Product Documentation

OAuth Authentication

Aug 31, 2016

The NetScaler AAA-TM feature now supports OAuth and OpenID-Connect mechanisms for authenticating and authorizing users to applications that are hosted on applications such as Google, Facebook, and Twitter.


OAuth on NetScaler is currently qualified only for Google applications.

A major advantage is that user information is not sent to the hosted applications and therefore the risk of identity theft is considerably reduced.

In the NetScaler implementation, the application to be accessed is represented by the AAA-TM virtual server. So, to configure OAuth, you must configure an OAuth policy which which must then be associated with a AAA-TM virtual server.

To configure OAuth by using the command line interface

  1. Define an OAuth action.
    add authentication OAuthAction <name> -authorizationEndpoint <URL> -tokenEndpoint <URL> [-idtokenDecryptEndpoint <URL>] -clientID <string> -clientSecret <string> [-defaultAuthenticationGroup <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] ...

  2. Associate the action with an advanced authentication policy.
    > add authentication Policy <name> -rule <expression> -action <string>


  • Refer to the man page for information on the parameters.
  • Attributes (1 to 16) can be extracted in the OAuth response. Currently, these attributes are not evalauted. They are added for future reference.

To configure OAuth by using the graphical user interface

  1. Configure the OAuth action and policy.
    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with OAuth as the action type, and associate the required OAuth action with the policy.

  2. Associate the OAuth policy with an authentication virtual server.
    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the OAuth policy with the authentication virtual server.