SAML is an authentication standard designed to separate the user database from the protected services, so you can run services (especially in the "cloud") without moving your user database out of your trusted zone.
NetScaler can provide both sides of a SAML infrastructure: securing your services (NetScaler as SAML SP) and protecting the user database (NetScaler as SAML IdP).
SP: SAML service provider
IdP: SAML identity provider
It is important to understand the communication flow:
- the SP trusts the IdP (trust relationship)
- the user connects to a service protected by the SP
- the SP forwards the user to the IdP to authenticate (the SAML request is signed by the SP)
- the user brings the SAML request to the IdP and is authenticated there (e.g. against AD via LDAP)
- after successful authentication the IdP issues a SAML assertion and passes it back to the SP (the SAML assertion and the values it carries are used for authorisation and SSO)
lab environment:
- Windows box: web application and user database (AD domain controller)
- NetScaler: SAML SP and SAML IdP (can run on the same box)
domain controller with user database:
hostname: ad1.pcloud.lab 192.168.100.10
LDAP Policy & Profile:
add authentication ldapAction LDAP_PCloud -serverName ad1.pcloud.lab -ldapBase "DC=pcloud,DC=lab" -ldapBindDn administrator@pcloud.lab -ldapBindDnPassword Citrix123 -ldapLoginName samAccountName
add authentication ldapPolicy LDAP_PCloud ns_true LDAP_PCloud
add authentication vserver AAA_LDAP_PCloud SSL 192.168.100.111 443 -AuthenticationDomain pcloud.lab
Web server with the application (can run on the same box as AD):
hostname: www.pcloud.lab 192.168.100.32
NetScaler
Load balancer: redirects to the SAML SP for TM-AAA (traffic management authentication)
hostname: lb.pcloud.lab 192.168.100.132
add server www.pcloud.lab 192.168.100.32
add service SRV_HTTP-WWW www.pcloud.lab HTTP 80
add lb vserver LB_VS_www.pcloud.lab HTTP 192.168.100.132 80
bind lb vserver LB_VS_www.pcloud.lab SRV_HTTP-WWW
SAML SP: forwards the user to the SAML IdP and validates the returned SAML assertion
hostname: saml_sp.pcloud.lab 192.168.100.232
add authentication vserver AAA_SAML_SP SSL 192.168.100.232 443 -AuthenticationDomain pcloud.lab
samlAction linking to the IdP:
add authentication samlAction SAML_SP_CNS -samlIdPCertName SAML-IdP -samlSigningCertName SAML-SP -samlRedirectUrl "https://saml_idp.pcloud.lab/saml/login" -samlUserField NameID -samlIssuerName "http://lb_www.pcloud.lab" -defaultAuthenticationGroup DAG_SAML
bind the samlPolicy to the authentication vserver:
add authentication samlPolicy SAML_SP_CNS ns_true SAML_SP_CNS
bind authentication vserver AAA_SAML_SP -policy SAML_SP_CNS
bind the SAML SP as the authentication host of the LB vserver:
set lb vserver LB_VS_www.pcloud.lab -AuthenticationHost saml_sp.pcloud.lab -Authentication ON -authnVsName AAA_SAML_SP
SAML IdP authentication vserver: links to AD (via LDAP) and passes the assertion back to the SAML SP
hostname: saml_idp.pcloud.lab 192.168.100.210
add authentication vserver AAA_SAML_IdP SSL 192.168.100.210 443 -AuthenticationDomain pcloud.lab
link to AD (bind the LDAP authentication policy):
bind authentication vserver AAA_SAML_IdP -policy LDAP_PCloud -priority 0
SAML IdP profile:
add authentication samlIdPProfile Auth_Pro_SAML_CNS -samlSPCertName SAML-SP -samlIdPCertName SAML-IdP -assertionConsumerServiceURL "http://lb_www.pcloud.lab/cgi/samlauth" -sendPassword ON -samlIssuerName saml_idp.pcloud.lab
SAML IdP policy:
add authentication samlIdPPolicy SAML_Idp_CNS -rule "HTTP.REQ.URL.CONTAINS(\"saml\")" -action Auth_Pro_SAML_CNS
redirect back to the SAML SP (bind the SAML IdP policy):
bind authentication vserver AAA_SAML_IdP -policy SAML_Idp_CNS -priority 100 -gotoPriorityExpression END
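To make the SP side of the flow concrete, here is an added example (not from the original post, and not NetScaler code) of the checks the SP has to make on the assertion the IdP posts back: it uses the issuer, audience and ACS URL values from the lab configuration above and extracts the NameID the SP maps with -samlUserField. It assumes the XML signature has already been verified with the SAML-IdP certificate, which is not shown, and works on a constructed, unsigned sample response.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values taken from the lab configuration above.
IDP_ISSUER = "saml_idp.pcloud.lab"                 # IdP profile -samlIssuerName
SP_ISSUER = "http://lb_www.pcloud.lab"             # SP samlAction -samlIssuerName
ACS_URL = "http://lb_www.pcloud.lab/cgi/samlauth"  # -assertionConsumerServiceURL

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now):
    """Check issuer, destination, audience and validity window; return (nameid, errors).
    Signature verification with the IdP certificate (SAML-IdP) comes first and is not shown."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        errors.append("Destination does not match our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["response carries no Assertion"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != IDP_ISSUER:
        errors.append("assertion issuer is not the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        errors.append("missing or expired validity window (NotBefore/NotOnOrAfter)")
    audiences = [(a.text or "").strip() for a in assertion.iterfind(".//saml:Audience", NS)]
    if SP_ISSUER not in audiences:
        errors.append("assertion is not addressed to this SP (audience)")
    nameid = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not nameid:
        errors.append("no NameID, which the SP maps with -samlUserField NameID")
    return (nameid if not errors else None), errors

# Constructed sample response (unsigned) as the IdP would post it to the ACS URL.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://lb_www.pcloud.lab/cgi/samlauth">
  <saml:Assertion><saml:Issuer>saml_idp.pcloud.lab</saml:Issuer>
    <saml:Subject><saml:NameID>alice@pcloud.lab</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://lb_www.pcloud.lab</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, _ts("2024-01-01T10:01:00Z")))
```

An assertion that fails any one of these checks yields no NameID, so the user is not let through to the LB vserver.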
Enjoy building your own lab. For more details, including descriptions and troubleshooting help, please send me an email.