Configure Azure AD as SAML IdP and Citrix ADC as SAML SP
The SAML Service Provider (SP) is a SAML entity that is deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP). The SP also validates SAML assertions that are received from the IdP.
The SAML IdP (Identity Provider) is the SAML entity operated by the identity provider; in this deployment it is Azure AD. The IdP receives authentication requests from the SAML SP and redirects users to a logon page, where they enter their credentials. The IdP authenticates these credentials against its user directory (or an external authentication server, such as LDAP) and then generates a SAML assertion that is sent to the SP. The SP validates the assertion, and the user is then granted access to the requested protected application.
The following diagram depicts the SAML authentication mechanism.
Azure AD side configurations
Configure single sign-on settings:
- On the Azure portal, click Azure Active Directory.
- Under the Manage section in the navigation pane, click Enterprise Applications. A random sample of the applications in your Azure AD tenant appears.
- In the search bar, enter Citrix ADC.
- Under the Manage section, select Single sign-on.
- Select SAML to configure single sign-on. The Set up Single Sign-On with SAML - Preview page appears. Here, Azure AD is acting as the SAML IdP.
- Download the Certificate (Base64) listed under SAML Signing Certificate. It is installed on the Citrix ADC and referenced as samlIdPCertName when configuring Citrix ADC as the SAML SP.
- Configure basic SAML options:
  Identifier (Entity ID) - Required for some apps. Uniquely identifies the application for which single sign-on is being configured. Azure AD sends the identifier to the application as the audience parameter of the SAML token, and the application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application.
  Reply URL - Mandatory. Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL.
  Sign-on URL - When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user.
  Relay State - Tells the application where to redirect the user after authentication is complete.
Citrix ADC side configurations
- Navigate to Security > AAA-Policies > Authentication > Basic Policies > SAML.
- Select the Servers tab, click Add, enter values for the following parameters, and click Create.
Parameter description:
The value for parameters in bold needs to be taken from the Azure side configurations.
Name - Name of the server
Redirect URL - Enter the Login URL shown in the Azure AD "Set up Citrix ADC" section.
https://login.microsoftonline.com/3e6d1786-4e0c-4c70-86d2-ae7811f97f79/saml2
Single Logout URL -
https://login.microsoftonline.com/3e6d1786-4e0c-4c70-86d2-ae7811f97f79/saml2
SAML Binding - POST
Logout Binding - REDIRECT
IDP Certificate Name - The Certificate (Base64) downloaded from SAML Signing Certificate on the Azure AD side, installed on the Citrix ADC (IdPCert in this example). The ADC uses it to verify the signature on assertions from Azure AD.
User Field - userprincipalName. Taken from “User Attributes and Claims” section of Azure IdP.
Signing Certificate Name - Not needed for Azure AD, and not needed by most IdPs. If set, this is the SAML SP certificate (with private key) that Citrix ADC uses to sign authentication requests to the IdP; the same certificate (without private key) must then be imported into the IdP so that it can verify the request signature.
IssuerName - Identifier.
https://idp.g.nssvctesting.net
Reject unsigned assertion - ON
Audience - Audience for which assertion sent by IdP is applicable. This is typically entity name or URL that represents ServiceProvider.
Signature Algorithm - RSA-SHA256
Digest Method - SHA256
Default Authentication Group - The default group that is chosen when the authentication succeeds in addition to extracted groups.
Group Name Field - Name of the tag in assertion that contains user groups.
Skew Time (mins) - This option specifies the allowed clock skew in number of minutes that Citrix ADC ServiceProvider allows on an incoming assertion.
Two factor - OFF
Requested Authentication Context - exact
Authentication Class Type - None
Send Thumbprint - OFF
Enforce Username - ON
Force Authentication - OFF
Store SAML Response - OFF
Similarly, create a corresponding SAML policy and bind it to the authentication virtual server.
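The server parameters above (Reject unsigned assertion, IssuerName, Audience, Skew Time, User Field) configure the checks the ADC applies to every assertion Azure AD returns, and a misconfigured value silently weakens them. The following is an added example in Python, not Citrix ADC code, that shows those policy checks applied to a constructed SAML Response. It does not verify the XML signature cryptographically (the ADC does that with the IdP certificate); it only checks that a Signature element is present and then applies the issuer, audience, validity-window and user-field checks. Assumptions: the Azure AD issuer value follows the form https://sts.windows.net/<tenant-id>/ using the tenant ID from the page's login URL, the SP entity ID is the page's IssuerName example, and the UPN attribute is named userprincipalname in the constructed sample.

```python
"""Added example: policy checks a SAML SP applies to an IdP assertion, modelled on
the Citrix ADC samlAction parameters described on this page. Not Citrix code.
The XML-DSig is NOT verified cryptographically here; the ADC does that with the
IdP certificate (samlIdPCertName). Only the presence of a Signature is checked."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed values: SP entity ID from the page's IssuerName example; the Azure AD
# issuer is assumed to be https://sts.windows.net/<tenant-id>/ with the page's tenant.
SP_ENTITY_ID = "https://idp.g.nssvctesting.net"
AZURE_ISSUER = "https://sts.windows.net/3e6d1786-4e0c-4c70-86d2-ae7811f97f79/"


@dataclass
class SpPolicy:
    """Subset of the samlAction settings from the page, with the page's values."""
    audience: str = SP_ENTITY_ID
    expected_issuer: str = AZURE_ISSUER
    user_field: str = "userprincipalName"        # matched case-insensitively here
    reject_unsigned_assertion: bool = True       # page: Reject unsigned assertion - ON
    skew_time: timedelta = timedelta(minutes=5)  # page: Skew Time (mins)


def build_response(*, signed=True, audience=SP_ENTITY_ID, issuer=AZURE_ISSUER,
                   not_before="2024-05-01T12:00:00Z",
                   not_on_or_after="2024-05-01T12:05:00Z",
                   upn="alice@contoso.example") -> str:
    """Constructed sample Response (not captured from Azure AD). The ds:Signature
    element is a placeholder standing in for the IdP's real XML-DSig."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>') if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>{upn}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="userprincipalname"><saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def at(hhmm: str) -> datetime:
    """Clock helper for the sample day: at("1202") is 12:02 UTC on 2024-05-01."""
    return datetime(2024, 5, 1, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)


def validate(xml_text: str, policy: SpPolicy, now: datetime) -> str:
    """Return the username from the assertion, or raise ValueError naming the
    first failed check."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    # Reject unsigned assertion: an Assertion without ds:Signature is dropped.
    if policy.reject_unsigned_assertion and assertion.find("ds:Signature", NS) is None:
        raise ValueError("unsigned assertion rejected")
    issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != policy.expected_issuer:
        raise ValueError(f"issuer mismatch: {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    # Audience: a token minted for another application must not be accepted here.
    audiences = {(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if policy.audience not in audiences:
        raise ValueError(f"audience mismatch: {sorted(audiences)}")
    # Validity window, widened by the configured skew time on both sides.
    if "NotBefore" in cond.attrib and now < _ts(cond.attrib["NotBefore"]) - policy.skew_time:
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.attrib["NotOnOrAfter"]) + policy.skew_time:
        raise ValueError("assertion expired")
    # User Field: the attribute whose Name matches the configured field.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").lower() == policy.user_field.lower():
            value = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
            if value:
                return value
    raise ValueError(f"user field {policy.user_field!r} not present in assertion")


def outcome(xml_text: str, policy: SpPolicy, now: datetime) -> str:
    """Convenience wrapper: 'OK <user>' or 'REJECT <reason>'."""
    try:
        return "OK " + validate(xml_text, policy, now)
    except ValueError as exc:
        return "REJECT " + str(exc)


if __name__ == "__main__":
    print(outcome(build_response(), SpPolicy(), at("1202")))
    print(outcome(build_response(signed=False), SpPolicy(), at("1202")))
```

Running the block shows the signed sample accepted and the unsigned variant rejected; constructing `SpPolicy(reject_unsigned_assertion=False)` makes the unsigned variant pass, which is exactly why the page sets Reject unsigned assertion to ON. The skew handling is symmetric: an assertion is still accepted up to Skew Time after NotOnOrAfter and before NotBefore, so keep that value small and keep the ADC's clock synchronised.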
Note: Azure AD does not expect the Subject ID field in the SAML request. For Citrix ADC to not send the Subject ID field, type the following command on the Citrix ADC command prompt.
nsapimgr_wr.sh -ys call="ns_saml_dont_send_subject"