tm-saml-sso -samlSigningCertName nssp -assertionConsumerServiceURL "https://nssp2.example.com/cgi/samlauth" -relaystateRule "\"https://nssp2.example.com/samlsso.html\"" -sendPassword ON -samlIssuerName nssp.example.com
In the preceding command, https://nssp2.example.com is the load balancing virtual server that has a web link from the SharePoint portal. Nssp.example.com is the Traffic Management virtual server which is load balancing the SharePoint server.
CTX233026 - [NetScaler Gateway Trace Study] – NetScaler Gateway SAML Authentication to StoreFront
