Citrix ADC

OAuth authentication

The authentication, authorization, and auditing traffic management feature supports OAuth and OpenID Connect (OIDC) authentication. It authorizes and authenticates users to services that are hosted on applications such as Google, Facebook, and Twitter.

Points to note

  • Citrix ADC Advanced Edition and higher is required for the solution to work.
  • A Citrix ADC appliance must be on version 12.1 or later for the appliance to work as an OAuth IdP using OIDC.
  • OAuth on a Citrix ADC appliance is qualified for all SAML IdPs that are compliant with “OpenID connect 2.0”.

A Citrix ADC appliance can be configured to behave as a Service Provider (SP) or an Identity Provider (IdP), using SAML and OIDC. Previously, a Citrix ADC appliance configured as IdP supported only SAML protocol. Starting from Citrix ADC 12.1 version, Citrix ADC supports the OIDC as well.

OIDC is an extension to OAuth authorization/delegation. A Citrix ADC appliance supports OAuth and OIDC protocols in the same class of other authentication mechanisms. OIDC is an add-on to OAuth as it provides a way for getting user information from the authorization server as opposed to OAuth that gets only a token which cannot be gleaned for user information.

The authentication mechanism facilitates the inline verification of OpenID tokens. A Citrix ADC appliance can be configured to obtain certificates and verify signatures on the token.

A major advantage of using the OAuth and OIDC mechanisms is that the user information is not sent to the hosted applications. Therefore, the risk of identity theft is considerably reduced.

The Citrix ADC appliance configured for authentication, authorization, and auditing now accepts incoming tokens that are signed using the HMAC HS256 algorithm. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file, instead of learning from a URL endpoint.

In the Citrix ADC implementation, the application is accessed by the authentication, authorization, and auditing traffic management virtual server. So, to configure OAuth, you must configure an OAuth policy which must then be associated with an authentication, authorization, and auditing traffic management virtual server.

Configure the OpenID Connect protocol

A Citrix ADC appliance can now be configured as an identity provider by using OIDC protocol. OIDC protocol strengthens the identity providing capabilities of the Citrix ADC appliance. You can now access the enterprise wide hosted application with a single sign-on. The OIDC offers more security by not transferring user password but works with tokens with specific lifetime. OIDC also is designed to integrate with non-browser clients such as apps and services. Therefore, many implementations adopt OIDC widely.

Advantages of having the OpenID Connect support

  • OIDC eliminates the overhead of maintaining multiple authentication passwords as the user has a single identity across the organization.
  • OIDC provides a robust security for your password as the password is shared only with your identity provider and not with any application you access.
  • OIDC has vast interoperability with various systems making it easier for the hosted applications to accept OpenID.
  • OIDC is a simple protocol that enables native clients to easily integrate with servers.

To configure a Citrix ADC appliance as an IdP using the OpenID Connect protocol by using GUI

  1. Navigate to Configuration > Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > OAuth IdP.

  2. Click Profile and click Add.

    On the Create Authentication OAuth IDP Profile screen, set values for the following parameters and click Create.

    • Name – Name of the authentication profile.
    • Client ID – Unique string that identifies SP.
    • Client Secret – Unique secret that identifies SP.
    • Redirect URL – Endpoint on SP to which code/token has to be posted.
    • Issuer Name – String that identifies IdP.
    • Audience – Target recipient for the token being sent by IdP. This might be checked by the recipient.
    • Skew Time – The time for which the token remains valid.
    • Default Authentication Group – A group added to the session for this profile to simplify policy evaluation and help in customizing policies.
  3. Click Policies and click Add.

  4. On the Create Authentication OAuth IDP Policy screen, set values for the following parameters and click Create.

    • Name The name of the authentication policy.
    • Action – Name of profile created earlier.
    • Log Action –Name of message log action to use when a request matches this policy. Not a mandatory filed.
    • Undefined-Result Action – Action to perform if the result of policy evaluation is undenfined(UNDEF). Not a mandatory field.
    • Expression – Default syntax expression that the policy uses to respond to specific request. For example, true.
    • Comments – Any comments about the policy.

Binding the OAuthIdP policy and LDAP policy to the authentication virtual server

  1. Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Actions > LDAP.

  2. On LDAP Actions screen, click Add.

  3. On Create Authentication LDAP Server screen, set the values for the following parameters, and click Create.

    • Name – The name of the LDAP action
    • ServerName/ServerIP – Provide FQDN or IP of the LDAP server
    • Choose appropriate values for Security Type, Port, Server Type, Time-Out
    • Make sure Authentication is checked
    • Base DN – Base from which to start LDAP search. For example, dc=aaa,dc=local.
    • Administrator Bind DN: User name of the bind to LDAP server. For example, admin@aaa.local.
    • Administrator Password/Confirm Password: Password to bind LDAP
    • Click Test Connection to test your settings.
    • Server Logon Name Attribute: Choose “sAMAccountName”
    • Other fields are not mandatory and hence can be configured as required.
  4. Navigate to Configuration > Security > AAA-Application Traffic > Policies >Authentication > Advanced Policies > Policy.

  5. On Authentication Policies screen, click Add.

  6. On Create Authentication Policy page, set the values for the following parameters, and click Create.

    • Name – Name of the LDAP Authentication Policy.
    • Action Type – Choose LDAP.
    • Action – Choose the LDAP action.
    • Expression – Default syntax expression that the policy uses to respond to specific request. For example, true**.

To configure the Citrix ADC appliance as an IdP using the OpenID Connect protocol by using CLI

At the command prompt, type the following commands:

  • add authentication OAuthIDPProfile <name> [-clientID <string>][-clientSecret ][-redirectURL <URL>][-issuer <string>][-audience <string>][-skewTime <mins>] [-defaultAuthenticationGroup <string>]
  • add authentication OAuthIdPPolicy <name> -rule <expression> [-action <string> [-undefAction <string>] [-comment <string>][-logAction <string>]

  • add authentication ldapAction aaa-ldap-act -serverIP 10.0.0.10 -ldapBase "dc=aaa,dc=local"

  • ldapBindDn <administrator@aaa.local> -ldapBindDnPassword <password> -ldapLoginName sAMAccountName

  • add authentication policy aaa-ldap-adv-pol -rule true -action aaa-ldap-act

  • bind authentication vserver auth_vs -policy <ldap_policy_name> -priority 100 -gotoPriorityExpression NEXT

  • bind authentication vserver auth_vs -policy <OAuthIDPPolicyName> -priority 5 -gotoPriorityExpression END

  • bind vpn global –certkey <>

Note

You can bind more than one key. Public parts of certificates bound are sent in response to jwks\_uri query (https://gw/oauth/idp/certs).

OAuth authentication