NetScaler acting as IDP with multiple SPs pointing at the IDP for authentication
Expected user experience
- User logs in to SP-1.
- SP-1 redirects to the IDP (NetScaler) for authentication.
- NetScaler authenticates the user and redirects the user back to SP-1 (logged on).
- For subsequent logons to other SPs, say SP-2 and SP-3, the user should be logged in seamlessly without any authentication prompt (SSO).
This approach also works when the SP uses Redirect Binding, or when, for any other reason, the Referer header or any other information in the HTTP headers is missing and cannot be used to uniquely identify the SP.
Instructions
Prerequisites - An AAA vserver is set up for LDAP / RADIUS authentication and is able to authenticate the users.
AAA VIP configuration can be found here: https://docs.citrix.com/zh-cn/netscaler/11-1/aaa-tm/authentication-virtual-server.html
SAML IDP configuration can be found here: https://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-idp.html
To achieve the stated objective of SSO across multiple SPs, follow the steps below:
1. Create an IDP profile for each SP. Along with the other SP-specific parameters, configure the serviceProviderID field to match the "issuer name" configured on that SP.
2. Create an IDP policy for each SP with the expression "True" and bind it to the IDP profile created in step 1.
3. Bind the IDP policies to the AAA vserver. [Caveat - This binding needs to be done from the CLI; see https://support.citrix.com/article/CTX230267]
From an SP standpoint, each SP should point its redirect URL (IDP URL) to the same FQDN, which should resolve to the NetScaler AAA vserver.
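The three steps above, carried through on the NetScaler CLI for two SPs sharing one AAA vserver. This is an added example, not configuration from the article or from Citrix; every object name, FQDN, certificate name and URL below is an assumed placeholder, and the `#` lines are explanatory comments. The `-rejectUnsignedRequests` setting is an assumption about hardening, not something the article calls for, and it requires the SP's signing certificate to be loaded as `-samlSPCertName`.

```nscli
# Added example, not from the article. All names/FQDNs/certs are placeholders.
# Step 1: one IDP profile per SP. serviceProviderID must equal the Issuer
# value that SP puts in its AuthnRequest, because that is what NetScaler uses
# to pick the profile when the Referer header is absent (e.g. Redirect Binding).
add authentication samlIdPProfile idp_prof_sp1 -samlIdPCertName idp_signing_cert -samlSPCertName sp1_signing_cert -assertionConsumerServiceURL "https://sp1.example.com/saml/acs" -samlIssuerName "https://idp.example.com/saml/idp" -serviceProviderID "https://sp1.example.com/saml/metadata" -audience "https://sp1.example.com/saml/metadata" -nameIDFormat emailAddress -rejectUnsignedRequests ON

add authentication samlIdPProfile idp_prof_sp2 -samlIdPCertName idp_signing_cert -samlSPCertName sp2_signing_cert -assertionConsumerServiceURL "https://sp2.example.com/saml/acs" -samlIssuerName "https://idp.example.com/saml/idp" -serviceProviderID "https://sp2.example.com/saml/metadata" -audience "https://sp2.example.com/saml/metadata" -nameIDFormat emailAddress -rejectUnsignedRequests ON

# Step 2: one IDP policy per SP, expression true, action = that SP's profile.
add authentication samlIdPPolicy idp_pol_sp1 -rule true -action idp_prof_sp1
add authentication samlIdPPolicy idp_pol_sp2 -rule true -action idp_prof_sp2

# Step 3: bind every IDP policy to the same AAA vserver (CLI only, per CTX230267).
bind authentication vserver aaa_vs -policy idp_pol_sp1 -priority 100
bind authentication vserver aaa_vs -policy idp_pol_sp2 -priority 110

# Check that both bindings are present before pointing the SPs at the vserver FQDN.
show authentication vserver aaa_vs
```

Because every policy evaluates to true, profile selection is driven entirely by the `serviceProviderID` match against the Issuer in the incoming request, so a mismatch between that value and the SP's configured issuer name is the first thing to verify when one SP authenticates and another does not. Both SPs point their IDP URL at the single FQDN that resolves to `aaa_vs`, which is what lets the session established for SP-1 satisfy the later requests from SP-2.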