How to Set Up Windows ADFS Server to Test SAML Authentication with NetScaler Gateway


Article ID: CTX207196

Description

This article describes how to set up Active Directory Federation Services (ADFS) as a SAML identity provider for NetScaler Gateway, so that SAML authentication issues can be reproduced and tested against ADFS. It also serves as an introduction to SAML authentication with NetScaler Gateway.

Requirements

  • Windows Server 2008 R2 with SP1, joined to an existing Active Directory domain, to host ADFS 2.0
  • A NetScaler Gateway virtual server (VIP) with a server certificate bound to it

Instructions

Active Directory Federation Services

Install ADFS on Windows

Complete the following procedure:

  1. Install IIS.
  2. Install the server certificate for the federation service FQDN and bind it to the HTTPS site in IIS.
  3. Download ADFS 2.0 for Windows Server 2008 R2 SP1 from the Microsoft Download Center and run the installer.
  4. Accept the license agreement and click Next.
  5. Ensure that Federation Server is selected and click Next.
  6. Select the Start the AD FS 2.0 Management snap-in when this wizard closes check box and click Finish.

Configure ADFS Using the GUI

Complete the following steps to configure ADFS using GUI:

  1. Click the AD FS 2.0 Federation Server Configuration Wizard link.
  2. Select the Create a new Federation Service option and click Next.
  3. Select the Stand-alone federation server option and click Next.
  4. The wizard prefills the Federation Service Name from the subject of the certificate bound in IIS. If that certificate is a wildcard certificate, replace the name with the actual FQDN of your ADFS server; this is the name NetScaler will redirect users to.
  5. Confirm that the Federation Service Name is the FQDN of your ADFS server and click Next.
    • The Configuration Results page shows the status of each configuration step.
    • Click Next.
  6. Click Close.
  7. After installation, go to AD FS 2.0 > Service > Certificates.
  8. ADFS 2.0 generates self-signed Token-decrypting and Token-signing certificates. For this test they do not need to be replaced: NetScaler trusts the Token-signing certificate because that exact certificate is installed on it, not through a CA chain.
  9. Export the Token-signing certificate, as it needs to be installed on the NetScaler appliance. To do this, complete the following procedure:
    • Select the Token-signing certificate and click View Certificate.
    • Click the Details tab and click Copy to File.
    • Click Next on the Certificate Export Wizard welcome screen.
    • Save the file as Base-64 encoded X.509 (.CER).
    • Note: As this file needs to be imported on NetScaler, ensure it is accessible from your workstation.
    • Click Finish. Open the exported file, validate the certificate information (subject, validity period, thumbprint) and click OK.
    • Caveat: by default ADFS 2.0 automatically rolls over its self-signed Token-signing certificate (AutoCertificateRollover). After a rollover NetScaler rejects assertions signed with the new certificate until the new Token-signing certificate is exported and installed on NetScaler again.

Configure the Relying Party Trusts

  • Go to AD FS 2.0 > Trust Relationships > Relying Party Trusts
  • Click Add Relying Party Trust.

The relying party trust is created by importing a metadata.xml file that describes the NetScaler Gateway as the SAML service provider; an example follows.
Note: If you use an editor to modify the file, save it with UTF-8 encoding to avoid import errors.
Sample metadata file explained (the original article colour-codes these values; in text form):

  • adfs10.reklawpw.com is the NetScaler Gateway VIP. It appears as the entityID (which becomes the relying party identifier in ADFS), as the KeyName and X509SubjectName, and as the host of the AssertionConsumerService Location; /cgi/samlauth is the endpoint at which NetScaler receives the SAML response.
  • ftlrpaulwadfs.reklawpw.com is the ADFS server FQDN, used in the RequestInitiator Location (https://<ADFS FQDN>/adfs/ls).
  • The X509Certificate content is the base64 body of the certificate bound to the NetScaler VIP, copied from its PEM file without the BEGIN/END lines. ADFS uses it to verify the AuthnRequests that NetScaler signs.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_724200788f8391f96053f72adc628fecc808d099" entityID="https://adfs10.reklawpw.com">
 
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://ftlrpaulwadfs.reklawpw.com/adfs/ls"/>
   </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>adfs10.reklawpw.com</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=adfs10.reklawpw.com</ds:X509SubjectName>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs10.reklawpw.com/cgi/samlauth" index="0"/>
  
  </md:SPSSODescriptor>
 
</md:EntityDescriptor>
  • Click Start.
  • Select Import data about the relying party from a file, click Browse and select the saved metadata.xml file.
  • After selecting the file (see the screen shot in the original article), click Next.
  • Provide a meaningful Display Name and click Next.
  • Select Permit all users to access this relying party and click Next.
  • Click Next.
  • Click Close. The Edit Claim Rules dialog opens.
  • To define the claim rules, click Add Rule.
  • Select Send LDAP Attributes as Claims from the claim rule template drop-down and click Next.
  • Enter a name in the Claim rule name field and select Active Directory as the Attribute store. Map the LDAP attribute that NetScaler will treat as the user name to an outgoing claim type (this claim type is what the User Field of the NetScaler SAML server refers to later) and click Finish.
  • Click OK.
  • Right-click the newly created relying party trust and select Properties.
  • Go to the Identifiers tab and make sure the relying party identifier carries https:// in front of the URL. It must match exactly what NetScaler sends as the issuer, scheme included.
  • Select the Encryption tab and click Remove to delete the encryption certificate. The KeyDescriptor in the sample metadata has no use attribute, so ADFS registered the NetScaler certificate for encryption as well as signing. Once it is removed, ADFS sends the assertion signed but not encrypted, which is what this NetScaler configuration expects; TLS still protects it in transit.
  • Click the Advanced tab and set the Secure hash algorithm to SHA-1. Click OK to save the changes. Both sides must agree on the signature algorithm; SHA-1 is used here because it is what older NetScaler releases support for SAML. Where the NetScaler release lets you set the SAML server's Signature Algorithm and Digest Method to SHA-256, prefer SHA-256 on both ends.
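As an added example (not Citrix's or Microsoft's code), the following Python script generates a metadata.xml in the layout of the sample above from three inputs, the Gateway VIP FQDN, the ADFS FQDN and the PEM of the certificate bound to the VIP, and checks the pitfalls from this procedure before the file is handed to ADFS: UTF-8 encoding, an https entityID, an AssertionConsumerService pointing at the VIP's /cgi/samlauth, a decodable certificate body and a KeyDescriptor use attribute. It goes one step beyond the sample by emitting use="signing", which per the SAML metadata specification limits the key to signing, so ADFS should not register it as an encryption certificate. The host names and the certificate body are constructed placeholders.

```python
"""Generate and sanity-check NetScaler Gateway SP metadata for an ADFS relying party trust.

Added example, not code from Citrix or Microsoft. Host names and the certificate
body below are constructed placeholders.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
INIT = "urn:oasis:names:tc:SAML:profiles:SSO:request-init"
for _prefix, _uri in (("md", MD), ("ds", DS), ("init", INIT)):
    ET.register_namespace(_prefix, _uri)

VIP_FQDN = "gateway.example.test"   # assumed NetScaler Gateway virtual server FQDN
ADFS_FQDN = "adfs.example.test"     # assumed ADFS federation service FQDN
# Placeholder: base64 of arbitrary bytes standing in for the DER certificate bound to the VIP.
VIP_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(b"placeholder DER bytes of the VIP certificate").decode()
                + "\n-----END CERTIFICATE-----\n")


def pem_body(pem: str) -> str:
    """Return the base64 body of a PEM certificate; ADFS wants only that inside X509Certificate."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    base64.b64decode(body, validate=True)   # fail early on a mangled copy-paste
    return body


def build_sp_metadata(vip_fqdn: str, adfs_fqdn: str, vip_cert_pem: str, key_use="signing") -> bytes:
    """Return UTF-8 metadata with the layout of the sample above.

    entityID carries the https scheme so the relying party identifier ADFS derives
    from it needs no manual edit. key_use=None reproduces the sample's KeyDescriptor
    without a use attribute.
    """
    entity_id = f"https://{vip_fqdn}"
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ext = ET.SubElement(sp, f"{{{MD}}}Extensions")
    ET.SubElement(ext, f"{{{INIT}}}RequestInitiator", Binding=INIT,
                  Location=f"https://{adfs_fqdn}/adfs/ls")   # where NetScaler redirects users
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")
    if key_use:
        kd.set("use", key_use)
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    ET.SubElement(ki, f"{{{DS}}}KeyName").text = vip_fqdn
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509SubjectName").text = f"CN={vip_fqdn}"
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(vip_cert_pem)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=f"{entity_id}/cgi/samlauth", index="0")   # NetScaler's SAML endpoint
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_sp_metadata(blob: bytes, vip_fqdn: str) -> list:
    """List the problems to fix before importing the file into ADFS (empty list = clean)."""
    problems = []
    try:
        blob.decode("utf-8")
    except UnicodeDecodeError:
        return ["file is not valid UTF-8"]
    root = ET.fromstring(blob)
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID {entity_id!r} has no https scheme; the ADFS identifier will need editing")
    acs = root.find(f".//{{{MD}}}AssertionConsumerService")
    if acs is None or acs.get("Location") != f"https://{vip_fqdn}/cgi/samlauth":
        problems.append("AssertionConsumerService Location is not https://<VIP>/cgi/samlauth")
    cert = (root.findtext(f".//{{{DS}}}X509Certificate") or "").strip()
    if not cert:
        problems.append("X509Certificate missing")
    else:
        try:
            base64.b64decode(cert, validate=True)
        except binascii.Error:
            problems.append("X509Certificate is not base64 (PEM header left in, or a line break inserted?)")
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") is None:
            problems.append("KeyDescriptor has no use attribute: ADFS will also register the "
                            "certificate for encryption (hence the Encryption tab clean-up)")
    return problems


if __name__ == "__main__":
    metadata = build_sp_metadata(VIP_FQDN, ADFS_FQDN, VIP_CERT_PEM)
    print(metadata.decode())
    print("problems:", check_sp_metadata(metadata, VIP_FQDN))
```

Run check_sp_metadata on the file you actually intend to import, not only on generated output: a metadata.xml hand-edited in an editor is where the non-UTF-8 encoding and the broken certificate line usually creep in.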

NetScaler

Install the ADFS Token-signing certificate exported in the preceding steps on the NetScaler as a certificate (Traffic Management > SSL > Certificates). It is a public certificate only, so no key file is needed. NetScaler uses it to verify the signature on the assertions ADFS issues; remember to reinstall it after an ADFS certificate rollover.

Add the SAML Profile and Policy

  1. Go to NetScaler Gateway > Policies > Authentication > SAML.

  2. Click the Servers tab and click Add. Define the SAML server as shown in the following screen shot. The colour-coded fields map as follows:

  • IDP Certificate Name (dark blue): the ADFS Token-signing certificate installed in the previous step. NetScaler verifies the assertion signature with it.
  • Redirect URL (yellow): the ADFS sign-on endpoint, https://<ADFS FQDN>/adfs/ls, to which unauthenticated users are redirected.
  • User Field (purple): the outgoing claim type set in the claim rule; its value becomes the NetScaler user name.
  • Signing Certificate Name (red): the certificate bound to the NetScaler VIP, the same certificate embedded in metadata.xml. NetScaler signs its AuthnRequests with it.
  • Issuer Name (light blue): the NetScaler Gateway virtual server FQDN that users access. It must match the relying party identifier configured in ADFS.


Create the SAML Policy

  1. On the Policies tab, click Add, give the policy a name, select the SAML server created above as the server, and use the expression ns_true. Note the policy name.
  2. Bind the SAML policy to the NetScaler VIP as a primary authentication policy. In this case it was a NetScaler Gateway virtual server. Users who hit the VIP are then redirected to https://<ADFS FQDN>/adfs/ls and come back with a SAML response posted to /cgi/samlauth.
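To test issues with the exchange itself, the following added Python script (not Citrix's or Microsoft's code) decodes the SAMLResponse form field that ADFS posts to /cgi/samlauth and compares it with the SAML server fields above: the Destination against the ACS URL, the Issuer against the ADFS federation service identifier, the Audience against the Issuer Name, the SignatureMethod against the algorithm set on the Advanced tab, the signing certificate fingerprint against the Token-signing certificate installed on NetScaler, the Conditions window against the clock, whether the assertion arrived encrypted, and whether the claim that feeds the User Field is present. It does not verify the XML signature cryptographically (NetScaler does that); it finds the configuration mismatches that surface as signature or user-name errors. The host names, the claim name and the certificate bodies are constructed placeholders, and the sample response is constructed to match them with a dummy SignatureValue. Capture a real one from the browser (the SAMLResponse POST parameter) and pass it to inspect_response.

```python
"""Inspect a SAMLResponse against the NetScaler Gateway SAML server settings.

Added example, not code from Citrix or Microsoft. EXPECTED, the certificate
bodies and the sample response are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

VIP_FQDN = "gateway.example.test"   # assumed Gateway virtual server FQDN
ADFS_FQDN = "adfs.example.test"     # assumed ADFS federation service FQDN
EXPECTED = {
    "issuer": f"http://{ADFS_FQDN}/adfs/services/trust",   # ADFS default federation service identifier
    "audience": f"https://{VIP_FQDN}",                     # Issuer Name on the SAML server / metadata entityID
    "destination": f"https://{VIP_FQDN}/cgi/samlauth",     # AssertionConsumerService Location
    "user_attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",  # assumed claim behind User Field
    "signature_alg": RSA_SHA1,                             # Secure hash algorithm chosen on the Advanced tab
}
# Placeholders: base64 of arbitrary bytes standing in for DER certificates, not real X.509.
IDP_CERT_B64 = base64.b64encode(b"placeholder DER of the installed ADFS token-signing certificate").decode()
ROLLED_CERT_B64 = base64.b64encode(b"placeholder DER of an auto-rolled token-signing certificate").decode()
IDP_CERT_SHA1 = hashlib.sha1(base64.b64decode(IDP_CERT_B64)).hexdigest()
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for a reproducible sample


def _ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _parse_ts(s: str) -> datetime:
    """ADFS writes e.g. 2020-01-01T12:00:00.123Z; drop the fraction and treat as UTC."""
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def constructed_response(now: datetime, alg=RSA_SHA1, cert_b64=IDP_CERT_B64,
                         audience=EXPECTED["audience"]) -> str:
    """Base64 SAMLResponse shaped like an ADFS POST to /cgi/samlauth (constructed). The
    Signature carries only the algorithm and certificate; SignatureValue is a dummy."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  Destination="{EXPECTED['destination']}" IssueInstant="{_ts(now)}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(minutes=5))}" NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EXPECTED['user_attribute']}"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode()


def inspect_response(saml_response_b64: str, expected=EXPECTED, idp_cert_sha1=IDP_CERT_SHA1,
                     now=None) -> list:
    """Decode a SAMLResponse form value and list mismatches against the SAML server settings."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        return ["assertion is encrypted: remove the encryption certificate on the relying party trust"]
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        return ["no Assertion in response (check StatusCode for an ADFS-side failure)"]
    if root.get("Destination") != expected["destination"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if a.findtext(f"{{{SAML}}}Issuer") != expected["issuer"]:
        findings.append("Issuer does not match the ADFS federation service identifier")
    if a.findtext(f".//{{{SAML}}}Audience") != expected["audience"]:
        findings.append("Audience does not match the Gateway Issuer Name / relying party identifier")
    sig = a.find(f"{{{DS}}}Signature")
    if sig is None:
        findings.append("assertion is not signed")
    else:
        alg = sig.find(f".//{{{DS}}}SignatureMethod").get("Algorithm")
        if alg != expected["signature_alg"]:
            findings.append(f"SignatureMethod {alg} differs from the algorithm NetScaler expects")
        cert = (sig.findtext(f".//{{{DS}}}X509Certificate") or "").strip()
        fp = hashlib.sha1(base64.b64decode(cert)).hexdigest() if cert else ""
        if fp != idp_cert_sha1:   # typical after an ADFS token-signing certificate rollover
            findings.append("signing certificate fingerprint differs from the installed token-signing "
                            "certificate; re-export it from ADFS and reinstall it on NetScaler")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is not None and not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        findings.append("now is outside the assertion validity window: check clock skew between ADFS and NetScaler")
    present = {x.get("Name") for x in a.iter(f"{{{SAML}}}Attribute")}
    if expected["user_attribute"] not in present:
        findings.append(f"claim for User Field missing; claims present: {sorted(present)}")
    return findings


if __name__ == "__main__":
    print("clean:", inspect_response(constructed_response(SAMPLE_NOW), now=SAMPLE_NOW) or "OK")
    print("sha256 + rolled cert:", inspect_response(
        constructed_response(SAMPLE_NOW, alg=RSA_SHA256, cert_b64=ROLLED_CERT_B64), now=SAMPLE_NOW))
```

The fingerprint comparison is the check to run first when SAML suddenly stops working after months of operation, since an ADFS auto-rollover changes the certificate without any change on the NetScaler side; the validity-window check catches the other silent failure, clock drift between the two machines.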
