SAML Authentication Fails on NetScaler ADC After Azure AD Certificate Rotation

Article ID: CTX696606

Description

This issue occurs because the Identity Provider (IdP) signing certificate has been rotated in Azure AD (Entra ID), but the NetScaler ADC configuration still references the previous certificate.

Key factors:

  • NetScaler ADC verifies the signature on each SAML assertion with the locally stored IdP certificate referenced by the SAML Action (-samlIdPCertName).
  • When Azure rotates its signing certificate:
    • SAML assertions are signed with the new private key
    • NetScaler continues verifying with the public key of the previous (superseded, and possibly expired) certificate
  • The signature does not verify, so NetScaler rejects the assertion

Additionally:

  • The Metadata URL configured in the SAML Action is not dynamically polled
  • NetScaler does not automatically update or replace the IdP certificate when it changes at the IdP

Environment

This article is intended for guidance only. Ensure that configuration changes are validated in a test environment before applying them to production systems.

Cause

Background

During initial configuration:

  • The SAML Action may have been created using a Metadata URL
  • NetScaler retrieves the metadata XML and imports the IdP certificate
  • A local certificate object is created and used for ongoing validation

This configuration works as long as the certificate remains unchanged.

However:

  • The Metadata URL acts as a setup mechanism only
  • It does not provide continuous synchronization of certificate updates
  • Any certificate rotation on Azure requires manual intervention on NetScaler

Resolution

Option 1: Manually Update the IdP Certificate

Perform the following steps:

  1. Download the latest Azure AD SAML signing certificate from the Azure portal (Enterprise applications > the application > Single sign-on > SAML Certificates; the Certificate (Base64) download is the one to install)
  2. Install the certificate on NetScaler ADC:
    • Navigate to: Traffic Management > SSL > Certificates
    • Upload and install the new certificate as a certificate-only object (no private key is needed; NetScaler only uses its public key to verify signatures)
  3. Update the SAML Action to reference the new certificate:
    set authentication samlAction <ActionName> -samlIdPCertName <NewCertName>
    
  4. Save the configuration:
    save config
    

Option 2: Re-import IdP Metadata

Alternatively, refresh the configuration from the IdP's metadata:

  • Re-import the IdP metadata XML (downloaded from the Azure portal, or fetched from the Metadata URL) via GUI or CLI
  • This updates:
    • IdP certificate
    • Endpoints and configuration parameters
  • Verify afterwards that the SAML Action references the new certificate; the import is a one-time operation and will not track later rotations either

Issue/Introduction

After a certificate update or rotation in Azure AD (Entra ID), users may experience SAML authentication failures when accessing applications through NetScaler ADC.

Common symptoms include:

  • Authentication failure with error:
    • “SAML Assertion failed”
  • Users are unable to log in via SAML
  • No changes were made on NetScaler ADC before the issue appeared

Additional Information

Best Practices

  • Monitor Azure AD signing certificate expiration timelines
  • Plan proactive updates before certificate rotation
  • Include certificate validation checks as part of change management
  • Periodically re-import metadata to maintain configuration alignment
  • Validate authentication flows after any IdP-side changes
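The following script is an added example for the Description section above (NetScaler verifies assertions with a locally stored copy of the IdP certificate) and for the best practice of building certificate validation checks into change management. It is not code from the original article or from Citrix. It reads IdP federation metadata, extracts every signing certificate, and compares SHA-256 fingerprints against the certificate installed on NetScaler and referenced by the SAML Action's -samlIdPCertName. It goes slightly beyond the article in distinguishing a rollover that the IdP has already announced (more than one signing certificate published in metadata) from an outright mismatch. Standard library only; the certificate bodies, the entity ID and the metadata document are constructed placeholders rather than real Azure output. In practice you would fetch the metadata from the application's federation metadata URL and copy the installed certificate file from /nsconfig/ssl on the NetScaler.

```python
"""Check whether the IdP signing certificate NetScaler verifies SAML assertions
with still matches what the IdP publishes in its federation metadata.

Added example, stdlib only. The certificates below are constructed placeholder
byte strings standing in for DER-encoded X.509 data; the comparison is on
SHA-256 fingerprints of the DER bytes, which is how real ones are compared.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for two Azure signing certificates and one encryption certificate.
OLD_SIGNING_DER = b"constructed-der: azure signing cert, issued 2023"
NEW_SIGNING_DER = b"constructed-der: azure signing cert, issued 2025"
ENCRYPTION_DER = b"constructed-der: azure encryption cert"


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Wrap DER bytes as a PEM file, the form installed on NetScaler."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    body = "".join(ln.strip() for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def metadata_xml(signing_ders, encryption_der=None):
    """Build a minimal IdP metadata document, one KeyDescriptor per certificate
    (constructed to mirror the shape of Azure AD federation metadata)."""
    def key_descriptor(use, der):
        b64 = base64.b64encode(der).decode()
        return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{NS["ds"]}">'
                f"<X509Data><X509Certificate>{b64}</X509Certificate></X509Data>"
                "</KeyInfo></KeyDescriptor>")
    parts = [key_descriptor("signing", d) for d in signing_ders]
    if encryption_der:
        parts.append(key_descriptor("encryption", encryption_der))
    return (f'<EntityDescriptor xmlns="{NS["md"]}" entityID="https://sts.windows.net/tenant-id/">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(parts) + "</IDPSSODescriptor></EntityDescriptor>")


def published_signing_certs(xml_text):
    """DER bytes of every certificate the IdP may sign with. A KeyDescriptor with
    no 'use' attribute covers both signing and encryption, so it is kept;
    use="encryption" never signs assertions and is skipped."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def check_alignment(xml_text, netscaler_cert_pem):
    """Compare the certificate bound via -samlIdPCertName against IdP metadata."""
    published = [fingerprint(d) for d in published_signing_certs(xml_text)]
    bound = fingerprint(pem_to_der(netscaler_cert_pem))
    if bound not in published:
        status = "MISMATCH"          # assertions are signed with a key NetScaler cannot verify
    elif len(published) > 1:
        status = "ROLLOVER_PENDING"  # successor already published; update before the IdP cuts over
    else:
        status = "OK"
    return {"status": status, "bound": bound, "published": published}


if __name__ == "__main__":
    bound_pem = to_pem(OLD_SIGNING_DER)
    scenarios = [
        ("before rotation", metadata_xml([OLD_SIGNING_DER], ENCRYPTION_DER)),
        ("rollover in progress", metadata_xml([NEW_SIGNING_DER, OLD_SIGNING_DER], ENCRYPTION_DER)),
        ("after rotation", metadata_xml([NEW_SIGNING_DER], ENCRYPTION_DER)),
    ]
    for label, xml in scenarios:
        result = check_alignment(xml, bound_pem)
        print(f"{label:22s} {result['status']:17s} "
              f"NetScaler={result['bound'][:23]}... IdP publishes {len(result['published'])} signing cert(s)")
```

MISMATCH is the state this article describes ("SAML Assertion failed" with no change on the NetScaler side); ROLLOVER_PENDING is the window in which to run Option 1 or Option 2 before the IdP starts signing with the new certificate. Expiry is deliberately not parsed here; `openssl x509 -noout -enddate -in <file>` on the installed certificate file gives it.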

Additional Information

  • The Metadata URL in NetScaler SAML configuration is intended for initial setup and manual refresh only
  • Automatic certificate updates are not supported
  • Regular validation and maintenance are required to ensure uninterrupted authentication