How to Configure NetScaler as IDP for SAML Based Integration with 15Five

Article ID: CTX222594

Description

This article describes how to configure NetScaler as an Identity Service Provider (IDP) for the 15Five SaaS application, using the SAML (Security Assertion Markup Language) protocol.

Introduction

15Five provides a performance management platform that combines employee feedback, objectives (OKRs), pulse surveys, and peer recognition. Employers and organizations that use 15Five services typically need their employees to log in to the 15Five SaaS portal to provide, update and review feedback, reports and so on. 15Five, as a Service Provider, supports identity services provided by an external entity based on SAML. Organizations can leverage this feature to provide SSO (Single Sign-On) through their own IDP (NetScaler in this case) for users accessing both mobile and web-based applications.
 
Typical call flow:
  1. The user tries to log on to the 15Five portal.
  2. Based on the entered domain, the user is redirected to his or her organization's IDP.
  3. The IDP checks the user's credentials or, if the user is already signed on to a different service, skips authentication by leveraging SSO.
  4. The user is redirected back to the 15Five portal with the authentication response piggybacked on the redirect.
  5. The 15Five portal validates the response and allows the user to access its applications.

Prerequisite

It is assumed you have the following:

  • An active 15Five account with administrator login rights for your organization.
  • A customized subdomain from 15Five support. When you request the subdomain, 15Five will also turn on Single Sign-On for your company so that you can access their self-service SAML setup wizard.
  • A signed certificate.

Instructions

Follow the steps below to complete the configuration on the 15Five portal.

  1. Log in to the 15Five portal using the administrator login provided to your company.
  2. Click Single Sign-On under Company on the navigation tab and configure it as shown:

    [Screenshot: 15Five Single Sign-On configuration page]

    Note: You will need to replace the IP address of the IDP with the FQDN of NetScaler in the above configuration.

  3. In the XML setup tab, provide the metadata file for the NetScaler SAML IDP, which can be generated using an online tool such as OneLogin. A sample file is pasted at the end of this article.

Configuration steps on NetScaler

Perform the steps below using the CLI (Command Line Interface) to complete the configuration on NetScaler.

  1. Add the NetScaler and 15Five certificates:
    add ssl certKey 15five -cert 15five.cer
    add ssl certKey aaa_wild -cert aaatm_wild.cer -key aaatm_wild.key

  2. Configure the SAML IDP profile and policy (the IDP certificate name must match the certKey added in step 1):
    add authentication samlIdPProfile samlidp -samlSPCertName 15five -samlIdPCertName aaa_wild -assertionConsumerServiceURL "https://citrix.15five.com/saml2/acs/" -samlIssuerName "https://52.52.222.47" -rejectUnsignedRequests OFF -Attribute1 mail -Attribute1Expr "http.req.user.name" -samlBinding POST
    add authentication samlIdPPolicy 15five_samlidp -rule true -action samlidp

  3. For NetScaler to authenticate users, configure an LDAP authentication action and policy:
    add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn Administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName UserPrincipalName -groupAttrName memberof -subAttributeName CN
    add authentication ldappolicy ldap-new ns_true ldap-new

  4. Add a new authentication vserver and bind the certificate and the policies to it:
    add authentication vserver av1 SSL 10.217.28.164 443
    bind ssl vserver av1 -certkeyName aaa_wild
    bind authentication vserver av1 -policy 15five_samlidp -priority 10
    bind authentication vserver av1 -policy ldap-new

Note: You will need to replace the IP addresses of the authentication vserver and of the 15Five portal with their respective FQDNs in the above configuration.

Additional Resources

Sample metadata file (signed IDP metadata as produced by an online generator; certificate values not reproduced on this page are marked with XML comments):

    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-03-26T18:16:08Z" cacheDuration="PT1490984168S" entityID="https://52.52.222.47" ID="pfx21f1ed73-493a-813b-e96b-30388944b5cb">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#pfx21f1ed73-493a-813b-e96b-30388944b5cb">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>5zN1byr3OHd1UdlNbaysKM3y4WI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>OH4di2pOi3mzhvvY1MuiB0b1J/X9xNe0KbKtKAW/kl46UjToRGyk+QTQmPiPvckt3AVdl+dgxauTd+6PV5O/78Xu4EFNalQG1bcYuK5kiIyVrzIFy7rF9qeya7h3hzRLg7684nCqa8I5MCYQNxiITPrfzawmyOScYVMlUavrY+8=</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate><!-- certificate not reproduced on this page --></ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate><!-- certificate not reproduced on this page --></ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>MIIEozCCA4ugAwIBAgITFAAAAGuSfMR7erUkXwAAAAAAazANBgkqhkiG9w0BAQsFADBEMRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFYWFhdG0xFjAUBgNVBAMTDWFhYXRtLURDLUNBLTEwHhcNMTYwODE3MTczNTU0WhcNMTgwODE3MTczNTU0WjBBMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExDzANBgNVBAoTBmNpdHJpeDEUMBIGA1UEAxQLKi5hYWF0bS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANvuGYCZAQffFo7sNnCGxijR6jw09dXgweTKrWz1jFAnk7GHtfwFAjI6Zsk0w8jccAEjOZGSWUG5o94jkpJaBOTuQsWnJG34yWzsFHWB0FPaeFJJPiFcIeR7C9njBO5WCAW/RWvF4HnlKP0xLEUoQp0iRYAnMghz91/gAqQXDxIpAgMBAAGjggITMIICDzAdBgNVHQ4EFgQUkwvNJv7BwCCWIlFQ49h8v4F5ZUwwHwYDVR0jBBgwFoAUtbW2oDPhH2FTPvArzMR229IGyVEwgcQGA1UdHwSBvDCBuTCBtqCBs6CBsIaBrWxkYXA6Ly8vQ049YWFhdG0tREMtQ0EtMSxDTj1kYyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hYWF0bSxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NOPWFhYXRtLURDLUNBLTEsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWFhdG0sREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQA5Ygei9BHPBC5CHdbWgVWni8ynZr+7cRtdhhDoUv2nDwbyUkYHq4KWxEampLCe+/KYvPYcbEPfghbigiPxMdCAD8oNTyhNDovuT/dg7Dmdhp3OuXRuwifRZyi/1lZSJe1b1Zv61nbOCqXyZVykmArIGHxulbG6qmd+7nmsbDpInNpX8pRmldXKFa7kyLm83G0LIpY/4v4OWwTvKUfAw08irxSGQvmeBpiXPxKrcHQxM6IJI9QEvDcOcBsRffSJ8NdPbLlnZimud/peUAAYZwSSa/yng7GrkRKcwO90NlEbaLocsuknmDhciJ7vKNoZd/q3Hc1u7EsQk/fbGxGHHfUR</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://52.52.222.47/cgi/tmlogout"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://52.52.222.47/saml/login"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
