Citrix ADC as a SAML SP
The SAML Service Provider (SP) is a SAML entity deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP).
The SP also validates SAML assertions that are received from the IdP.
When the Citrix ADC appliance is configured as an SP, all user requests are received by a traffic management virtual server (load balancing or content switching) that is associated with the relevant SAML action.
The Citrix ADC appliance also supports POST and Redirect bindings during logout.
A Citrix ADC appliance can be used as a SAML SP in a deployment where the SAML IdP is either configured on the appliance itself or is any external SAML IdP.
When used as a SAML SP, a Citrix ADC appliance:
Can extract the user information (attributes) from the SAML token. This information can then be used in the policies that are configured on the Citrix ADC appliance. For example, if you want to extract the GroupMember and emailaddress attributes, in the SAMLAction, specify the Attribute2 parameter as GroupMember and the Attribute3 parameter as emailaddress.
Default attributes such as username, password, and logout URL must not be extracted in attributes 1–16, because they are implicitly parsed and stored in the session.
Can extract attribute names of up to 127 bytes from an incoming SAML assertion. The previous limit was 63 bytes.
Supports POST, Redirect, and Artifact bindings.
Redirect binding should not be used for large amounts of data, that is, when the assertion after inflation or decoding exceeds 10K bytes.
Can decrypt assertions.
Can extract multi-valued attributes from a SAML assertion. These attributes are sent in nested XML tags such as:
<AttributeValue> <AttributeValue>Value1</AttributeValue> <AttributeValue>Value2</AttributeValue> </AttributeValue>
When presented with the previous XML, the Citrix ADC appliance extracts both Value1 and Value2 as values of the given attribute, whereas older firmware extracts only Value1.
From Citrix ADC 13.0 Build 63.x and above, the individual maximum length for SAML attributes has been increased to a maximum of 40k bytes. The size of all the attributes together must not exceed 40k bytes.
Can specify the validity of a SAML assertion.
If the system time on Citrix ADC SAML IdP and the peer SAML SP is not in sync, the messages might get invalidated by either party. To avoid such cases, you can now configure the time duration for which the assertions are valid.
This duration, called the “skew time,” specifies the number of minutes for which the message should be accepted. The skew time can be configured on the SAML SP and the SAML IdP.
Can send the extra attribute ‘ForceAuthn’ in the authentication request to an external IdP (Identity Provider). By default, ForceAuthn is set to ‘False’. It can be set to ‘True’ to ask the IdP to force authentication even if an authentication context already exists. Also, when configured with artifact binding, the Citrix ADC SP sends the authentication request in a query parameter.
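The following is an added example and not code from the Citrix documentation or the appliance: a Python standard-library model of two of the SP-side operations listed above, building the AuthnRequest with the optional ForceAuthn flag, and extracting attributes from an assertion, including a multi-valued attribute carried as nested AttributeValue elements (the GroupMember/emailaddress names come from the page). The sample assertion, the URLs and the behaviour of treating the 127-byte attribute-name limit and the 40k-byte total as hard errors are assumptions made for the example.

```python
# Added example (not Citrix code). The sample assertion, URLs and the
# error behaviour on the size limits are constructed for illustration.
import uuid
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MAX_ATTR_NAME_BYTES = 127         # attribute name limit stated on the page
MAX_TOTAL_ATTR_BYTES = 40 * 1024  # "size of all the attributes must not exceed 40k bytes"


def build_authn_request(issuer, acs_url, destination, force_authn=False):
    """Return the (unsigned) AuthnRequest the SP sends to the IdP.

    ForceAuthn defaults to false, as on the appliance; true asks the IdP to
    re-authenticate the user even if an IdP session already exists.
    """
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" '
        'ID="_{rid}" Version="2.0" IssueInstant="{t}" '
        "Destination={dest} AssertionConsumerServiceURL={acs} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'ForceAuthn="{force}">'
        "<saml:Issuer>{iss}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).format(p=NS["samlp"], a=NS["saml"], rid=uuid.uuid4().hex, t=issue_instant,
             dest=quoteattr(destination), acs=quoteattr(acs_url),
             force="true" if force_authn else "false", iss=escape(issuer))


def request_forces_authn(request_xml):
    """Parse an AuthnRequest and report whether it carries ForceAuthn="true"."""
    root = ET.fromstring(request_xml)
    return root.get("ForceAuthn", "false").lower() == "true"


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from a saml:Assertion.

    An AttributeValue that itself contains AttributeValue children is a
    multi-valued attribute: every nested value is collected (the current
    firmware behaviour described on the page; old firmware kept only the
    first). Several sibling AttributeValue elements are collected as well.
    """
    root = ET.fromstring(assertion_xml)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element")
    attrs, total = {}, 0
    for attr in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if len(name.encode("utf-8")) > MAX_ATTR_NAME_BYTES:
            raise ValueError(f"attribute name longer than {MAX_ATTR_NAME_BYTES} bytes: {name[:40]}...")
        values = []
        for val in attr.findall("saml:AttributeValue", NS):
            nested = val.findall("saml:AttributeValue", NS)
            if nested:
                values.extend((n.text or "").strip() for n in nested)
            else:
                values.append((val.text or "").strip())
        total += sum(len(v.encode("utf-8")) for v in values)
        if total > MAX_TOTAL_ATTR_BYTES:
            raise ValueError("attribute values exceed 40k bytes in total")
        attrs[name] = values
    return attrs


def attributes_or_error(assertion_xml):
    """Convenience wrapper: (attrs, None) on success, (None, message) on rejection."""
    try:
        return extract_attributes(assertion_xml), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample assertion (unsigned, for parsing only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://auth1.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="GroupMember">
      <saml:AttributeValue>
        <saml:AttributeValue>Value1</saml:AttributeValue>
        <saml:AttributeValue>Value2</saml:AttributeValue>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    req = build_authn_request("https://lb.example1.com/", "https://lb.example1.com/cgi/samlauth",
                              "https://auth1.example.com/sso", force_authn=True)
    print("ForceAuthn requested:", request_forces_authn(req))
    print(extract_attributes(SAMPLE_ASSERTION))
```

The GroupMember attribute comes back as both Value1 and Value2, which is what a group-based policy on the appliance needs; an assertion whose attribute name exceeds 127 bytes or whose values together exceed 40k bytes is rejected rather than silently truncated.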
To configure the Citrix ADC appliance as a SAML SP by using the command line interface
Configure a SAML SP action.
The following command adds a SAML action that redirects unauthenticated user requests.
add authentication samlAction SamlSPAct1 -samlIdPCertName nssp -samlSigningCertName nssp -samlRedirectUrl https://auth1.example.com -relaystateRule "AAA.LOGIN.RELAYSTATE.EQ(\"https://lb.example1.com/\")"
Points to note
- The certificate provided for -samlIdPCertName in the samlAction command must match the corresponding certificate from the IdP for the signature verification to succeed.
- SAML supports only RSA certificates. Other certificates, such as HSM-backed or FIPS certificates, are not supported.
- Citrix recommends using a full domain name with a trailing ‘/’ in the relaystateRule expression.
- Administrators must configure an expression for relaystateRule in the samlAction command. The expression must contain the list of published domains that the user connects to before being redirected to the authentication virtual server. For example, the expression must contain the domains of the front-end virtual servers (VPN, LB, or CS) that use this SAML action for authentication.
For more details on the command, see https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/authentication/authentication-samlAction and https://support.citrix.com/article/CTX316577.
Configure the SAML policy.
The following command defines a SAML policy that applies the previously defined SAML action to all traffic.
add authentication policy SamlSPPol1 -rule true -action SamlSPAct1
Bind the SAML policy to the authentication virtual server.
The following command binds the SAML policy to an authentication virtual server named “av_saml”.
bind authentication vserver av_saml -policy SamlSPPol1
Bind the authentication virtual server to the appropriate traffic management virtual server.
The following command adds a load balancing virtual server named “lb1_ssl” and associates the authentication virtual server named “av_saml” to the load balancing virtual server.
add lb vserver lb1_ssl SSL 10.217.28.224 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.example.com -Authentication ON -authnVsName av_saml
For more details on the command, see https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/authentication/authentication-samlAction
To configure a Citrix ADC appliance as a SAML SP by using the GUI
Navigate to Security > AAA-Policies > Authentication > Basic Policies > SAML.
Select the Servers tab, click Add, enter values for the following parameters, and click Create.
Name - Name of the server
Redirect URL - URL that users authenticate against. Some IdPs have special URLs that are reachable only as part of a SAML flow.
Single Logout URL - URL specified so that the Citrix ADC can recognize when to send the client back to the IdP to complete the sign-out process. It is not used in this simple deployment.
SAML Binding - Method used to move the client from the SP to the IdP. This must be the same on the IdP so that it understands how the client will connect to it. When the Citrix ADC acts as an SP, it supports POST, REDIRECT, and ARTIFACT bindings.
Logout Binding - REDIRECT
IDP Certificate Name - IdPCert Certificate (Base64) present under SAML Signing Certificate.
User Field - Field (attribute) in the IdP’s SAML assertion that contains the username, for the SP to extract if required.
Signing Certificate Name - Select the SAML SP certificate (with private key) that Citrix ADC uses to sign authentication requests to the IdP. The same certificate (without private key) must be imported to the IdP, so that the IdP can verify the authentication request signature. This field is not needed by most IdPs.
IssuerName - Identifier. Unique ID that is specified on both the SP and IdP to help identify the Service Provider to each other.
Reject unsigned assertion - Option that you can specify if you require the Assertions from the IdP to be signed. You can ensure that only the Assertion needs to be signed (ON) or both the Assertion and Response from the IdP need to be signed (STRICT).
Audience - Audience for which assertion sent by IdP is applicable. This is typically entity name or URL that represents ServiceProvider.
Signature Algorithm - RSA-SHA256
Digest Method - SHA256
Default Authentication Group - The default group that is chosen when the authentication succeeds in addition to extracted groups.
Group Name Field - Name of the tag in assertion that contains user groups.
Skew Time (mins) - This option specifies the allowed clock skew in number of minutes that Citrix ADC ServiceProvider allows on an incoming assertion.
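The following is an added example, not Citrix code, showing the checks behind three of the settings listed above (Reject unsigned assertion with its ON and STRICT levels, Audience, and Skew Time, the same skew time described earlier under the SP capabilities), applied to a SAML Response with Python’s standard library. The sample response and its placeholder Signature elements are constructed; the example checks only that the required elements carry a ds:Signature, and assumes that cryptographic verification of each signature against the IdP certificate is done by a separate step that must also succeed before the assertion is trusted.

```python
# Added example (not Citrix code). Sample response and signature placeholders
# are constructed; signature *presence* is checked per the ON/STRICT setting,
# cryptographic verification is assumed to happen elsewhere.
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _has_direct_signature(elem):
    """True if this element carries its own ds:Signature child (enveloped signature)."""
    return elem.find("ds:Signature", NS) is not None


def validate_response(response_xml, *, audience, reject_unsigned="STRICT",
                      skew_minutes=5, now=None):
    """Return a list of violations; an empty list means every check passed.

    reject_unsigned: "OFF"    no signature requirement
                     "ON"     the Assertion must be signed
                     "STRICT" both the Response and the Assertion must be signed
    skew_minutes:    clock skew tolerated on NotBefore / NotOnOrAfter
    now:             aware datetime or SAML timestamp string (defaults to the current time)
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _ts(now)
    skew = timedelta(minutes=skew_minutes)
    problems = []

    resp = ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in Response (encrypted assertions are not handled here)"]

    if reject_unsigned in ("ON", "STRICT") and not _has_direct_signature(assertion):
        problems.append("Assertion is not signed")
    if reject_unsigned == "STRICT" and not _has_direct_signature(resp):
        problems.append("Response is not signed")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Assertion has no Conditions")
        return problems
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # The skew widens the window on both sides: accept if now >= NotBefore - skew
    # and now < NotOnOrAfter + skew.
    if not_before and now + skew < _ts(not_before):
        problems.append(f"assertion not yet valid (NotBefore={not_before})")
    if not_on_or_after and now - skew >= _ts(not_on_or_after):
        problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")

    audiences = [a.text.strip() for a in
                 conditions.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"audience mismatch: expected {audience!r}, got {audiences!r}")
    return problems


# Constructed sample: Response and Assertion each carry a placeholder signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://auth1.example.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>cmVzcG9uc2U=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://auth1.example.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>YXNzZXJ0aW9u</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://lb.example1.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for level in ("OFF", "ON", "STRICT"):
        print(level, validate_response(SAMPLE_RESPONSE, audience="https://lb.example1.com/",
                                       reject_unsigned=level, now="2024-05-01T12:02:00Z"))
```

Run against the sample at 12:07 UTC, a skew of 5 minutes still accepts the assertion that expired at 12:05, while a skew of 1 minute rejects it; stripping the Assertion signature fails ON and STRICT, stripping only the Response signature fails STRICT alone.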
Similarly, create a corresponding SAML policy and bind it to the authentication virtual server.
Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the SAML policy with the authentication virtual server.
Associate the authentication server with the appropriate traffic management virtual server.
Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.