In the current Single Sign-On (SSO) model, NetScaler uses the credentials the user entered at logon for SSO.
If NetScaler could offer a choice of which values to use as the SSO username and password, it would solve problems such as choosing a different username, taken from the extracted Lightweight Directory Access Protocol (LDAP) attributes, per traffic profile. It could also use the attributes extracted from a Security Assertion Markup Language (SAML) assertion, taking one extracted attribute as the username and another as the password for SSO to back-end applications.
From NetScaler 10.5 Maintenance Release 4, NetScaler supports advanced expressions in SSO. During SSO, NetScaler evaluates these expressions to determine which value to use as the username and which value to use as the password.
The following options apply to both AAA-TM and NetScaler Gateway. As part of this feature, the traffic action has two new parameters:
-userExpression
-passwdExpression
With advanced expressions in SSO, the username and password can be set:
To any value that an advanced expression can produce. For example, if the SSO username must be 'domain\username', then -userExpression can be set to http.req.user.domain+"\\"+http.req.user.login_name
Differently per traffic profile, by giving each traffic action its own expression.
To values extracted as part of authentication, available as http.req.user.attribute(1..16).
After marshalling or unmarshalling the extracted attributes, for example with URL encode/decode or base64 encode/decode.
The following two scenarios can be solved with advanced expressions in SSO.
In the first scenario, NetScaler authenticates the user with SAML, extracts FirstName and LastName from the assertion, and constructs the SSO username from them.
Configure a SAML action that extracts FirstName and LastName from the assertion, and bind the SAML policy to the authentication virtual server.
NetScaler> add authentication samlAction samladfs -samlIdPCertName adfs-signing -samlSigningCertName nssp-cert -samlRedirectUrl "https://adfs.example.com/adfs/ls/" -samlUserField NameID -samlIssuerName nssp.nsi-test.com -defaultAuthenticationGroup saml_allowed -Attribute1 FirstName -Attribute2 LastName
NetScaler> add authentication samlPolicy samladfs ns_true samladfs
NetScaler> bind authentication vserver av1 -policy samladfs
Configure a traffic action whose -userExpression concatenates the first character of FirstName with LastName, and bind the traffic policy to the load balancing virtual server.
NetScaler> add tm trafficAction tmact1 -sso on -userExpression http.req.user.attribute(1).substr(0,1)+http.req.user.attribute(2) -passwdExpression http.req.user.passwd
NetScaler> add tm trafficpolicy tmpol1 "http.req.url.contains(\"sharepoint.html\")" tmact1
NetScaler> bind lb vserver lb_Sharepoint -policy tmpol1 -pr 10
In the second scenario, LDAP is used for user authentication, UserPrincipalName for SSO to Web Interface, the e-mail address for SSO to Exchange, and 'domain\Username' for SSO to all other applications. The LDAP action extracts userPrincipalName and mail as attributes 1 and 2, and one traffic policy per application selects the matching expression.
NetScaler> add authentication ldapAction ldap-nsi-test -serverIP 10.217.22.241 -serverPort 389 -authTimeout 30 -ldapBase "dc=nsi-test,dc=com" -ldapBindDn Administrator@nsi-test.com -ldapBindDnPassword password -ldapLoginName samaccountname -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute samaccountname -passwdChange ENABLED -defaultAuthenticationGroup smrtgrp2 -Attribute1 userprincipalname -Attribute2 mail
NetScaler> add authentication ldapPolicy ldap-nsi-test ns_true ldap-nsi-test
NetScaler> bind vpn vserver vpn1 -policy ldap-nsi-test
NetScaler> add vpn trafficaction vpn-wi-sso HTTP -sso on -userexpression http.req.user.attribute(1)
NetScaler> add vpn trafficPolicy vpn-wi-sso "REQ.HTTP.URL CONTAINS /Citrix/ageesso" vpn-wi-sso
NetScaler> bind vpn vserver vpn1 -policy vpn-wi-sso -pr 10
NetScaler> add vpn trafficaction exchange-sso HTTP -sso on -userexpression http.req.user.attribute(2) -passwdexpression http.req.user.passwd
NetScaler> add vpn trafficpolicy exchange-sso "REQ.HTTP.URL CONTAINS /owa" exchange-sso
NetScaler> bind vpn vserver vpn1 -policy exchange-sso -pr 20
NetScaler> add vpn trafficaction sso HTTP -sso on -userexpression http.REQ.USER.DOMAIN+"\\"+http.REQ.USER.LOGIN_NAME
NetScaler> add vpn trafficpolicy sso ns_true sso
NetScaler> bind vpn vserver vpn1 -policy sso -pr 30
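As an added example (not NetScaler code and not part of the original article), the following Python script is a toy evaluator for the expression subset that both scenarios above use: the http.req.user.domain, login_name, passwd and attribute(1..16) fields, substr, concatenation with +, and base64 and URL encode/decode as the marshalling operators mentioned earlier. The operator names b64encode, b64decode, url_encode and url_decode, the SsoContext class, the rule that an unset attribute resolves to an empty string, and the two sample users are this example's own assumptions, not NetScaler's operator names or semantics. Because the subset is also valid Python syntax, the standard ast module does the parsing and a walker enforces the allowed constructs; nothing is ever passed to eval(). It lets you check what a given -userExpression resolves to for a set of extracted attributes before binding the traffic policy, and it refuses an expression that resolves to an empty username (again the example's own check).

```python
"""Toy evaluator for the subset of NetScaler advanced policy expressions used with
-userExpression / -passwdExpression. Added example, not NetScaler's own code."""
import ast
import base64
import urllib.parse
from dataclasses import dataclass, field


class ExprError(ValueError):
    pass


@dataclass
class SsoContext:
    """What the appliance knows about the user after authentication (constructed sample)."""
    login_name: str
    domain: str
    passwd: str                                      # password the user typed at logon
    attributes: dict = field(default_factory=dict)   # 1..16 -> extracted LDAP/SAML attribute


def user_field(name, args, ctx):
    """Resolve http.req.user.<field>; an unset attribute yields '' (this evaluator's choice)."""
    if name == 'attribute':
        if len(args) != 1 or not 1 <= args[0] <= 16:
            raise ExprError("attribute(n) takes one index in 1..16")
        return ctx.attributes.get(args[0], '')
    if args or name not in ('domain', 'login_name', 'passwd'):
        raise ExprError(f"unsupported user field {name!r}")
    return getattr(ctx, name)


def string_op(value, name, args):
    """Marshalling operators on a text value; names follow the page's wording, not NetScaler's."""
    if name == 'substr':                              # substr(offset, length)
        if len(args) != 2:
            raise ExprError("substr takes (offset, length)")
        return value[args[0]:args[0] + args[1]]
    ops = {'b64encode': lambda v: base64.b64encode(v.encode()).decode(),
           'b64decode': lambda v: base64.b64decode(v).decode(),
           'url_encode': lambda v: urllib.parse.quote(v, safe=''),
           'url_decode': urllib.parse.unquote}
    if args or name not in ops:
        raise ExprError(f"unsupported operator {name!r}")
    return ops[name](value)


def member(base, name, args, ctx):
    """One '.name' or '.name(args)' step, on the http.req.user path or on a text value."""
    if isinstance(base, list):                        # still walking http.req.user...
        path = base + [name]
        if path in (['http', 'req'], ['http', 'req', 'user']) and not args:
            return path
        if path[:3] == ['http', 'req', 'user'] and len(path) == 4:
            return user_field(name, args, ctx)
        raise ExprError(f"unsupported object {'.'.join(path)}")
    return string_op(base, name, args)


def as_text(value):
    if isinstance(value, list):                       # an object path is not a usable value
        raise ExprError(f"{'.'.join(value)} is not a text value")
    return value


def evaluate(node, ctx):
    """Walk the AST, accepting only string literals, '+', and dotted member/call chains."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return as_text(evaluate(node.left, ctx)) + as_text(evaluate(node.right, ctx))
    if isinstance(node, ast.Name):
        if node.id.lower() != 'http':
            raise ExprError(f"unknown object {node.id!r}")
        return ['http']
    if isinstance(node, ast.Attribute):               # names are case-insensitive in NetScaler
        return member(evaluate(node.value, ctx), node.attr.lower(), [], ctx)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and not node.keywords:
        if not all(isinstance(a, ast.Constant) and type(a.value) is int for a in node.args):
            raise ExprError("call arguments must be integer literals")
        args = [a.value for a in node.args]
        return member(evaluate(node.func.value, ctx), node.func.attr.lower(), args, ctx)
    raise ExprError(f"unsupported syntax: {type(node).__name__}")


def evaluate_expression(ctx, expression):
    """The subset is valid Python syntax, so ast parses it; the walker decides what is allowed."""
    try:
        tree = ast.parse(expression.strip(), mode='eval')
    except SyntaxError as exc:
        raise ExprError(f"cannot parse expression: {exc.msg}") from None
    return as_text(evaluate(tree.body, ctx))


def resolve_sso_credentials(ctx, user_expression, passwd_expression=None):
    """(username, password) that SSO would send. Without -passwdExpression the user-entered
    password is used, as in the pre-existing model; an empty username is rejected (own check)."""
    username = evaluate_expression(ctx, user_expression)
    password = ctx.passwd if passwd_expression is None else evaluate_expression(ctx, passwd_expression)
    if not username:
        raise ExprError("SSO username is empty; check the extracted attributes")
    return username, password


# Constructed sample users for the page's two scenarios (not real accounts).
SAML_USER = SsoContext('jsmith', 'nsi-test', 'P@ssw0rd!', {1: 'John', 2: 'Smith'})
LDAP_USER = SsoContext('jsmith', 'nsi-test', 'P@ssw0rd!',
                       {1: 'jsmith@nsi-test.com', 2: 'john.smith@nsi-test.com'})
```

With the constructed SAML_USER, resolve_sso_credentials(SAML_USER, 'http.req.user.attribute(1).substr(0,1)+http.req.user.attribute(2)') resolves the first scenario's expression to JSmith, and with LDAP_USER the third traffic action of the second scenario resolves to nsi-test\jsmith. A practical caveat the toy mirrors: attribute(n) for an attribute the IdP or directory did not return is empty, so an expression such as attribute(1).substr(0,1)+attribute(2) silently degrades to just the initial, or to nothing at all; confirm that the SAML action or LDAP action actually extracts every attribute your expression indexes before relying on it for SSO.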