Configuring SAML Authentication from StoreFront to NetScaler
Article ID: CTX263423
Description
This article steps through configuring SAML authentication between StoreFront as the Service Provider (SP) and NetScaler as the Identity Provider (IdP).
Instructions
StoreFront:
1. For the specified Store, enable SAML Authentication under Manage Authentication Methods.
2. Click the dropdown cog icon and select Service Provider.
3. Leave the Export Signing and Export Encryption Certificates blank and use https://sf.example.com/Citrix/SAMLAuth for the SP Identifier.
4. Click Identity Provider on the dropdown and select which type of binding you want to configure. Set the Address to https://saml.idp.vserver/saml/login
5. Click Add and select the Signing Certificate that you will be using from the NetScaler.

NetScaler:
1. Under Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP > Profiles, click Add.
2. You can use the StoreFront metadata link below to auto-configure the NetScaler:
   https://sf.example.com/Citrix/SAMLAuth/SAMLforms/ServiceProvider/metadata
   Alternatively, you can manually configure this with either a POST or REDIRECT setup, as per your StoreFront configuration. For the Assertion Consumer Service URL, use: https://sf.example.com/Citrix/SAMLAuth/SamlForms/AssertionConsumerService
3. Install the Service Provider Certificate on the NetScaler and select it under SP Certificate Name.
4. Use https://sf.example.com/Citrix/SAMLAuth for the Service Provider ID and Audience fields.
   Note: The NetScaler will autofill these in the SAML tokens if left blank, which will cause assertion verification issues on the StoreFront.
5. Select SHA256 for both the Signature Algorithm and Digest Method.
   Note: SAML AuthnRequests from StoreFront will reference the Digest Method as SHA1, but selecting that combination on the IdP profile on NetScaler will cause signature verification issues on StoreFront.
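As an added example that is not part of the Citrix article, the following Python checker inspects a SAML Response for the fields the two notes above concern: Destination and Audience against the StoreFront ACS URL and SP Identifier, and SHA256 for the signature and digest algorithms. The XML samples are constructed and unsigned (StoreFront's real verification also validates the XML signature itself); only the standard SAML 2.0 / XML-DSig names are used.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Values taken from the StoreFront / NetScaler configuration in the article.
SP_ID = "https://sf.example.com/Citrix/SAMLAuth"
ACS_URL = "https://sf.example.com/Citrix/SAMLAuth/SamlForms/AssertionConsumerService"


def check_response(xml_text: str, sp_id: str = SP_ID, acs_url: str = ACS_URL) -> list:
    """Return a list of mismatches; an empty list means the fields line up with the SP."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != sp_id:
        problems.append(f"Audience {getattr(aud, 'text', None)!r} != SP Identifier")
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        problems.append("SignatureMethod is not RSA-SHA256")
    dig = root.find(".//ds:DigestMethod", NS)
    if dig is None or dig.get("Algorithm") != SHA256:
        problems.append("DigestMethod is not SHA256")
    return problems


# Constructed response matching the article's settings (signature value omitted).
GOOD = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
      <ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure case: Audience left for NetScaler to autofill (constructed value)
# and SHA1 chosen as the Digest Method, the two misconfigurations the notes warn about.
BAD = GOOD.replace(f"<saml:Audience>{SP_ID}", "<saml:Audience>https://saml.idp.vserver").replace(SHA256, SHA1)

if __name__ == "__main__":
    print("good:", check_response(GOOD) or "no mismatches")
    print("bad: ", check_response(BAD))
```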