How To Deploy NetScaler as Both OAuth SP and IdP

Article ID: CTX234873

Description

Deploying NetScaler as both an OAuth Service Provider (SP) and an OpenID Connect Identity Provider (IdP), also called the OpenID authenticator.
The two roles can run on the same NetScaler or on two separate appliances.


Instructions

1. Start by setting up DNS entries for the SP and IdP URLs. This example uses self-describing names so the roles are easy to follow. These are the DNS resolutions used throughout:
Service Provider: oauth-sp.tg.local -> 192.168.2.242
Identity Provider: oauth-idp.tg.local -> 192.168.2.243
NetScaler HTTPS vserver (the protected application): php2.tg.local -> 192.168.2.227

2. Ensure your test PC can resolve all three DNS names. The pings do not have to succeed yet, because the vservers are not configured; you are only checking name resolution:
ping oauth-sp.tg.local
ping oauth-idp.tg.local
ping php2.tg.local

3. From the NetScaler CLI, ensure the NetScaler itself can resolve all three DNS names (it needs to reach the IdP endpoints by name). Again, the pings do not have to succeed yet:
ping oauth-sp.tg.local
ping oauth-idp.tg.local
ping php2.tg.local

4. Configure the OAuth SP Action and Policy:
add authentication OAuthAction oauth_sp_act -authorizationEndpoint "https://oauth-idp.tg.local/oauth/idp/login?response_type=code&scope=openid&client_id=22332244" -tokenEndpoint "https://oauth-idp.tg.local/oauth/idp/token" -clientID 22332244 -clientSecret mySecret -CertEndpoint "https://oauth-idp.tg.local/oauth/idp/certs" -audience oauth-idp.tg.local
add authentication Policy oauth_sp_pol -rule true -action oauth_sp_act
NOTES:
The authorizationEndpoint must be the full URL shown above (FQDN/oauth/idp/login?response_type=code&scope=openid&client_id=...), not just the FQDN. Change the FQDN to match your IdP and set client_id to your client ID. It points to the IdP's login endpoint.
The tokenEndpoint must be the full URL shown above; change only the FQDN to match your environment. It points to the IdP's token endpoint.
The CertEndpoint must be the full URL shown above; change only the FQDN to match your environment. It points to the IdP's certificate (signing key) endpoint, which the SP uses to verify the token signature.
The clientID must match the clientID in the IdP profile and the client_id in the authorizationEndpoint URL.
The clientSecret is stored encrypted; after you enter it, the running configuration shows only the encrypted value, not the plaintext.
The audience is the FQDN of the IdP.

5. Configure your OAuth SP AAA Vserver:
add authentication vserver oauth-sp.tg.local SSL 192.168.2.242 443
bind authentication vserver oauth-sp.tg.local -policy oauth_sp_pol -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver oauth-sp.tg.local -certkeyName wildcardsan.tg.local-20171209

6. Configure the OAuth IdP Profile and Policy:
add authentication OAuthIDPProfile oauth_idp_act -clientID 22332244 -clientSecret mySecret -redirectURL "https://oauth-sp.tg.local/oauth/login" -audience oauth-idp.tg.local
add authentication OAuthIdPPolicy oauth_idp_pol -rule true -action oauth_idp_act
NOTES:

The redirectURL points to the service provider and must be the full URL, FQDN/oauth/login, not just the FQDN. Use http or https to match the type of the SP AAA vserver.
The audience is the FQDN of the IdP.
The clientID must match the clientID in the SP action and the client_id in the SP's authorizationEndpoint URL.
The clientSecret must match the SP action's clientSecret. It is stored encrypted; the running configuration shows only the encrypted value.

7. Configure the OAuth IdP AAA Vserver:
add authentication vserver oauth-idp.tg.local SSL 192.168.2.243 443
bind authentication vserver oauth-idp.tg.local -policy ldap_policy -priority 100
bind authentication vserver oauth-idp.tg.local -policy oauth_idp_pol -priority 5 -gotoPriorityExpression END
bind ssl vserver oauth-idp.tg.local -certkeyName wildcardsan.tg.local-20171209
NOTE:

The second bind attaches a standard LDAP policy to the IdP authentication vserver; it is what validates the user's credentials. Replace ldap_policy with the name of your existing LDAP authentication policy. The OAuth IdP policy is bound at priority 5 (a lower number is evaluated first), so the IdP logic runs before the LDAP credential check.

8. Add an Authentication Profile and setup the LB Vserver for authentication:
add authentication authnProfile oauth_sp_profile -authnVsName oauth-sp.tg.local -AuthenticationHost oauth-sp.tg.local
add lb vserver php2.tg.local SSL 192.168.2.227 443 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile oauth_sp_profile
bind lb vserver php2.tg.local s1-http
bind ssl vserver php2.tg.local -certkeyName wildcardsan.tg.local-20171209
NOTES:
authnVsName is the name of the SP AAA Vserver
AuthenticationHost is the FQDN of the SP AAA Vserver
 
9. Bind the certkey pair used to sign the JSON Web Token. This is required for signing the token; without it the IdP cannot sign, the SP will not trust the token, and authentication fails.
bind vpn global -certkeyName wildcardsan.tg.local-20171209
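Before testing, it helps to cross-check the commands from steps 4 to 7 for the mismatches that surface later as "Internal Server Error 43549" or "Target URL not found". The following Python script is an added example written for this article, not NetScaler code or a Citrix tool: it parses the "add authentication" lines exactly as they appear above and reports any inconsistency between the SP action, the IdP profile and the AAA vservers. It assumes, as this article does, that each AAA vserver is named after its FQDN, and it compares client secrets as typed (in a saved ns.conf the secrets appear encrypted and cannot be compared this way). check_config also accepts your own running-config extract.

```python
"""Cross-check the OAuth SP action, IdP profile and AAA vservers from steps 4-7
for the mismatches the Troubleshooting section lists.  Added example, not
NetScaler code.  Assumes (as the article does) that AAA vservers are named
after their FQDN, and compares client secrets as typed."""
import re
import shlex
from urllib.parse import urlsplit, parse_qs

# Constructed input: the 'add authentication' lines from steps 4-7, verbatim.
SAMPLE_CONFIG = r'''
add authentication OAuthAction oauth_sp_act -authorizationEndpoint "https://oauth-idp.tg.local/oauth/idp/login?response_type=code&scope=openid&client_id=22332244" -tokenEndpoint "https://oauth-idp.tg.local/oauth/idp/token" -clientID 22332244 -clientSecret mySecret -CertEndpoint "https://oauth-idp.tg.local/oauth/idp/certs" -audience oauth-idp.tg.local
add authentication vserver oauth-sp.tg.local SSL 192.168.2.242 443
add authentication OAuthIDPProfile oauth_idp_act -clientID 22332244 -clientSecret mySecret -redirectURL "https://oauth-sp.tg.local/oauth/login" -audience oauth-idp.tg.local
add authentication vserver oauth-idp.tg.local SSL 192.168.2.243 443
'''

# Conservative: the article reports that some special characters break on 12.0-57.24.
SAFE_SECRET = re.compile(r"^[A-Za-z0-9]+$")


def parse_ns_config(text):
    """Map (entity type, name) -> {'-param': value} for 'add authentication' lines.
    A positional token right after the name (e.g. SSL for a vserver) is kept as '_type'."""
    entities = {}
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # shlex honours the double quotes around URLs
        if tokens[:2] != ["add", "authentication"] or len(tokens) < 4:
            continue
        params = {}
        if len(tokens) > 4 and not tokens[4].startswith("-"):
            params["_type"] = tokens[4].upper()
        i = 4
        while i + 1 < len(tokens):
            if tokens[i].startswith("-"):
                params[tokens[i].lower()] = tokens[i + 1]
                i += 2
            else:
                i += 1
        entities[(tokens[2].lower(), tokens[3])] = params
    return entities


def full_https_url(url):
    """True for https://host/some/path; False for a bare FQDN or a missing value."""
    u = urlsplit(url)
    return u.scheme == "https" and bool(u.hostname) and u.path not in ("", "/")


def check_config(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    ent = parse_ns_config(text)
    vservers = {name.lower(): p for (etype, name), p in ent.items() if etype == "vserver"}
    sps = [(n, p) for (t, n), p in ent.items() if t == "oauthaction"]
    idps = [(n, p) for (t, n), p in ent.items() if t == "oauthidpprofile"]
    findings = []

    for sp_name, sp in sps:
        # All three endpoints must be full URLs, not bare FQDNs ("Target URL not found").
        for key in ("-authorizationendpoint", "-tokenendpoint", "-certendpoint"):
            if not full_https_url(sp.get(key, "")):
                findings.append(f"{sp_name}: {key} must be a full https URL with a path, got {sp.get(key)!r}")
        authz = urlsplit(sp.get("-authorizationendpoint", ""))
        q = parse_qs(authz.query)
        if q.get("client_id", [None])[0] != sp.get("-clientid"):
            findings.append(f"{sp_name}: client_id in -authorizationEndpoint differs from -clientID")
        if q.get("response_type", [None])[0] != "code":
            findings.append(f"{sp_name}: -authorizationEndpoint must request response_type=code")
        if "openid" not in q.get("scope", [""])[0].split():
            findings.append(f"{sp_name}: -authorizationEndpoint scope must include openid")
        if sp.get("-audience") != authz.hostname:
            findings.append(f"{sp_name}: -audience should be the IdP FQDN {authz.hostname!r}")
        if authz.hostname and authz.hostname not in vservers:
            findings.append(f"{sp_name}: no AAA vserver named {authz.hostname!r} for the IdP")
        if not SAFE_SECRET.match(sp.get("-clientsecret", "")):
            findings.append(f"{sp_name}: -clientSecret contains characters known to break on 12.0-57.24")

        # SP action and IdP profile must agree on client credentials and audience.
        for idp_name, idp in idps:
            for key in ("-clientid", "-clientsecret", "-audience"):
                if sp.get(key) != idp.get(key):
                    findings.append(f"{sp_name}/{idp_name}: {key} differs between SP action and IdP profile")
            r = urlsplit(idp.get("-redirecturl", ""))
            sp_vs = vservers.get(r.hostname or "")
            if sp_vs is None:
                findings.append(f"{idp_name}: -redirectURL host {r.hostname!r} is not an SP AAA vserver")
            elif r.scheme != ("https" if sp_vs.get("_type") == "SSL" else "http"):
                findings.append(f"{idp_name}: -redirectURL scheme does not match the SP vserver type")
            if r.path != "/oauth/login":  # bare FQDN here gives "Internal Server Error 43549"
                findings.append(f"{idp_name}: -redirectURL must end in /oauth/login, got {idp.get('-redirecturl')!r}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Paste the relevant "add authentication" lines from "show ns runningConfig" into SAMPLE_CONFIG (re-entering the secrets in plaintext) to lint a real deployment.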


To Configure OAuth SSO Between Citrix ADC and Backend Server:

When the backend server also consumes the OAuth token (that is, both Citrix ADC and the backend act as OAuth SPs), add a traffic action with SSO enabled, wrap it in a traffic policy, and bind that policy to the load-balancing vserver that fronts the backend:

add tm trafficAction OAUTHSSO_TrafficProf -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -forcedTimeoutVal 0

add tm trafficPolicy OAUTHSSO_TrafficPol TRUE OAUTHSSO_TrafficProf

bind lb vserver php2.tg.local -policyName OAUTHSSO_TrafficPol -priority 100 -type REQUEST

NOTE:

The traffic policy is bound to the LB vserver (php2.tg.local in this example), not to the SP AAA vserver: oauth-sp.tg.local is an authentication vserver, so "bind lb vserver" will not accept it. The policy name in the bind must match the trafficPolicy created in the previous command.

Troubleshooting
  • If you are not redirected from the LB vserver to the AAA OAuth login page and instead receive "Internal Server Error 43549", verify the following:
    • The IdP profile's (OAuthIDPProfile) redirectURL is correct, uses the right protocol (http vs https) for the SP vserver, and is the full URL as detailed above, not just the FQDN.
    • The client secret matches on both sides and does NOT contain special characters; some special characters are known to break this as of 12.0-57.24.
  • If you can log in but receive "Target URL not found for redirect after successful login", verify that the SP action's authorizationEndpoint and tokenEndpoint are the full URLs as detailed above, not just the FQDN, and that the client_id in the authorizationEndpoint URL equals the clientID configured in both the SP action and the IdP profile.
  • From the CLI shell, run tail -f /var/log/ns.log and reproduce the error while it is running; the AAATM messages show at which step the flow fails.
  • If ns.log shows "certificate head is empty, cannot sign data", the signing certificate is not bound: perform step 9 (bind vpn global -certkeyName ...) and make sure the certificate chain is properly linked.
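To make the tail -f output actionable, here is a small Python triage script, added as an example for this article (it is not a Citrix tool), that applies the diagnoses above, plus those from the Notes section, to AAATM log lines. The sample log reuses the lines printed in the Notes below, joined back onto single lines, plus one constructed line for the "certificate head is empty" case whose message ID is made up.

```python
"""Triage the AAATM OAuth messages that 'tail -f /var/log/ns.log' shows during
a failed login.  Added example, not Citrix tooling.  SAMPLE_LOG reuses the
lines from this article's Notes section plus one constructed line (message ID
999999 is made up) for the 'certificate head is empty' case."""
import json
import re

SAMPLE_LOG = """\
Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324000 0 :  "OAUTH: successfully verified JWT; Parsing the result {"iss": "netscaler.com", "issued_to":"https://ssltest.frank.repro/oauth/login", "audience": "https://ssltest.frank.repro/oauth/login", "name": "administrator", "expires_in": 3599, "issued_at": 1524959072, "upn": "Administrator@FRANK.REPRO", "unique_name": "Administrator@FRANK.REPRO", "email": "Administrator@frank.repro", "email_verified": true}"
Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324020 0 :  "AAA OAUTH: Issuer mismatched, configured <aaa.frank.repro>, found <netscaler.com>"
Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324021 0 :  "AAATM Error Handler: Found extended error code 1310728, ReqType 16386 request /oauth/login?code=8b8bbcf8298479ab&state=b2F1dGhhY3Q9b2F1dGhfYWN0aW9uX2ludGVybmFsABAG5VoPTwYQdGFyZ2V0PWh0dHBzOi8vc3NsdGVzdC5mcmFuay5yZXByby8%3D, cookie hdr "
Apr 29 00:41:10 <local0.info> 10.90.47.230 28/04/2018:23:41:10 GMT NS-LAB 0-PPE-0 : default AAATM Message 999999 0 :  "OAUTH: certificate head is empty, cannot sign data"
Apr 26 14:29:13 <local0.debug> 10.90.47.229 04/26/2018:10:29:13 GMT FRANKLAB-NS-CONF 0-PPE-0 : default AAATM Message 1350 0 :  "core 0: ns_aaa_oauthidp_get_token_tags: id: , uri: https://ssltest.frank.repro/oauth/login, clientid: 22332244, secret:  "
"""

# Everything after 'AAATM Message <id> <n> :' is the quoted message text.
AAATM = re.compile(r'AAATM Message (?P<msgid>\d+) \d+ :\s+"(?P<text>.*?)"?$')
CLAIMS = re.compile(r"Parsing the result (\{.*\})")

# (pattern, level, advice) in priority order; advice may use the pattern's named groups.
RULES = [
    (re.compile(r"Issuer mismatched, configured <(?P<cfg>[^>]*)>, found <(?P<found>[^>]*)>"),
     "ERROR", "Leave the Issuer field blank: the 12.0 57.x IdP always emits iss={found}, "
              "which cannot match the configured <{cfg}> (Note 1)"),
    (re.compile(r"certificate head is empty, cannot sign data"),
     "ERROR", "No signing certkey bound: perform step 9 (bind vpn global -certkeyName <cert>) "
              "and check that the certificate chain is linked"),
    (re.compile(r"Found extended error code (?P<code>\d+)"),
     "WARN", "AAATM extended error code {code}: read the OAUTH message logged just before it for the cause"),
    (re.compile(r"ns_aaa_oauthidp_get_token_tags: id: (?P<id>[^,]*), uri: (?P<uri>[^,]+), clientid: (?P<cid>[^,]*),"),
     "INFO", "IdP received authorize request client_id={cid} redirect_uri={uri}; both must equal the "
             "OAuthIDPProfile's clientID and redirectURL exactly (Note 3)"),
    (re.compile(r"successfully verified JWT"),
     "INFO", "JWT signature verified; compare the parsed claims with the SP action's audience and issuer"),
]


def triage(log_text):
    """Return one dict per AAATM line: msgid, level, text, diagnosis and, for a verified JWT, its claims."""
    entries = []
    for raw in log_text.splitlines():
        m = AAATM.search(raw.strip())
        if not m:
            continue
        entry = {"msgid": int(m["msgid"]), "text": m["text"], "level": "INFO",
                 "diagnosis": None, "claims": None}
        for pattern, level, advice in RULES:
            hit = pattern.search(entry["text"])
            if hit:
                entry["level"] = level
                entry["diagnosis"] = advice.format(**hit.groupdict())
                break
        claims = CLAIMS.search(entry["text"])
        if claims:
            entry["claims"] = json.loads(claims.group(1))  # the IdP's parsed token claims
        entries.append(entry)
    return entries


def errors(log_text):
    """Just the actionable ERROR diagnoses, in log order."""
    return [e["diagnosis"] for e in triage(log_text) if e["level"] == "ERROR"]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e['level']}] {e['msgid']}: {e['diagnosis'] or e['text'][:80]}")
        if e["claims"]:
            print("        claims:", {k: e["claims"][k] for k in ("iss", "audience", "upn", "expires_in")})
```

Feed it a captured log with, for example, triage(open("/var/log/ns.log").read()); lines that match no rule are still returned so that you can see the full AAATM sequence around an error.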
 

Notes:

1. As of NS 12.0 57.x, the NetScaler acting as OAuth IdP always sets the Issuer (iss) claim to "netscaler.com". If the SP is configured with any other value in its Issuer field, token validation on the SP fails with the "Issuer mismatched" message shown below. Therefore, leave the Issuer field blank.
Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324000 0 :  "OAUTH: successfully verified JWT; Parsing the result {"iss": "netscaler.com", "issued_to":"https://ssltest.frank.repro/oauth/login", "audience": "https://ssltest.frank.repro/oauth/login", "name": "administrator", "expires_in": 3599, "issued_at": 1524959072, "upn": "Administrator@FRANK.REPRO", "unique_name": "Administrator@FRANK.REPRO", "email": "Administrator@frank.repro", "email_verified": true}"

Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324020 0 :  "AAA OAUTH: Issuer mismatched, configured <aaa.frank.repro>, found <netscaler.com>"
Apr 29 00:38:58 <local0.info> 10.90.47.230 28/04/2018:23:38:58 GMT NS-LAB 0-PPE-0 : default AAATM Message 324021 0 :  "AAATM Error Handler: Found extended error code 1310728, ReqType 16386 request /oauth/login?code=8b8bbcf8298479ab&state=b2F1dGhhY3Q9b2F1dGhfYWN0aW9uX2ludGVybmFsABAG5VoPTwYQdGFyZ2V0PWh0dHBzOi8vc3NsdGVzdC5mcmFuay5yZXByby8%3D, cookie hdr "



2. The NetScaler acting as SP can extract attributes from the token since 11.1 55.x / 12.0 51.x.

3. When acting as an OAuth IdP, the NetScaler validates an incoming authorization request by checking that two values match its OAuthIDPProfile:
  1. The configured clientID must match the incoming client_id
  2. The configured redirectURL must match the incoming redirect_uri
The debug line below shows the values the IdP extracted from a request:
Apr 26 14:29:13 <local0.debug> 10.90.47.229 04/26/2018:10:29:13 GMT FRANKLAB-NS-CONF 0-PPE-0 : default AAATM Message 1350 0 :  "core 0: ns_aaa_oauthidp_get_token_tags: id: , uri: https://ssltest.frank.repro/oauth/login, clientid: 22332244, secret:  "
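The two rules in Note 3 and the issuer behaviour in Note 1 are shown below as code. This is an added example written for this article, not NetScaler's implementation: validate_authorize_request applies the clientID and redirectURL checks with exact string comparison (a prefix or substring match would let an attacker supply a redirect_uri on a host they control), and validate_id_token_claims mirrors the SP-side audience, lifetime and optional issuer checks using the claims dictionary from the Note 1 log excerpt. The request URLs are constructed; the assumption that the SP appends redirect_uri and state to the configured authorizationEndpoint URL is consistent with the uri: value the IdP logs above.

```python
"""IdP-side validation of an authorize request (Note 3) and SP-side checks on
a verified id_token's claims (Note 1).  Added example, not NetScaler code.
Assumption: the SP appends redirect_uri and state to the configured
authorizationEndpoint URL, matching the uri: value in the IdP debug log."""
from urllib.parse import urlsplit, parse_qs

# The OAuthIDPProfile values from step 6 of the article.
IDP_PROFILE = {"clientID": "22332244", "redirectURL": "https://oauth-sp.tg.local/oauth/login"}

# Constructed request as the SP would send it to the IdP login endpoint.
GOOD_REQUEST = ("https://oauth-idp.tg.local/oauth/idp/login?response_type=code&scope=openid"
                "&client_id=22332244&redirect_uri=https%3A%2F%2Foauth-sp.tg.local%2Foauth%2Flogin&state=xyz")

# Constructed variants that must all be refused.  On refusal the IdP must show a
# local error and never redirect to the supplied redirect_uri.
BAD_REQUESTS = [
    GOOD_REQUEST.replace("client_id=22332244", "client_id=22332245"),                     # wrong client
    GOOD_REQUEST.replace("oauth-sp.tg.local%2F", "oauth-sp.tg.local.attacker.example%2F"),  # lookalike host
    GOOD_REQUEST.replace("%2Foauth%2Flogin", "%2Foauth%2Flogin%2F..%2Fevil"),              # path suffix
    GOOD_REQUEST.replace("https%3A%2F%2Foauth-sp", "http%3A%2F%2Foauth-sp"),               # downgraded scheme
    GOOD_REQUEST + "&redirect_uri=https%3A%2F%2Fattacker.example%2F",                     # duplicated parameter
    GOOD_REQUEST.replace("response_type=code", "response_type=token"),                     # not the code flow
]


def _single(query, key):
    """Return the parameter only if it appears exactly once; duplicates count as absent."""
    values = query.get(key, [])
    return values[0] if len(values) == 1 else None


def validate_authorize_request(profile, url):
    """Return (accepted, reason).  redirect_uri is compared as an exact string, never by prefix."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if _single(q, "response_type") != "code":
        return False, "response_type must be 'code'"
    if "openid" not in (_single(q, "scope") or "").split():
        return False, "scope must include openid"
    if _single(q, "client_id") != profile["clientID"]:
        return False, "client_id does not match the configured clientID"
    if _single(q, "redirect_uri") != profile["redirectURL"]:
        return False, "redirect_uri does not match the configured redirectURL"
    if not _single(q, "state"):
        # The SP in this article always sends one (see state= in the Note 1 log); it binds the
        # code response back to the SP session.
        return False, "state is missing"
    return True, "ok"


# The claims exactly as the SP logged them in Note 1 (NetScaler's parsed representation).
LOGGED_CLAIMS = {"iss": "netscaler.com", "issued_to": "https://ssltest.frank.repro/oauth/login",
                 "audience": "https://ssltest.frank.repro/oauth/login", "name": "administrator",
                 "expires_in": 3599, "issued_at": 1524959072, "upn": "Administrator@FRANK.REPRO",
                 "unique_name": "Administrator@FRANK.REPRO", "email": "Administrator@frank.repro",
                 "email_verified": True}


def validate_id_token_claims(claims, configured_issuer, expected_audience, now):
    """SP-side checks after signature verification: audience, lifetime and (only if configured) issuer."""
    if claims.get("audience") != expected_audience:
        return False, f"Audience mismatched, configured <{expected_audience}>, found <{claims.get('audience')}>"
    if claims["issued_at"] + claims["expires_in"] <= now:
        return False, "token expired"
    if configured_issuer and claims.get("iss") != configured_issuer:
        # Exactly the Note 1 failure: a 12.0 57.x IdP always emits iss=netscaler.com, so any
        # configured Issuer other than that can never match.  Leaving it blank skips this check.
        return False, f"Issuer mismatched, configured <{configured_issuer}>, found <{claims.get('iss')}>"
    return True, "ok"


if __name__ == "__main__":
    print("good request:", validate_authorize_request(IDP_PROFILE, GOOD_REQUEST))
    for bad in BAD_REQUESTS:
        print("bad request: ", validate_authorize_request(IDP_PROFILE, bad))
    aud = LOGGED_CLAIMS["audience"]
    print("issuer blank:", validate_id_token_claims(LOGGED_CLAIMS, "", aud, LOGGED_CLAIMS["issued_at"] + 60))
    print("issuer set:  ", validate_id_token_claims(LOGGED_CLAIMS, "aaa.frank.repro", aud, LOGGED_CLAIMS["issued_at"] + 60))
```

The duplicated-parameter case matters in practice: if a validator took the first redirect_uri and the redirecting code took the last, the exact-match check would be bypassed, so the example refuses any parameter that appears more than once.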

4. The OAuth IdP endpoints can be retrieved from the discovery document at
https://FQDN/oauth/idp/.well-known/openid-configuration
Any endpoint not listed there is currently unsupported when NetScaler acts as IdP; for example, there is no idtokenDecryptEndpoint in that document, so ID token decryption is not offered.

Issue/Introduction

Since NetScaler 12.0 57.x, the NetScaler can act as both an OAuth SP and an OpenID Connect authentication point (OAuth IdP). This article shows how to configure the NetScaler in both roles.

Additional Information

https://docs.citrix.com/en-us/netscaler/12/aaa-tm/configuring-openid-connect-protocol.html

https://docs.citrix.com/en-us/netscaler/12/aaa-tm/oauth-authentication.html