Product Documentation

SAML Authentication

May 24, 2018

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.

Why SAML?

Consider a scenario in which a service provider (LargeProvider) hosts a number of applications for a customer (BigCompany). BigCompany has users that must seamlessly access these applications. In a traditional setup, LargeProvider would need to maintain a database of users of BigCompany. This raises some concerns for each of the following stakeholders:

  • LargeProvider must ensure security of user data.
  • BigCompany must validate the users and keep the user data up-to-date, not just in its own database, but also in the user database maintained by LargeProvider. For example, a user removed from the BigCompany database must also be removed from the LargeProvider database.
  • A user has to log on individually to each of the hosted applications.

The SAML authentication mechanism provides an alternative approach. The following deployment diagram shows how SAML works.

localized image

The concerns raised by traditional authentication mechanisms are resolved as follows:

  • LargeProvider does not have to maintain a database for BigCompany users. Freed from identity management, LargeProvider can concentrate on providing better services.
  • BigCompany does not bear the burden of making sure the LargeProvider user database is kept in sync with its own user database.
  • A user can log on once, to one application hosted on LargeProvider, and be automatically logged on to the other applications that are hosted there.

The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP). Read through the relevant topics to understand the configurations that must be performed on the NetScaler appliance.

A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. The audience restriction condition evaluates to “Valid” only if the SAML replying party is a member of at least one of the specified audiences.

You can configure a NetScaler appliance to parse attributes in SAML assertions as group attributes. Parsing them as group attributes enables the appliance to bind policies to the groups.

Note: A NetScaler MPX FIPS appliance used as a SAML service provider now supports encrypted assertions. Also, a NetScaler MPX FIPS appliance functioning as a SAML service provider or a SAML identity provider can now be configured to use the SHA2 algorithms on FIPS hardware.

Configuring FIPS offload support using the command line interface:

    1.  Add SSL FIPS key

        add ssl fipsKey fips-key

    2. Create a CSR and use it at CA server to generate a certificate. You can then copy the certificate in /nsconfig/ssl. Let’s assume that the file is fips3cert.cer.

       add ssl certKey fips-cert -cert fips3cert.cer -fipsKey fips-key

    3.  Specify this certificate in the SAML action for SAML SP module

        set samlAction <name> -samlSigningCertName fips-cert

    4.  Use the certificate in samlIdpProfile for SAML IDP module

        set samlidpprofile fipstest –samlIdpCertName fips-cert

The following table lists some articles that are specific to deployments where the NetScaler appliance is used as a SAML SP or a SAML IdP.

SAML SP SAML IdP Information Link

NetScaler

Citrix AppController Z3

NetScaler

CloudGateway

NetScaler

Microsoft AD FS 2.0

NetScaler

Shibboleth

NetScaler

Shibboleth (With SAML single logout configuration)

Siteminder

NetScaler

ShareFile

NetScaler

WebView credential type support for authentication mechanisms

The authentication of a NetScaler appliance can now support AUTHv3 protocol. The WebView credential type in AUTHv3 protocol support all type of authentication mechanisms (including SAML and OAuth). The WebView credential type is a part of AUTHv3, which is implemented by Citrix Receiver and browser in web applications. 

The following example explains the flow of WebView events through NetScaler Gateway and Citrix Receiver:

  1. The Citrix Receiver negotiates to NetScaler Gateway for AUTHv3 protocol support.
  2. NetScaler appliance responds positively and suggests a specific start URL.
  3. Citrix Receiver then connects to the specific endpoint (URL).
  4. The NetScaler Gateway sends a response to the client to start the WebView.
  5. Citrix Receiver starts WebView and sends initial request to NetScaler appliance.
  6. NetScaler appliance redirects URI to browser login endpoint.
  7. Once authentication is complete, NetScaler appliance sends completion response to WebView.
  8. The WebView now exits and gives control back to Citrix Receiver to continue AUTHv3 protocol for session establishment.