How to configure SAML on NetScaler 11.1

Article ID: CTX221289

Description

When you configure SAML authentication, you create the following settings:

  • IdP Certificate Name. This is the public key that corresponds to the private key at the IdP.
  • Redirect URL. This is the URL of the authentication IdP. Users who are not authenticated are redirected to this URL.
  • User Field. You can use this field to extract the user name if the IdP sends the user name in a different format than the NameIdentifier tag of the Subject tag. This is an optional setting.
  • Signing Certificate Name. This is the private key of the NetScaler Gateway server that is used to sign the authentication request to the IdP. If you do not configure a certificate name, the assertion is sent unsigned or the authentication request is rejected.
  • SAML Issuer name. The name to be used in requests sent from NetScaler to an IdP to uniquely identify NetScaler.
Requirements
=============
1. AAA Vservers.
2. Load Balancing Virtual Server.
3. Certificates.
4. LDAP.

Certificates
============
1. Server certificate for the AAA vserver: this certificate is bound to the AAA vserver.
2. IdP signing certificate: this certificate is used to sign the SAML assertion. It is sent to the SAML Service Provider (SP).
3. SP signing certificate: this is the same kind of certificate as the IdP certificate, but the private key is on the SP and the NetScaler only holds the public key.

In this SAML configuration, the same wildcard certificate is used as the AAA vserver certificate, the IdP certificate and the SP certificate. In a production environment, these certificates should be different.
User-added image

Configuration of SAML IdP part
==============================
Go to NetScaler Gateway - Policies - Authentication - SAML IDP.
1. Create a SAML IdP profile and bind it to the IdP AAA vserver (aaa_idp).

User-added image

2. Assertion Consumer Service URL: type the FQDN of the load balancing virtual server, for example http://vs.lab.com/cgi/samlauth, where vs.lab.com is the load balancing virtual server.

3. Create a SAML IdP policy:

User-added image
 
Now configure the SAML Service Provider (SP) part
=================================================
Go to NetScaler Gateway - Policies - Authentication - SAML.

1. Create a SAML server.
User-added image
 
Redirect URL
============

This is the URL of the authentication IdP. Users who are not authenticated are redirected to this URL.

2. Create a SAML policy.

User-added image

Configuration of AAA Vserver part
=================================

1. Create two AAA vservers: one vserver for the IdP and another for the SP. You can give the AAA vservers any names you want.
In this configuration, the IdP vserver is named aaa_idp and the SP vserver is named sv2.
 
Configuration of AAA IdP vserver
================================

User-added image
  • Bind the server certificate and the basic authentication policy.
  • Also bind the SAML IdP policy to the IdP vserver.

User-added image
  • Make sure the SAML IdP policy has a lower priority number than the LDAP policy (a lower number is evaluated first).
  • For example, if the SAML IdP policy priority is 90, the LDAP policy priority should be 100.

Configuration of AAA SP vserver
===============================


User-added image

There is no need to bind an LDAP policy here.

Load Balancing Virtual Server part
==================================


Go to Traffic Management - Load Balancing - Virtual Servers.

User-added image
 

2. Select Authentication and check Form Based Authentication:

   1. Authentication FQDN: type the FQDN of the SP virtual server.
   2. Virtual Server Type: from the drop-down, select Authentication Virtual Server.
   3. Authentication Virtual Server: select the AAA SP vserver.

User-added image


User-added image
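The whole procedure above, expressed as the equivalent NetScaler CLI commands (an added example, not part of the original article). Assumed values: wildcard_cert is the single wildcard certificate the lab uses for all three roles, 192.0.2.x addresses are documentation-range placeholders, ldap_pol is an LDAP policy that already exists, aaa_idp.lab.com and sv2.lab.com are the FQDNs of the two AAA vservers, and /saml/login is the NetScaler IdP login endpoint.

```text
# Added example: NetScaler 11.1 CLI equivalent of the GUI steps in this article.
# Assumed (not from the article): wildcard_cert, 192.0.2.x IPs, ldap_pol,
# aaa_idp.lab.com, sv2.lab.com, the /saml/login IdP endpoint and the issuer names.
# The lab reuses one wildcard cert for all roles; use separate certs in production.

# --- SAML IdP side (bound to the IdP AAA vserver aaa_idp) ---
# IdP cert signs the assertion; SP cert verifies signed requests from the SP;
# ACS URL is the load balancing vserver from the article.
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName wildcard_cert -samlSPCertName wildcard_cert -assertionConsumerServiceURL "http://vs.lab.com/cgi/samlauth" -samlIssuerName "https://aaa_idp.lab.com" -rejectUnsignedRequests ON
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof

# --- SAML SP side (bound to the SP AAA vserver sv2) ---
# IdP cert verifies the assertion signature; signing cert (private key) signs
# the authentication request; redirect URL is the IdP vserver's SAML endpoint.
# -samlUserField is optional and omitted here (NameIdentifier is used).
add authentication samlAction saml_sp_act -samlIdPCertName wildcard_cert -samlSigningCertName wildcard_cert -samlRedirectUrl "https://aaa_idp.lab.com/saml/login" -samlIssuerName "https://sv2.lab.com" -samlRejectUnsignedAssertion ON
add authentication samlPolicy saml_sp_pol -rule ns_true -reqAction saml_sp_act

# --- AAA vservers ---
# IdP vserver: server cert, LDAP (basic) policy and SAML IdP policy.
# Lower priority number is evaluated first: SAML IdP 90, LDAP 100.
add authentication vserver aaa_idp SSL 192.0.2.10 443
bind ssl vserver aaa_idp -certkeyName wildcard_cert
bind authentication vserver aaa_idp -policy saml_idp_pol -priority 90
bind authentication vserver aaa_idp -policy ldap_pol -priority 100

# SP vserver: server cert and SAML policy only, no LDAP policy.
add authentication vserver sv2 SSL 192.0.2.11 443
bind ssl vserver sv2 -certkeyName wildcard_cert
bind authentication vserver sv2 -policy saml_sp_pol -priority 100

# --- Load balancing vserver (vs.lab.com) with form-based authentication ---
# Authentication FQDN is the SP vserver; the authentication vserver is sv2.
add lb vserver vs_lab HTTP 192.0.2.20 80
set lb vserver vs_lab -authentication ON -authenticationHost sv2.lab.com -authnVsName sv2
```

Bind the backend service to vs_lab as usual; it is not shown because the article does not cover it.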