SUPPORT WIKI : SAML Integration with NetScaler

book

Article ID: CTX228135

calendar_today

Updated On:

Description

Citrix Secure Web Gateway, formerly NetScaler Secure Web Gateway

What is SAML ?

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee

Why SAML ?

The SAML authentication mechanism provides an alternative approach for Authenticating a User belong to a company for one or more service hosted at service provider that hosts a number of applications for the company.
Consider a scenario in which a service provider (LargeProvider) hosts a number of applications for a customer (BigCompany). BigCompany has users that must seamlessly access these applications. In a traditional setup, LargeProvider would need to maintain a database of users of BigCompany.

This raises some concerns for each of the following stakeholders:

LargeProvider must ensure security of user data.
BigCompany must validate the users and keep the user data up-to-date, not just in its own database, but also in the user database maintained by LargeProvider. For example, a user removed from the BigCompany database must also be removed from the LargeProvider database.
A user has to log on individually to each of the hosted applications.

The concerns raised by traditional authentication mechanisms are resolved as follows:

LargeProvider does not have to maintain a database for BigCompany users. Freed from identity management, LargeProvider can concentrate on providing better services.
BigCompany does not bear the burden of making sure the LargeProvider user database is kept in sync with its own user database.
A user can log on once, to one application hosted on LargeProvider, and be automatically logged on to the other applications that are hosted there.

In addition, SAML supports

Cross-Domain Single Sign-On (SSO)
- A user authenticates to one web site (domain) and then is able to access resources at some other web sites (domains)
- In simple words user “Alice” is authenticated at DomainA.com and can access resources at both DomainA.com and DomainB.com
Federated Identity
Attribute based authorization

SAML Terminologies :

SAML SP / Relaying party : Requester Role
SAML IDP / Asserting party : Responder Role
Assertion : Requests and responses
Metadata : Configuration data

SAML Service Provider(SP) :

The SAML Service Provider (SP) is a SAML entity that is deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP).

The SP also validates SAML assertions that are received from the IdP.

SAML Identity Provider(IdP) :

The SAML IdP (Identity Provider) is a SAML entity that is deployed on the customer network. The IdP receives requests from the SAML SP and redirects users to a logon page, where they must enter their credentials. The IdP authenticates these credentials with the user directory (external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP.
The SP validates the token, and the user is then granted access to the requested protected application.

SAML Assertion:

Assertion is a claim, statement, or declaration of fact made by the SAML authority. It’s the information collection by the SAML authority.

Types of Assertions :

Authentication - the user is authenticated by a particular means at a particular time
Authorization - the user was granted or denied access to a specified resource
Attributes -the user is associated with the supplied attributes

Metadata:

Metadata is the configuration data in SP and IDP to know how to communicate to each other which will be in XML standards

Required root Element:

<md:EntityDescriptor> </md:EntityDescriptor>

Required Role Element:

SP: <md:SPSSODescriptor> </md:SPSSODescriptor>
IDP: <md:IDPSSODescriptor> </md:IDPSSODescriptor>
SP: <md:SPSSODescriptor>
1. <md:KeyDescriptor>
2. <md:AssertionConsumerService>
3. <md:AttributeConsumingService>
4. <md:NameIDFormat>

Types of Services :

Assertion Consumer Service : Request URL
Single Logout Service: Logout URL

As Service Provider(SP):

Assertion Consumer path: /cgi/samlauth
Single Logout path: /cgi/tmlogout

As Identity Provider(IdP):

Assertion Consumer Service Path: /saml/login
Single Logout Service: /saml/login

SAML Bindings :

HTTP Redirect Binding
HTTP Post Binding
HTTP Artifact Binding

Web SSO Profiles :

The Web Browser SSO profile supports a variety of options, based on whether the message flows are IdP-initiated or SP-initiated and and whether the IdP pushes SAML assertions to the SP or the SP pulls them from the IdP.
The push approach involves using either HTTP redirects or HTTP POST messages to deliver a SAML message.
The pull approach involves sending a artifact to the receiver, which then uses the artifact to dereference and obtain the related SAML message.

A combination of message flow and binding techniques gives rise to eight different combinations as listed below.

SP Initiated with SAML(Request and Response) Binding as POST
SP Initiated with SAML (Request and Response) Binding as Redirect
SP Initiated with SAML Request as POST and SAML Response as Redirect
SP Initiated with SAML Request as Redirect and SAML Response as POST
IDP Initiated with SAML(Request and Response) Binding as POST
IDP Initiated with SAML (Request and Response) Binding as Redirect
IDP Initiated with SAML Request as POST and SAML Response as Redirect
IDP Initiated with SAML Request as Redirect and SAML Response as POST

SP-Initiated SSO—Request and Response as POST (Refer 1 above) :

In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user’s browser via HTTP POST.

Processing Steps :

1. The user requests access to a protected SP resource. The request is redirected to the federation server to handle authentication.

2. The federation server sends an HTML form back to the browser with a SAML request for authentication from the IdP. The HTML form is automatically posted to the IdP’s SSO service.

3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.

4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

5. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.

SP-Initiated SSO—request as Redirect- Response as POST (Refer 4 above) :

In this scenario, the SP sends an HTTP redirect message to the IdP containing an authentication request. The IdP returns a SAML response with an assertion to the SP via HTTP POST.

Processing Steps :

1. A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.

2. The SP returns an HTTP redirect (code 302 or 303) containing a SAML request for authentication through the user’s browser to the IdP’s SSO service

3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.

4. Additional information about the user Attributes may be retrieved from the user data store for inclusion in the SAML response.

5. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

6. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.

IDP-Initiated SSO—Request and response as POST (refer 5 above) :

In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.

Processing Steps :

1. A user has logged on to the IdP.

2. The user requests access to a protected SP resource. The user is not logged on to the SP site.

3. Optionally, the IdP retrieves attributes from the user data store.

4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.

5. If the signature and assertion are valid, the SP establishes a session for the user and redirects the browser to the target resource.

Netscaler Deployment :

The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP).

When the NetScaler appliance is configured as an SP, all user requests are received by a traffic management virtual server (load balancing or content switching) that is associated with the relevant SAML action.

When the NetScaler appliance is configured as an IdP, all requests are received by an authentication virtual server that is associated with the relevant SAML IdP profile.

Note :

A NetScaler appliance can be used as a SAML SP in a deployment where the SAML IdP is configured either on the appliance or on any external SAML IdP.
A NetScaler appliance can be used as a IdP in a deployment where the SAML SP is configured either on the appliance or on any external SAML SP.

Refer the Docs page below for detailed steps on configuring NetScaler as a SAML IdP or SP.

http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-idp.html
http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-sp.html

Troubleshooting:

NetScaler as SP and IDP:

SP IP: 10.107.165.147
SP FQDN: saml-sp.repro.lab
IDP IP: 10.107.165.150 (AAA VIP)
IDP FQDN: saml-redirect.repro.lab
DNS:
Saml-sp.repro.lab: 10.107.165.147
Saml-redirect.repro.lab: 10.107.165.150

SAML Request and Response in XML format

<samlp:AuthnRequest AssertionConsumerServiceURL="https://saml-sp.repro.lab/cgi/samlauth"
    Destination="https://saml-redirect.repro.lab/saml/login" ForceAuthn="false"
    ID="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:22Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
            <ds:Reference URI="#_59d52136c277a2ae101124b8e40142bf">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                <ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZFGVUSIybolMjQW7zsSeqeCrD/OIoPGY6m1Vi5Gdy4922QQ+k2r1OBXrYX3IqykuRrIYaTg5iPanE0k9Eugv7N/jcmMzGC8tuwYvU/b++F6Cu+A8TEsIebB5quKa+Kj3EFox4WOhQ7uIZV9vmw03hz8797SF5+1fVmRWUfaaWu0yJCu38jNWTNqCxXzU3PzwkgGIJcRqZJ+jCgOb695A4KUpdwuCt8LFNkfTnrYjm+l3P3THJj4Cg==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0BAQsFADBAMRMwEQYKCZImiZPyLGQBGRYDbGFiMRUwEwYKCZImiZPyLGQBGRYFcmVwcm8xEjAQBgNVBAMTCUFEMS1SZXBybzAeFw0xNzA1MjgxODEwMDRaFw0xOTA1MjgxODEwMDRaMG0xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExETAPBgNVBAcTCEJhbmdsb3JlMQ8wDQYDVQQKEwZDaXRyaXgxEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMUCyoucmVwcm8ubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQVtghT53h1Dsw+4utksprnnD12SnkcsgStfGs5NNgC0zKgxbBGyMHnte7shGYZjNqG/BbE4L/AvjGE5LIjrjrVtnpXrrXkTGuF4zqr1CInO4UVHRVNBYSQg0o47SavGO+BVpXf2hsJhf9RoPybzbVuiqOokbh8b7FDQ7qb3N2LybzoEQtXhauPqaaOR8FTv8EvtawVLcNeFrmXkM7uMAKie6VNSI67gYzW/TF4beJklqp9CrA1lLCVxFYuM5gE7I8egJb5Yj0oruGJlMPME018IkMJMz38bdl1uVarrCR0OGzG67Ba3h22+Mw1+SGFU6xJZlFRjt6qIEo1GxXpSfQIDAQABo4ICDDCCAggwHQYDVR0OBBYEFDm8ULXQIl9eQnVDR2sh5pcKJb/TMB8GA1UdIwQYMBaAFD8lH99VTE9/LCuTwcMaVWuk/Rv1MIHBBgNVHR8EgbkwgbYwgbOggbCgga2GgapsZGFwOi8vL0NOPUFEMS1SZXBybyxDTj1BRDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBuQYIKwYBBQUHAQEEgawwgakwgaYGCCsGAQUFBzAChoGZbGRhcDovLy9DTj1BRDEtUmVwcm8sQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQB9TkENUTV6UPUdbi6Xn0ama5ccd1iJdTV4GPaBsyoC/SrrvJCJei7o0ItgpMaEMyCGjqDsKNWtsABSr4Qea8TCIod8QJH2y8SOPVGHkN8kQJumb0Q7dRASaRb53uWs8ci1ajX6LPw/9C1RaR2FW5HdzoCoih1pn7n+GsQ3UcmZJSBHdsA2OE5ftGguhoplpnQmJug5gTubDwTkBZ83CBXF6qQ1f1dPeT4S0PkyB1bzwfPyUudcr8sMWHqbCDIdXGGmi/vVH9reBlC3rp4fOHC2nrlBtx14igheaaeXoaqvo+YFxT0dT5kXYDpXiC3g1X51ZlZ+HSp/Q+sxqKTkiwOn</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</samlp:AuthnRequest>

<samlp:Response Destination="https://saml-sp.repro.lab/cgi/samlauth"
    ID="_e2e1e5204f9131fa8e65f8312b3ba8c8" InResponseTo="_59d52136c277a2ae101124b8e40142bf"
    IssueInstant="2018-01-25T08:55:26Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z"
        Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                <ds:Reference URI="#_19f8b84b58eab7edd2c317a3baf3955">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    <ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL21Jolz2MiM3MTlFfJ+1dmflonXJR1TWpXwMz5KNNCe5IQ7X1q/DoyTndBCK2Kmiky5cxb50ctb5fen5c76c0ht6yJAe9hxr2qZbfqpngba2aR4a1YPShRoeBBaTYiEXoLa7E7ADZt6Nh7piJtdS322Dtbknsj0Ef7LazTPMdr5h2aYPjHtChRoYBvtSPLjf+gSr6ICSHL1O0nxgwqmrRIFct6RLDAwSrSnyVQ/4bjLfxC6rOSp7AD/eVx/Prg+533cElnfRuZHE1IUI60ncCuNnipmoZe3CHT9uMM9ZeOJJOzEmCqSrfA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0BAQsFADBAMRMwEQYKCZImiZPyLGQBGRYDbGFiMRUwEwYKCZImiZPyLGQBGRYFcmVwcm8xEjAQBgNVBAMTCUFEMS1SZXBybzAeFw0xNzA1MjgxODEwMDRaFw0xOTA1MjgxODEwMDRaMG0xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExETAPBgNVBAcTCEJhbmdsb3JlMQ8wDQYDVQQKEwZDaXRyaXgxEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMUCyoucmVwcm8ubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQVtghT53h1Dsw+4utksprnnD12SnkcsgStfGs5NNgC0zKgxbBGyMHnte7shGYZjNqG/BbE4L/AvjGE5LIjrjrVtnpXrrXkTGuF4zqr1CInO4UVHRVNBYSQg0o47SavGO+BVpXf2hsJhf9RoPybzbVuiqOokbh8b7FDQ7qb3N2LybzoEQtXhauPqaaOR8FTv8EvtawVLcNeFrmXkM7uMAKie6VNSI67gYzW/TF4beJklqp9CrA1lLCVxFYuM5gE7I8egJb5Yj0oruGJlMPME018IkMJMz38bdl1uVarrCR0OGzG67Ba3h22+Mw1+SGFU6xJZlFRjt6qIEo1GxXpSfQIDAQABo4ICDDCCAggwHQYDVR0OBBYEFDm8ULXQIl9eQnVDR2sh5pcKJb/TMB8GA1UdIwQYMBaAFD8lH99VTE9/LCuTwcMaVWuk/Rv1MIHBBgNVHR8EgbkwgbYwgbOggbCgga2GgapsZGFwOi8vL0NOPUFEMS1SZXBybyxDTj1BRDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBuQYIKwYBBQUHAQEEgawwgakwgaYGCCsGAQUFBzAChoGZbGRhcDovLy9DTj1BRDEtUmVwcm8sQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9cmVwcm8sREM9bGFiP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQB9TkENUTV6UPUdbi6Xn0ama5ccd1iJdTV4GPaBsyoC/SrrvJCJei7o0ItgpMaEMyCGjqDsKNWtsABSr4Qea8TCIod8QJH2y8SOPVGHkN8kQJumb0Q7dRASaRb53uWs8ci1ajX6LPw/9C1RaR2FW5HdzoCoih1pn7n+GsQ3UcmZJSBHdsA2OE5ftGguhoplpnQmJug5gTubDwTkBZ83CBXF6qQ1f1dPeT4S0PkyB1bzwfPyUudcr8sMWHqbCDIdXGGmi/vVH9reBlC3rp4fOHC2nrlBtx14igheaaeXoaqvo+YFxT0dT5kXYDpXiC3g1X51ZlZ+HSp/Q+sxqKTkiwOn</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf"
                    NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"></saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://saml-sp.repro.lab</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2018-01-25T08:55:26Z"
            SessionIndex="NSC_TMAAbf20316539bb57cf3c1ee224821b4f4e">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

Packet capture :

Req 1 to the LB VIP :

Netscaler will reset the cookies and in the form action we see the redirect URL as IDP URL with SAML Request

Req 2 to AAA VIP:

Once the SAML request is validated against the parameters it will redirect to /tmindex.html if it is configured on AAA VIP.

Req 3 to SP LB VIP:

User post the SAML response after user is validated against LDAP. After the validation of assertion, it will redirect back to the original request received to LB along with the Set-Cookie Value which set during the authentication

Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643589 0 : "AAATM Login: created session for <admin1> with cookie: <c4dc31027d74b30718142fa0691e4dc9>"

Counters during the success response:

root@NetScaler# nsconmsg -g saml -d current
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS12.0: Build 53.13.nc, Date: Sep 22 2017, 08:43:05

reltime:mili second between two records Thu Jan 25 14:25:22 2018
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
      0   21006              5          1        0 aaa_samlidp_tot_authnreq_succ
      1    7000              3          1        0 aaa_samlidp_tot_post_assertion

Ns.log:

Jan 25 14:25:03 <local0.info> 10.107.165.140 01/25/2018:08:55:03 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643310 0 :  User nsroot - Remote_ip 10.100.6.80 - Command "stop nstrace" - Status "Success"
Jan 25 14:25:04 <local0.info> 10.107.165.140 01/25/2018:08:55:04 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643314 0 :  netScalerConfigChange (nsUserName = "nsroot", configurationCmd = "stop nstrace", authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)
Jan 25 14:25:05 <local0.warn> NetScaler nstraceaggregator: removing old directory : [/var/nstrace/28Dec2017_19_34_40]
Jan 25 14:25:06 <local0.info> 10.107.165.140 01/25/2018:08:55:06 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643324 0 :  User nsroot - Remote_ip 10.100.6.80 - Command "start nstrace -nf 24 -time 3600 -size 0 -mode TXB NEW_RX -perNIC DISABLED -link DISABLED -filesize 1024 -doruntimecleanup ENABLED -traceBuffers 5000 -skipRPC DISABLED -skipLocalSSH DISABLED -capsslkeys ENABLED -capdroppkt ENABLED -inMemoryTrace DISABLED" - Status "Success"
Jan 25 14:25:06 <local0.info> 10.107.165.140 01/25/2018:08:55:06 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643325 0 :  netScalerConfigChange (nsUserName = "nsroot", configurationCmd = "start nstrace -nf 24 -time 3600 -size 0 -mode ...", authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643408 0 :  SPCBId 21868 - ClientIP 10.100.6.80 - ClientPort 2815 - VserverServiceIP 10.107.165.147 - VserverServicePort 443 - ClientVersion TLSv1.1 - CipherSuite "AES-256-CBC-SHA TLSv1.1 Non-Export 256-bit" - Session New  - HandshakeTime 5 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643409 0 :  "SAML: AuthnReq POST, Algorithm SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_59d52136c277a2ae101124b8e40142bf"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643410 0 :  "SAML: AuthnReq POST, Signature Element computed 3063 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_59d52136c277a2ae101124b8e40142bf"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZF
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643412 0 :  SPCBId 21874 - ClientIP 10.100.6.80 - ClientPort 2816 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 4 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643413 0 :  "ns_aaa_saml_parse_authn_request: AuthnReq start tag seen, following data  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://saml-sp.rep "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643414 0 :  "ns_aaa_saml_parse_authn_request: Issuer tag seen, remaining data /saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Canonica "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643415 0 :  "SAMLIDP: ParseAuthnReq: signature method seen is 4"
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643416 0 :  "SAMLIDP: ParseAuthnReq: digest method seen is SHA1"
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643417 0 :  "ns_aaa_saml_parse_authn_request: Digestmethod tag seen, remaining data  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wEl "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643418 0 :  "ns_aaa_saml_parse_authn_request: SignedInfo tag end seen, remaining data <ds:SignatureValue>Cz16jWx1fAurnpoPIbcPNstp9m1sbluIZ2EZFr0X3BOSS8HW3HhVwy7ctc/MTqN33mAWyDJQXqjgrLQYXi/yPPV3KEn9KJ5pJZFGVUSIybolMjQW7zsSeqeCrD/OIoPGY6m1Vi5Gdy4922QQ+k2r1OBXrYX3IqykuRrIYaTg5iPanE0k9Eugv7N/jcmMzGC8tuwYvU/b++F6Cu+A8TEsIebB5quKa+Kj3EFox4WOhQ7uIZV9vmw03hz8797SF5+1fVmRWUfaaWu0yJCu38jNWTNqCxXzU3PzwkgGIJcRqZJ+jCgOb695A4KUpdwuCt8LFNkfTnrYjm+l3P3THJj4Cg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0BAQsFADBAMRMwEQYKCZImiZPyLGQBGRYDbGFiMRUwEwYKCZImiZPyLGQBGRYFcmVwcm8xEjAQBgNVBAMTCUFEMS1SZXBybzAeFw0xNzA1MjgxODEwMDRaFw0xOTA1MjgxODEwMDRaMG0xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExETAPBgNVBAcTCEJhbmdsb3JlMQ8wDQYDVQQKEwZDaXRyaXgxEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMUCyoucmVwcm8ubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQVtghT53h1Dsw+4utksprnnD12SnkcsgStfGs5NNgC0zK
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643419 0 :  "ns_aaa_saml_parse_authn_request: SignatureValue tag seen, remaining data /ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+ "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643420 0 :  "ns_aaa_saml_parse_authn_request: Signature tag end seen, remaining data </samlp:AuthnRequest> "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643421 0 :  "ns_aaa_saml_parse_authn_request: AuthnReq end tag seen "
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643422 0 :  "SAML verify digest: digest algorithm SHA1, input for digest: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://saml-sp.repro.lab/cgi/samlauth" Destination="https://saml-redirect.repro.lab/saml/login" ForceAuthn="false" ID="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:22Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://netscaler.repro.lab</saml:Issuer></samlp:AuthnRequest>"
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default AAATM Message 14643423 0 :  "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_59d52136c277a2ae101124b8e40142bf"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>a9vyrR0Qbn3wElZJTxLZMiN90QI=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643425 0 :  SPCBId 21873 - ClientIP 10.100.6.80 - ClientPort 2817 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 3 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643434 0 :  SPCBId 21875 - ClientIP 10.100.6.80 - ClientPort 2818 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 5 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643437 0 :  SPCBId 21872 - ClientIP 10.100.6.80 - ClientPort 2819 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 6 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643439 0 :  SPCBId 21871 - ClientIP 10.100.6.80 - ClientPort 2820 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 7 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643472 0 :  SPCBId 21870 - ClientIP 10.100.6.80 - ClientPort 2821 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 5 ms
Jan 25 14:25:22 <local0.debug> 10.107.165.140 01/25/2018:08:55:22 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643474 0 :  SPCBId 21869 - ClientIP 10.100.6.80 - ClientPort 2822 - VserverServiceIP 10.107.165.150 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New  - HandshakeTime 6 ms
Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643546 0 :  "ns_aaa_advance_authn_policyeval: copying policylabel name Saml-IDP-Vserver to aaa info, type 33 for auth "
Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643547 0 :  "aaad_advance_authnpolicy_handler: epa_action_head = 0x2a53da80 "
Jan 25 14:25:23 <local0.debug> 10.107.165.140 01/25/2018:08:55:23 GMT NetScaler 0-PPE-0 : default AAATM Message 14643548 0 :  "LoginSchema policyeval did not return an active policy"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643577 0 :  "core 0: ns_get_username_password: loginschema gleaned is default "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643578 0 :  "ns_aaa_advance_authn_policyeval: copying policylabel name Saml-IDP-Vserver to aaa info, type 33 for auth "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643579 0 :  "aaad_advance_authnpolicy_handler: epa_action_head = 0x2a53da80 "
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAA Message 14643580 0 :  "(0-594) send_authenticate_pdu: Sending Preamble"
Jan 25 14:25:26 <local0.notice> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAA Message 14643581 0 :  "(0-594): Reply Received"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643582 0 :  "(0-594) Authentication succeeded, current factor: Saml-IDP-Vserver, for user: admin1 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643583 0 :  "SAMLIDP: Checking whether current flow is SAML IdP flow, input U2FtbF9JRFBfUHJvZmlsZQBJRD1fNTlkNTIxMzZjMjc3YTJhZTEwMTEyNGI4ZTQwMTQyYmYmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTmhiV3d0VTFBQVlVaFNNR05JVFRaTWVUbDZXVmN4YzB4WVRuZE1ia3BzWTBoS2RreHRlR2haYVRodFdUTk9lVnBxTURCTk1sa3dUMVJuZWxwRVNURlpWRUp0VFZSRk5BPT0="
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643584 0 :  "SAMLIDP: LOGIN SUCCESS; Core <0>, Logout url is not configured in action <Saml_IDP_Profile> not enabling single logout for user <admin1>"
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM LOGIN 14643585 0 : Context admin1@10.100.6.80 - SessionId: 238- User admin1 - Client_ip 10.100.6.80 - Nat_ip "Mapped Ip" - Vserver 10.107.165.150:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" - Group(s) "N/A"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643586 0 :  "In tmsession_adv_policyeval : pcount = 2"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643587 0 :  "In tmsession_adv_policyeval : Calling action-trigger for policy = Dummy_Domain"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643588 0 :  "In tmsession_adv_policyeval : Calling action-trigger for policy = SETTMSESSPARAMS_ADV_POL"
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643589 0 :  "AAATM Login: created session for <admin1> with cookie: <c4dc31027d74b30718142fa0691e4dc9>"
 
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643590 0 :  "nFactor: SAMLIDP: Auth complete; sending autopost for reload user: admin1"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643592 0 :  "SAMLIDP: Checking whether current flow is SAML IdP flow, input U2FtbF9JRFBfUHJvZmlsZQBJRD1fNTlkNTIxMzZjMjc3YTJhZTEwMTEyNGI4ZTQwMTQyYmYmYmluZD1wb3N0JmJuTmZjRzlzYVdONVBWTmhiV3d0VTFBQVlVaFNNR05JVFRaTWVUbDZXVmN4YzB4WVRuZE1ia3BzWTBoS2RreHRlR2haYVRodFdUTk9lVnBxTURCTk1sa3dUMVJuZWxwRVNURlpWRUp0VFZSRk5BPT0="
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643593 0 :  "SAML: SendAssertion: Response tag is <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://saml-sp.repro.lab/cgi/samlauth" ID="_e2e1e5204f9131fa8e65f8312b3ba8c8" InResponseTo="_59d52136c277a2ae101124b8e40142bf" IssueInstant="2018-01-25T08:55:26Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status>"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643594 0 :  "SAML: SendAssertion: Assertion tag is <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf" NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z"><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRestriction></saml:Conditio
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643595 0 :  "SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_19f8b84b58eab7edd2c317a3baf3955"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643596 0 :  "SAML: SendAssertion, Signature element is <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_19f8b84b58eab7edd2c317a3baf3955"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL21Jolz2MiM3MTlFfJ+1dmflonXJR1TWpXwMz5KNNCe5IQ7X1q/DoyTndBCK2Kmiky5cxb50ctb5fen
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 14643598 0 :  SPCBId 21867 - ClientIP 10.100.6.80 - ClientPort 2831 - VserverServiceIP 10.107.165.147 - VserverServicePort 443 - ClientVersion TLSv1.1 - CipherSuite "AES-256-CBC-SHA TLSv1.1 Non-Export 256-bit" - Session New  - HandshakeTime 4 ms
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643600 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Assertion xmlns:saml="urn:oasi "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643601 0 :  "ns_aaa_saml_parse_assertion: Parsed Assertion/Response tag remaining data: " IssueInstant="2018-01-25T08:55:26Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643602 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Issuer Format="urn:oasis:names "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643603 0 :  "ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: ssuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Is "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643604 0 :  "parsing end of tag /saml:Issuer><ds:Signature xml "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643605 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Signature xmlns:ds="http://www "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643606 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: SignedInfo><ds:Canonicalizatio "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643607 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: CanonicalizationMethod Algorit "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643608 0 :  "ns_aaa_saml_parse_assertion: Parsed CanonicalizationMethod tag remaining data: http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=" "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643609 0 :  "parsing end of tag /ds:CanonicalizationMethod><ds "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643610 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: SignatureMethod Algorithm="htt "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643611 0 :  "ns_aaa_saml_parse_assertion: Parsed SignatureMethod tag remaining data: http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_19f8b84b58eab7 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643612 0 :  "parsing end of tag /ds:SignatureMethod><ds:Refere "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643613 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Reference URI="#_19f8b84b58eab "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643614 0 :  "ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: eference URI="#_19f8b84b58eab7edd2c317a3baf3955"><ds:Transforms><ds:Transform Algorithm="http://www. "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643615 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Transforms><ds:Transform Algor "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643616 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Transform Algorithm="http://ww "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643617 0 :  "ns_aaa_saml_parse_assertion: Parsed Transforms tag remaining data:  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algo "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643618 0 :  "parsing end of tag /ds:Transform><ds:Transform Al "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643619 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Transform Algorithm="http://ww "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643620 0 :  "ns_aaa_saml_parse_assertion: Parsed Transforms tag remaining data:  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643621 0 :  "parsing end of tag /ds:Transform></ds:Transforms> "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643622 0 :  "parsing end of tag /ds:Transforms><ds:DigestMetho "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643623 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: DigestMethod Algorithm="http:/ "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643624 0 :  "ns_aaa_saml_parse_assertion: Parsed DigestMethod tag remaining data:  Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643625 0 :  "parsing end of tag /ds:DigestMethod><ds:DigestVal "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643626 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: DigestValue>w9lrTkLx6kB1a3qAJa "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643627 0 :  "ns_aaa_saml_parse_assertion: Parsed DigestValue tag remaining data: /ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XauLGQnxsSkLMm5SsyRPX0LAHu0ocmFPL2 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643628 0 :  "parsing end of tag /ds:Reference></ds:SignedInfo> "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643629 0 :  "parsing end of tag /ds:SignedInfo><ds:SignatureVa "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643630 0 :  "signedInfo end tag seen, remaining data: SignedInfo><ds:SignatureValue> "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643631 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: SignatureValue>XauLGQnxsSkLMm5 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643632 0 :  "ns_aaa_saml_parse_assertion: Parsed SignatureValue tag remaining data: /ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+ "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643633 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: KeyInfo><ds:X509Data><ds:X509C "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643634 0 :  "ns_aaa_saml_parse_assertion: Ignoring unknown/irrelevant tag seen at data: eyInfo><ds:X509Data><ds:X509Certificate>MIIFSDCCBDCgAwIBAgITagAAAATVGKrQMtW+kQAAAAAABDANBgkqhkiG9w0B "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643635 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: X509Data><ds:X509Certificate>M "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643636 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: X509Certificate>MIIFSDCCBDCgAw "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643637 0 :  "ns_aaa_saml_parse_assertion: Parsed X509Certificate tag remaining data: /ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643638 0 :  "parsing end of tag /ds:X509Data></ds:KeyInfo></ds "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643639 0 :  "parsing end of tag /ds:KeyInfo></ds:Signature><sa "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643640 0 :  "parsing end of tag /ds:Signature><saml:Subject><s "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643641 0 :  "signature end tag seen, remaining data: Signature><saml:Subject><saml: "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643642 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Subject><saml:NameID Format="u "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643643 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: NameID Format="urn:oasis:names "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643644 0 :  "ns_aaa_saml_parse_assertion: Parsed NameID tag remaining data: /saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectC "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643645 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: SubjectConfirmation Method="ur "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643646 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: SubjectConfirmationData InResp "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643647 0 :  "ns_aaa_saml_parse_assertion: Parsed SubjectConfirmationData tag remaining data: SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf" NotOnOrAfter="2018-01-25T09 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643648 0 :  "parsing end of tag /saml:SubjectConfirmationData> "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643649 0 :  "subjectConfData end tag seen, remaining data: ></saml:SubjectConfirmation></ "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643650 0 :  "parsing end of tag /saml:SubjectConfirmation></sa "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643651 0 :  "parsing end of tag /saml:Subject><saml:Conditions "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643652 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Conditions NotBefore="2018-01- "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643653 0 :  "ns_aaa_saml_parse_assertion: Parsed Conditions tag remaining data: "><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceR "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643654 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: AudienceRestriction><saml:Audi "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643655 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: Audience>https://saml-sp.repro "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643656 0 :  "SAML: ParseAssertion: Audience parsed is https://saml-sp.repro.lab"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643657 0 :  "parsing end of tag /saml:AudienceRestriction></sa "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643658 0 :  "parsing end of tag /saml:Conditions><saml:AuthnSt "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643659 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnStatement AuthnInstant="2 "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643660 0 :  "ns_aaa_saml_parse_assertion: Parsed AuthnStatement tag remaining data: "><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProte "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643661 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnContext><saml:AuthnContex "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643662 0 :  "ns_aaa_saml_parse_assertion: parsing the begg tag: AuthnContextClassRef>urn:oasis "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643663 0 :  "parsing end of tag /saml:AuthnContextClassRef></s "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643664 0 :  "parsing end of tag /saml:AuthnContext></saml:Auth "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643665 0 :  "parsing end of tag /saml:AuthnStatement></saml:As "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643666 0 :  "parsing end of tag /saml:Assertion> "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643667 0 :  "assertion end tag seen, remaining data:  "
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643668 0 :  "SAML: Assertion is signed, trying to verify"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643669 0 :  "SAML verify digest: digest algorithm SHA1, input for digest: <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_19f8b84b58eab7edd2c317a3baf3955" IssueInstant="2018-01-25T08:55:26Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://netscaler.repro.lab</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">admin1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_59d52136c277a2ae101124b8e40142bf" NotOnOrAfter="2018-01-25T09:00:26Z" Recipient="https://saml-sp.repro.lab/cgi/samlauth"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2018-01-25T08:50:26Z" NotOnOrAfter="2018-01-25T09:00:26Z"><saml:AudienceRestriction><saml:Audience>https://saml-sp.repro.lab</saml:Audience></saml:AudienceRest
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643670 0 :  "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_19f8b84b58eab7edd2c317a3baf3955"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>w9lrTkLx6kB1a3qAJaDn2iB/jQE=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default SSLVPN Message 14643671 0 :  "SAML SP: Trying to check if SAMLIDP is also on the same unit"
Jan 25 14:25:26 <local0.info> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643672 0 :  "SAML SP: IDP session found on the same instance, reusing the session for admin1"
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM HTTPREQUEST 14643673 0 : Context admin1@10.100.6.80 - SessionId: 238- saml-sp.repro.lab User admin1 : Group(s) N/A : Vserver 10.107.165.147:443 - 01/25/2018:08:55:26 GMT : SSO is OFF : GET / - -
Jan 25 14:25:26 <local0.debug> 10.107.165.140 01/25/2018:08:55:26 GMT NetScaler 0-PPE-0 : default AAATM Message 14643674 0 :  "cookie idx is 15, tmaaa cookie 9, temp cookie -1"
Jan 25 14:25:31 <local0.info> 10.107.165.140 01/25/2018:08:55:31 GMT NetScaler 0-PPE-0 : default CLI CMD_EXECUTED 14643705 0 :  User nsroot - Remote_ip 10.100.6.80 - Command "stop nstrace" - Status "Success"
Jan 25 14:25:32 <local0.info> 10.107.165.140 01/25/2018:08:55:32 GMT NetScaler 0-PPE-0 : default SNMP TRAP_SENT 14643707 0 :  netScalerConfigChange (nsUserName = "nsroot", configurationCmd = "stop nstrace", authorizationStatus = authorized, commandExecutionStatus = successful, nsClientIPAddr = 10.100.6.80, nsPartitionName = default)

SAML Counters :

Below listed SAML counters can be used to debug the issues with SAML in Netscaler.

Counter	Description
saml_assertion_verify_success	Number of successful assertion verifications; that many sessions must be established.
saml_assertion_parse_fail	Number of times assertion parsing is failed.
saml_assertion_stale	Number of stale assertions; these have passed verification but are found stale.
saml_signature_verify_fail	Number of times signature verification failed, after passing digest verification.
saml_canonicalize_fail	Number of times canonicalization (done at aaad) is failed.
saml_digest_verify_fail	Number of times digest verification, the first step of verification is failed.
saml_malformed_data	Number of malformed assertions or responses from Idp.
saml_no_policy	Total number of times policy was not found during verification.
saml_parse_logout_fail	Total number of times logout request (from idp) parsing is failed.
saml_tot_sp_init_logout	Total number of SP initiated logout requests.
saml_tot_idp_init_logout	Total number of IdP initiated logout requests.
saml_large_session_index	Total number of times the session index is greater than 64 bytes.
saml_session_bcast_fail	Total number of times session broadcast is failed.
saml_reject_unsigned_assertion	Total number of times unsigned assertions is rejected.
saml_large_post	Post body size is more than the required size.
saml_base64_decode_fail	Issue while trying to base64 decode SAML data.
saml_tot_dht_put_success	Total number of successful DHT puts.
saml_tot_dht_put_fail	Total number of unsuccessful DHT puts.
saml_tot_dht_get_success	Total number of success DHT pulls.
saml_tot_dht_get_notfound	Total number of times entry was not found, including false positives.
saml_tot_dht_free	Total number of times DHT entries are freed.
saml_tot_dht_deserialize_fail	Total number of times DHT deserialization is failed
saml_tot_replay_detected	Total number of times replay is detected.

Additional Information

How to Configure NetScaler as SAML Service Provider and Shibboleth as SAML Identity Provider
http://support.citrix.com/article/CTX200271

SAML Single Logout: NetScaler as SAML SP and Shibboleth as IDP
http://support.citrix.com/article/CTX200392

How to Configure ADFS on Microsoft 2012 Server to Use with NetScaler Appliance
http://support.citrix.com/article/CTX140562

How to Configure NetScaler SAML to Work with Microsoft Active Directory Federation Services 2.0 IDP
http://support.citrix.com/article/CTX133919

How to Integrate StoreFront 2.6 and NetScaler Gateway for Pass-through Access with SAML Authentication through Microsoft AD FS
http://support.citrix.com/article/CTX141780

How to Configure SAML SSO Authentication between NetScaler Gateway and Load Balancing Virtual Servers
http://support.citrix.com/article/CTX138988

Encrypted SAML Assertion Support When NetScaler is Used as Service Provider
http://support.citrix.com/article/CTX200178

Configuration and Troubleshooting for NetScaler as SAML IDP and Siteminder as SAML SP
http://support.citrix.com/article/CTX200177

How to Configure NetScaler as IDP for SAML Based Integration with 15Five
https://support.citrix.com/article/CTX222594

Other Links
https://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html
http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-idp.html
http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication/netscaler-saml-sp.html
http://docs.citrix.com/en-us/netscaler/12/aaa-tm/ns-aaa-setup-traffic-setting-con/ns-aaa-sso-saml-tsk.html

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"