Citrix NetScaler SAML 2.0 trust Fabric

11:55 AM

Security Assertion Markup Language 2.0 (SAML 2.0) is being adopted rapidly on the market.

At a glance, SAML 2.0 is an open standard that uses XML to transport authentication and authorization data between trusted endpoints. Its main application is web Single Sign-On (SSO). SAML 2.0 addresses the challenge of authenticating users from the Internet into an intranet.

Citrix NetScaler's latest version, 10.5, adds support for both SAML 2.0 endpoint roles: Service Provider (SP) and Identity Provider (IdP).

In the following article, we will walk through setting up Citrix NetScaler as both SP and IdP to complete a SAML trust fabric.

The following resources are used in this exercise:

  • a domain controller with Active Directory
  • Citrix NetScaler VPX 10.5
  • a Windows IIS server hosting a web application

The FQDNs and specific configuration used:

  • domain = DCTEST.com
  • LB vServer FQDN = webt.dctest.com
  • SP AAA vServer = aaa.sp.dctest.com
  • IdP AAA vServer = aaa.idp.dctest.com

To secure the connections to the virtual servers:

  • Create 3 SSL certificates. The vServers these certificates are tied to are the LB vServer, the SP AAA vServer and the IdP AAA vServer.

Create the LB vServer for your web application:

  1. Add the server in NetScaler: Traffic Management - Load Balancing - Servers (enter the server name / IP address)
  2. Add the service in NetScaler: Traffic Management - Load Balancing - Services (select Existing Server and choose the server just created)
  3. Create the LB vServer: Traffic Management - Load Balancing - Virtual Servers (enter a name, IP address and port; 443 if it is to be secured over SSL)
  4. Bind the service created in step 2 to the LB vServer

Create the SAML SP profile:

  1. Security - AAA - Application Traffic - Policies - Authentication - Basic Policies - SAML (select the Servers tab and give the SAML server a name)
  2. Select the IdP certificate
  3. Set the Redirect URL. This is the URL the SP will redirect the user to in order to authenticate at the IdP. In our example, because we use NetScaler as both SP and IdP, the URL is: https://aaa.idp.dctest.com/saml/login

Here https://aaa.idp.dctest.com is the FQDN of my IdP AAA vServer and /saml/login is the path NetScaler uses for the SAML assertion flow.

  5. Add the signing certificate. This is the certificate you created for the SP AAA vServer.
  6. Add the issuer name. In our example we use the IdP AAA vServer (aaa.idp.dctest.com). Vendor requirements for this field vary: if a third party is one of the endpoints, follow their documentation, as it may differ.
  7. Turn on Reject Unsigned Assertion. This forces the assertion to be signed.
  8. Ensure that the SAML binding parameter is set to POST.
  9. Click OK.

Next we create the SAML SP policy:

  1. Security - AAA - Application Traffic - Policies - Authentication - Basic Policies - SAML (Policies tab)
  2. Add a new policy (enter a name and select the server we just created)
  3. Enter ns_true for the expression

Create the SAML IdP profile:

  1. Security - AAA - Application Traffic - Policies - Authentication - Basic Policies - SAML IdP (select the Profiles tab and enter a name for the IdP profile)
  2. Enter the Assertion Consumer Service URL (ACS). In our example, because we have an LB vServer in front of the web server, we use:

https://webt.dctest.com/cgi/samlauth

where https://webt.dctest.com is the address of the LB vServer and /cgi/samlauth is the path on which the LB vServer listens for SAML assertions.

  3. Enter the SP certificate
  4. Enter the IdP certificate
  5. Enter the issuer name (the name has to match the one in the SP profile)
  6. Enter the audience. In our case it is the LB vServer address:

https://webt.dctest.com

  7. Click OK

Next, we create the SAML IdP policy:

  1. Security - AAA - Application Traffic - Policies - Authentication - Basic Policies - SAML IdP (select the Policies tab and enter a name)
  2. For the action, select the profile we just created
  3. Under Expression, enter:

HTTP.REQ.URL.CONTAINS("SAML")

  4. Click OK

Now we have created a SAML SP policy and server, and a SAML IdP policy and profile. The final policy to create is an LDAP policy for the user store.

Build an LDAP policy:

  1. Security - AAA - Application Traffic - Policies - Authentication - Basic Policies - LDAP (select the Servers tab and provide a name)
  2. In our example we use AD. Fill in the required fields with your AD connection settings.
  3. Click OK.

Build the AAA vServer for the SP:

  1. Security - AAA - Application Traffic - Virtual Servers (enter a name, IP and port)
  2. Bind the SSL certificate you created for the SP
  3. Bind the SAML SP policy from the previous step
  4. Bind the form-based virtual server (the LB vServer) created earlier
  5. Click Done

Create the AAA vServer for the IdP:

  1. Security - AAA - Application Traffic - Virtual Servers (enter the name, IP, port and authentication domain; in our example we use the IdP AAA vServer FQDN, aaa.idp.dctest.com)
  2. Bind the SSL certificate created for the IdP
  3. Bind the basic LDAP policy created earlier
  4. Bind the basic SAML IdP policy created earlier
  5. Click Done

Everything is now in place to complete the SAML assertion flow with NetScaler configured as both SAML endpoints.

To test, point your browser at the LB vServer that load balances your web application.

If successful, you should be redirected to the NetScaler AAA vServer acting as the IdP for authentication. Once you enter your login information, you should be granted access to the web app.

To see this 'behind the scenes', you can run a trace on the NetScaler or use a browser plug-in. I used the Live HTTP Headers plug-in for Firefox. Just run Live HTTP Headers while accessing the web app to see the SAML request and response. Note that they are encoded; to see the actual text you need to decode them. There are many online SAML decoders that will do the trick.
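As an added example (not part of the original post), here is a small offline decoder for the SAMLRequest/SAMLResponse values you would capture with Live HTTP Headers, so the assertion never has to be pasted into a third-party site. It handles both the redirect binding (base64 of raw DEFLATE) and the POST binding (plain base64), and pulls out the fields that must match the profiles above: Destination (the SP's Redirect URL), ACS URL, issuer, audience and whether the assertion is signed. The two sample messages are constructed from this article's URLs, not captured traffic.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml_param(encoded: str) -> str:
    """POST binding: base64 XML. Redirect binding: base64 of raw DEFLATE
    (no zlib header), so inflate with wbits=-15 when it is not plain XML."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")

def encode_redirect(xml_text: str) -> str:
    # redirect-binding encoding; only used here to build the constructed sample
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def summarize(xml_text: str) -> dict:
    # fields that must line up with the SP and IdP profiles on the NetScaler
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[1]
    issuer = root.find("saml:Issuer", NS)
    info = {"type": kind, "destination": root.get("Destination"),
            "issuer": issuer.text if issuer is not None else None}
    if kind == "AuthnRequest":
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
    else:
        aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
        info["audience"] = aud.text if aud is not None else None
        # an unsigned assertion is exactly what "Reject Unsigned Assertion" refuses
        info["assertion_signed"] = root.find(".//saml:Assertion/ds:Signature", NS) is not None
    return info

# Constructed samples using this article's URLs, not captured traffic
SAMPLE_REQUEST = encode_redirect(
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'Destination="https://aaa.idp.dctest.com/saml/login" '
    'AssertionConsumerServiceURL="https://webt.dctest.com/cgi/samlauth">'
    '<saml:Issuer>aaa.idp.dctest.com</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_p1" Version="2.0">'
    b'<saml:Issuer>aaa.idp.dctest.com</saml:Issuer><saml:Assertion ID="_a1">'
    b'<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
    b'https://webt.dctest.com</saml:Audience></saml:AudienceRestriction>'
    b'</saml:Conditions></saml:Assertion></samlp:Response>').decode()
```

Run `summarize(decode_saml_param(value))` on the value of the SAMLRequest or SAMLResponse parameter taken from the captured headers; a mismatch in destination, audience or issuer, or `assertion_signed: False`, points straight at the profile setting that is wrong.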
