NetScaler as SAML Service Provider on FIPS Device
Article ID: CTX200956
Updated On:
Description
Currently in case of FIPS devices, there is no support for signing of SAML Authentication Requests. The SAML Assertion coming back from IDP itself can be verified for integrity. There is support only for unsigned SAML Authentication request assertions.
Configuration of SAML Action/Policy on NetScaler
Create SAML action/policy as shown and bind it to the corresponding authentication virtual server:
add authentication samlAction shibboleth -samlIdPCertName shib-idp-242 -samlRedirectUrl "https://idp.wi.int/idp/profile/SAML2/POST/SSO" -samlUserField nameid -samlRejectUnsignedAssertion OFF -samlIssuerName nssp.nsi-test.com add authentication samlPolicy shibboleth ns_true shibboleth
Note: If the IDP is also sending unsigned assertion, you need to set -samlRejectUnsignedAssertion to OFF.
Sample Unsigned SAML Auth Request from NetScaler
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://nssp.nsi-test.com/cgi/samlauth"
Destination="https://idp.wi.int/idp/profile/SAML2/POST/SSO"
ID="_31bbb997abb9aa383c42da4996b3ddef"
IssueInstant="2015-03-26T21:07:22Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">nssp.nsi-test.com</saml:Issuer>
</samlp:AuthnRequest>
Sample Unsigned SAML Auth Response from IDP
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nssp.nsi-test.com/cgi/samlauth" ID="_975d8bb8b282deb6ee08e9a8a5c716f8" InResponseTo="_31bbb997abb9aa383c42da4996b3ddef" IssueInstant="2015-03-26T21:07:09.779Z" Version="2.0" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >nssp.nsi-test.com</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5db5a79d40f40cc2d63ebc0a31967ad3" IssueInstant="2015-03-26T21:07:09.779Z" Version="2.0" > <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssp.nsi-test.com</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="nssp.nsi-test.com" >_70d797f41b27d1386a628201650edfd1</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData Address="10.252.121.96" InResponseTo="_31bbb997abb9aa383c42da4996b3ddef" NotOnOrAfter="2015-03-26T21:12:09.779Z" Recipient="https://nssp.nsi-test.com/cgi/samlauth" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2015-03-26T21:07:09.779Z" NotOnOrAfter="2015-03-26T21:12:09.779Z" > <saml2:AudienceRestriction> <saml2:Audience>nssp.nsi-test.com</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2015-03-26T21:07:09.760Z" SessionIndex="_943ff49f15bb92511d233f1a85bab52a" > <saml2:SubjectLocality Address="10.252.121.96" /> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="streetAddress" Name="urn:oid:2.5.4.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >1.citrix</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>
Environment
The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.
Issue/Introduction
This article describes the configuration and limitations of NetScaler as SAML Service Provider on a FIPS device.
Was this article helpful?
Yes
No
Powered by
