To Cofigure ADC to perform IDP Initiated SAML Authentication to the SP.

Instructions

In order for Netscaler to initiate SAML as IDP the Netscaler needs to be configured with a SAML SSO Traffic Policy.  Regular SAML IDP policies are intended for SP Initiated SAML.  In this configuration there is no property to configure the location of the SP, and therefore only works when SP has initiated SAML already and provided a redirect back to itself.

The problem arises in triggering the Traffic Policy to hit after authentication.  There are 2 ways to do this currently.

1. Create a TCP load balancer with a dummy service.  Some service that would be normally down like 1.2.3.4 on any port.  Disable the monitor so the service is up.  This service will be used to authenticate and trigger the traffic policy.  The user will never attempt to access the service.
2. Use a Netscaler Gateway Vserver to enumerate bookmarks via CVPN.  The bookmarks can be created to include a SAML traffic profile which will initiate SAML using the authentication already provided during login to VIP.

NOTE - Using the Gateway Vserver method the user will be presented with a bookmark that they will need to click on before getting to the SP.  This is an extra step that most would not desire.  However, it allows for multiple different SP's to be configured on the ADC for SAML IDP Initiated login as opposed to the Load Balancer which will only use a single SP.

Load Balancer Method:

Create a TCP load balancer and apply a service that would not be accessible normally.  Any fake IP/Port can be used because we will not be accessing this service.

Next apply authentication to the load balancer.  You can use 401 or forms based.  This is typical AAA auth and you can configure this however you please.  On the AAA you can use any authentication that suits your needs.

On the load balancer, you need to configure a traffic policy to with a "true" policy expression.  Use SAML SSO action type and configure this the same way you would SAML IDP. 

With this configuration, the user will navigate to the IDP FQDN which will configure dns/routing to point to the load balancer.  From here the user will either be directly prompted if 401 auth is configured or redirected to the AAA vserver if forms based is used.  After logging in here (typically LDAP and/or Radius), the user will be redirected back to the Load Balancer where the traffic policy will be triggered.  Now the SSO will kick in and the user along with the SAML Assertion will be sent to the SP and access will be granted.

Gateway Vserver Method:

Create a Gateway Vserver and apply authentication either via basic or Advanced.  Use whatever authentication suits you.  Next create a session profile configured for CVPN.  No CVPN domains need to be set only the session profile needs to be configured to use CVPN.  Next create a bookmark for your SP destination.  On this bookmark you will apply a SAML SSO profile as part of the bookmark.

The user will hit the Gateway Virtual Server first and login.  Afterwards they will be presented with the ADC CVPN page with their bookmark.  Once clicked the user will be sent to that page and will have left the ADC completely.

SAML SSO Configuration - https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/saml-sign-sign-on.html

CVPN Configuration - https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/cvpn-overview.html

AAA Configuration - https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/authentication-virtual-server.html