Product Documentation
ADC
14.1 - Current Release 13.1 13.0 12.1
View PDF

Citrix ADC as a SAML SP

September 14, 2021
Contributed by: 
S C

The SAML Service Provider (SP) is a SAML entity deployed by the service provider. When a user tries to access a protected application, the SP evaluates the client request. If the client is unauthenticated (does not have a valid NSC_TMAA or NSC_TMAS cookie), the SP redirects the request to the SAML Identity Provider (IdP).

The SP also validates SAML assertions that are received from the IdP.

When the Citrix ADC appliance is configured as an SP, all user requests are received by a traffic management virtual server (load balancing or content switching). The requests are associated with the relevant SAML action.

The Citrix ADC appliance also supports POST and Redirect bindings during logout.

Note

A Citrix ADC appliance can be used as a SAML SP in a deployment where the SAML IdP is configured either on the appliance or on any external SAML IdP.

When used as a SAML SP, a Citrix ADC appliance:

  • Can extract the user information (attributes) from the SAML token. This information can then be used in the policies that are configured on the Citrix ADC appliance. For example, if you want to extract the GroupMember and emailaddress attributes, in the SAMLAction, specify the Attribute2 parameter as GroupMember and the Attribute3 parameter as emailaddress.

    Note

    Default attributes such as username, password, and logout URL must not be extracted in attributes 1–16, because they as are implicitly parsed and stored in the session.

  • Can extract attribute names of up to 127 bytes from an incoming SAML assertion. The previous limit was 63 bytes. Support introduced in NetScaler 11.0 Build 64.x.

  • Supports post, redirect, and artifact bindings. Support for redirect and artifact bindings is introduced in NetScaler 11.0 Build 55.x.

    Note

    Redirect binding must not be used for a large amount of data, when the assertion after inflate or decoding is greater than 10K.

  • Can decrypt assertions. Support introduced in NetScaler 11.0 Build 55.x.

  • Can extract multi-valued attributes from a SAML assertion. These attributes are sent is nested XML tags such as:

    <AttributeValue> <AttributeValue>Value1</AttributeValue> <AttributeValue>Value2</AttributeValue> </AttributeValue>

    When presented with previous XML, the Citrix ADC appliance can extract both Value1 and Value2 as values of a given attribute, as opposed to the old firmware that extracts only Value1.

    Note

    Support introduced in NetScaler 11.0 Build 64.x.

  • Can specify the validity of a SAML assertion.

    If the system time on Citrix ADC SAML IdP and the peer SAML SP is not in sync, the messages might get invalidated by either party. To avoid such cases, you can now configure the time duration for which the assertions are valid.

    This duration, called the “skew time,” specifies the number of minutes for which the message must be accepted. The skew time can be configured on the SAML SP and the SAML IdP.

    Note

    Support introduced in NetScaler 11.0 Build 64.x.

  • Can send an extra attribute called ‘ForceAuth’ in the authentication request to external IdP (Identity Provider). By default, the ForceAuthn is set to ‘False’. It can be set to ‘True’ to suggest IdP to force authentication despite existing authentication context. Also, Citrix ADC SP does an authentication request in the query parameter when configured with artifact binding.

To configure the Citrix ADC appliance as a SAML SP by using the command line interface

  1. Configure a SAML SP action.

    Example

    The following command adds a SAML action that redirects unauthenticated user requests.

    add authentication samlAction SamlSPAct1 -samlIdPCertName nssp –samlRedirectUrl https://auth1.example.com<!--NeedCopy-->

  2. Configure the SAML policy.

    Example

    The following command defines a SAML policy that applies the previous defined SAML action to all traffic.

    add authentication samlPolicy SamlSPPol1 ns_true SamlSPAct1<!--NeedCopy-->

  3. Bind the SAML policy to the authentication virtual server.

    Example

    The following command binds the SAML policy to an authentication virtual server named “av_saml”.

    bind authentication vserver av_saml -policy SamlSPPol1<!--NeedCopy-->

  4. Bind the authentication virtual server to the appropriate traffic management virtual server.

    Example

    The following command adds a load balancing virtual server named “lb1_ssl” and associates the authentication virtual server named “av_saml” to the load balancing virtual server.

    add lb vserver lb1_ssl SSL 10.217.28.224 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.example.com -Authentication ON -authnVsName av_saml<!--NeedCopy-->

To configure a Citrix ADC appliance as a SAML SP by using the GUI

  1. Configure the SAML action and policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy. Create a policy with SAML as the action type, and associate the required SAML action with the policy.

  2. Associate the SAML policy with an authentication virtual server.

    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the SAML policy with the authentication virtual server.

  3. Associate the authentication server with the appropriate traffic management virtual server.

    Navigate to Traffic Management > Load Balancing (or Content Switching) > Virtual Servers, select the virtual server, and associate the authentication virtual server with it.

Increase of SessionIndex size in SAML SP

The SessionIndex size of the SAML Service Provider (SP) is increased to 96 bytes. Previously, the default maximum size of SessionIndex was 63 bytes.

Custom authentication class reference support for SAML SP

You can configure the custom authentication class reference attribute in the SAML action command. Using the custom authentication class reference attribute, you can customize the class names in the appropriate SAML tags. The custom authentication class reference attribute along with namespace is sent to the SAML IdP as part of SAML SP authentication request.

Previously, using SAML action command, you could configure only a set of predefined classes defined in authnCtxClassRef attribute.

Important

While configuring customAuthnCtxClassRef attribute, ensure the following:

  • The names of the classes must include alphanumeric characters or a valid URL with proper XML tags.
  • If you have to configure multiple custom classes, each class must be separated by commas.

To configure the customAuthnCtxClassRef attributes by using the CLI

At the command prompt, type:

  • add authentication samlAction <name> [-customAuthnCtxClassRef <string>]
  • set authentication samlAction <name> [-customAuthnCtxClassRef <string>]

Example:

  • add authentication samlAction samlact1 –customAuthnCtxClassRef http://www.class1.com/LoA1,http://www.class2.com/LoA2
  • set authentication samlAction samlact2 –customAuthnCtxClassRef http://www.class3.com/LoA1,http://www.class4.com/LoA2

To configure the customAuthnCtxClassRef attributes by using the GUI

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > SAML.
  2. On the SAML page, select Servers tab and click Add.
  3. On the Create Authentication SAML Server page, enter the name for SAML action.

  4. Scroll down to configure the class types in Custom Authentication Class Types section.

    custom authentication class types

Citrix ADC as a SAML SP
September 14, 2021
Contributed by: 
S C
September 14, 2021
Contributed by: 
S C

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.