This article explains how to integrate Citrix NetScaler with the idenprotect Authentication Portal via SAML. If you do not currently have a Gateway Virtual Server configured, please consult this link first: https://docs.citrix.com/en-us/citrix-gateway/12-1.html
Configuring Citrix NetScaler
Procedures
Navigate to your NetScaler admin console and click on Configuration -> Authentication -> Dashboard. You will see a screen similar to the one below:
On the Authentication Servers screen, click the "Add" button and select "SAML" from the Choose Server Type dropdown box. You will be presented with an Authentication Server Configuration page:
In the new window shown above, enter the Name for the Authentication SAML Server, uncheck the "Import Metadata" checkbox and add the details manually. The table below explains the configuration in depth:
|Field|Description|
|---|---|
|Name|The name of the Authentication SAML Server. It lets you find this authentication server later and assign the SAML policy to it.|
|Import Metadata|Allows the Citrix NetScaler to import the idenprotect Authentication Portal metadata (which includes the certificate and the SingleSignOn and SingleLogOut URLs).|
|SAML IDP Metadata URL|URL of the idenprotect Authentication Portal metadata, such as https://<idenprotect_Authentication_Portal_Server>/idp/metadata|
|Issuer Name|The issuer name is shared between the idenprotect Authentication Portal and the Citrix NetScaler SP (the two values have to be the same). In this example we use "citrix.idenprotect.com" as the domain.|
|Signature Algorithm|The Signature Algorithm should be set to RSA-SHA1 (supported by the idenprotect Authentication Portal).|
|Digest Method|The Digest Method should be set to SHA1 (supported by the idenprotect Authentication Portal).|
After configuring the Authentication SAML Server, click the "Create" button at the bottom of the screen.
Some versions of Citrix NetScaler have an issue that throws an error like "Arguments cannot both be specified [samlIdPCertName, metadataUrl]".
If this error occurs, one way around it is to use the NetScaler CLI to create a basic entry for the SAML authentication server; it can then be edited in the GUI later.
To do this, first upload the certificate to the NetScaler, then log on to the NetScaler command line and run a command like:
add authentication samlaction idenprotect -samlIDPCertName idp -samlredirectUrl https://fqdn
Here idp is the name given to the certificate that was uploaded, and https://fqdn is the URL of the idenprotect Authentication Portal.
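Before running the samlaction command it is worth confirming that the certificate you uploaded as "idp" really is the signing certificate the idenprotect Authentication Portal publishes in its metadata (the same document the "Import Metadata" option would fetch). The following Python is an added example, not part of this article or of either product; the metadata sample, the idp.example.com host and the certificate body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of the document that the "Import Metadata" option fetches from
# https://<idenprotect_Authentication_Portal_Server>/idp/metadata; the certificate
# body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def parse_idp_metadata(xml_text):
    """Entity ID, IdP signing certificate (DER bytes) and redirect-binding SSO/SLO URLs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    b64 = idp.find(CERT_PATH, NS).text
    def location(tag):  # first endpoint that uses the HTTP-Redirect binding, else None
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
    return {"entity_id": root.get("entityID"),
            "cert_der": base64.b64decode("".join(b64.split())),
            "sso_url": location("md:SingleSignOnService"),
            "slo_url": location("md:SingleLogoutService")}

def fingerprint(cert_der):
    """SHA-256 fingerprint in the colon-separated form OpenSSL prints."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_uploaded_cert(meta, uploaded_cert_der):
    """Problems to fix before 'add authentication samlaction': the certificate uploaded
    to NetScaler must be the IdP signing certificate and the endpoints must be HTTPS."""
    problems = []
    if fingerprint(meta["cert_der"]) != fingerprint(uploaded_cert_der):
        problems.append("uploaded certificate does not match the IdP signing certificate")
    for key in ("sso_url", "slo_url"):
        if not (meta[key] or "").startswith("https://"):
            problems.append(f"{key} missing or not HTTPS")
    return problems
```

Against a live portal, replace SAMPLE_METADATA with the fetched metadata and pass the DER bytes of the certificate you uploaded (the output of openssl x509 -outform DER) as uploaded_cert_der.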
Navigate to Configuration -> Citrix Gateway -> Virtual Servers:
Click on the Citrix Gateway Virtual Server that you wish to integrate with the idenprotect Authentication Portal SAML Single Sign-On. You will see a configuration page for the Virtual Server:
Click the "+" button next to Basic Authentication; this allows you to set up the SAML Authentication Server. You will see a Policy screen:
Select SAML from the "Choose Policy" dropdown box and Primary (Authentication Type) from the "Choose Type" dropdown, then click the "Continue" button. You will be shown a new screen that allows you to create a new SAML Policy:
Here you will see all of the existing SAML Policies. To create a new Policy, click the "Add Binding" button, which lets you set up the policy:
On this screen, name the policy (for example "SAML_iDENprotect_Policy") and select a SAML Authentication Server from the "Server" dropdown (select the server by the name that was given at the start of this article). After selecting the Server, type "ns_true" into the Expression text box and click the "Create" button:
Leave the "Priority" at the default of 100 and press Bind. This screen will disappear and you will be taken back to the Virtual Server configuration page, where you will see the newly created SAML Policy listed under Basic Authentication. Now scroll down and click the "Done" button.
This completes the Citrix NetScaler configuration. You can now proceed to the next step to configure the idenprotect Authentication Portal.
Configuring idenprotect Authentication Portal
Navigate to your idenprotect Core Platform admin console and click on Config -> Authentication Portal -> Authentication Portal Service Providers.
After clicking on Authentication Portal Service Providers you will see a Service Provider Configuration page:
In the configuration form, enter the details for your Citrix NetScaler Gateway Virtual Server. The table below explains the configuration in depth:
|Field|Description|
|---|---|
|Name|The name of the Service Provider, which is visible to the user and in the push notification (for test purposes "Citrix Netscaler" is entered).|
|Type|Select SAML from the Type dropdown box for SAML authentication.|
|Entity ID|Enter the Entity ID (the same value that was entered as the Issuer Name on the Citrix NetScaler SAML Authentication Server). For test purposes we used "citrix.idenprotect.com".|
|ACS|The ACS is the URL of your Citrix NetScaler Gateway Virtual Server.|
|SSO URL|The Single Sign-On URL is the URL of your Citrix NetScaler Gateway Virtual Server.|
|Country WhiteList|Type in the country codes that are whitelisted to authenticate to the Citrix NetScaler (leave blank if any location is permitted).|
|Country BlackList|Type in the country codes that are blacklisted from authenticating to the Citrix NetScaler (leave blank if any location is permitted).|
|Upload New Logo|Click the "Choose file" button and select the logo for the Citrix NetScaler Gateway Virtual Server (this is visible to the user when they access the NetScaler from the idenprotect Authentication Portal Home Page).|
After adding the Service Provider configuration information, click the "Save Service Provider" button at the bottom of the screen. You will then be guided to the SAML Attributes configuration screen, shown below:
Leave this form blank and click the "Save SAML Attributes" button. This shows a "Save SAML Attributes" popup; click the "Yes" button and the idenprotect Authentication Portal setup is complete.
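The two configuration screens above only work together when the values line up: the Entity ID on the idenprotect side must equal the Issuer Name on the NetScaler side, the ACS and SSO URL must point at the Gateway Virtual Server, and the country lists must be valid and non-contradictory. The following Python linter is an added example, not code from this article or from either product; the gateway.example.com URL and the country codes are assumed values.

```python
import re

ISO_CODE = re.compile(r"^[A-Z]{2}$")  # two-letter country codes as used in the portal lists

# Constructed values for the two screens described above. The gateway URL and
# country codes are assumptions, not values from the article.
NETSCALER_SAML_SERVER = {"issuer_name": "citrix.idenprotect.com",
                         "gateway_url": "https://gateway.example.com",
                         "signature_algorithm": "RSA-SHA1", "digest_method": "SHA1"}
IDENPROTECT_SERVICE_PROVIDER = {"name": "Citrix Netscaler", "type": "SAML",
                                "entity_id": "citrix.idenprotect.com",
                                "acs": "https://gateway.example.com",
                                "sso_url": "https://gateway.example.com/",
                                "country_whitelist": "gb, IE", "country_blacklist": ""}

def parse_countries(text):
    """Comma-separated country codes as an upper-cased set (blank means 'any location')."""
    return {c.strip().upper() for c in text.split(",") if c.strip()}

def lint_pairing(ns, sp):
    """Return (errors, warnings) for a NetScaler SAML server / idenprotect Service
    Provider pair. Errors break the SAML exchange; warnings are worth a review."""
    errors, warnings = [], []
    if sp["type"] != "SAML":
        errors.append("Service Provider type must be SAML")
    if sp["entity_id"] != ns["issuer_name"]:
        errors.append("Entity ID must equal the Issuer Name configured on NetScaler")
    for key in ("acs", "sso_url"):  # both must point at the Gateway Virtual Server
        if sp[key].rstrip("/") != ns["gateway_url"].rstrip("/"):
            errors.append(f"{key} does not point at the Gateway Virtual Server")
    allow = parse_countries(sp["country_whitelist"])
    deny = parse_countries(sp["country_blacklist"])
    bad = sorted(c for c in allow | deny if not ISO_CODE.match(c))
    if bad:
        errors.append(f"invalid country codes: {bad}")
    if allow & deny:
        errors.append(f"countries both whitelisted and blacklisted: {sorted(allow & deny)}")
    if ns["signature_algorithm"].endswith("SHA1") or ns["digest_method"] == "SHA1":
        warnings.append("SHA-1 signatures/digests are deprecated; keep only while the IdP requires them")
    return errors, warnings
```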
There are two ways to authenticate to the newly set up Citrix NetScaler Gateway Virtual Server: through the idenprotect Authentication Portal Home Page, or by going directly to the Virtual Server.
Direct Authentication
In your browser of choice, navigate to your Virtual Server and you will be redirected to the idenprotect Authentication Portal. The screen will look similar to the one below:
On this screen, enter your e-mail address (registered and enrolled with the idenprotect Core Platform) and click the "Authenticate" button. You will then be shown a page with a QR Code and an "Authenticate By Push Notification" button:
Take your enrolled mobile device and open the idenprotect For Mobile application. You should see a screen like the one below, which allows you to scan a QR Code:
Scan the QR Code and you will be authenticated and redirected to the Citrix NetScaler Virtual Server.
Alternatively, click the "Authenticate By Push Notification" button and you will receive a push notification on your device that looks similar to the screenshot below:
Authentication via the Authentication Portal Home Page
In your browser of choice, navigate to the idenprotect Authentication Portal server and authenticate in the same way as in "Direct Authentication". After authenticating to the idenprotect Authentication Portal you will be shown a Home Page that lists all of the Service Providers. Click on the Citrix NetScaler Service Provider and you will be authenticated to your Citrix NetScaler Gateway Virtual Server.
The Citrix NetScaler admin console lets you check the logs, which include the SAML authentication logs. Navigate to Configuration -> Authentication -> Logs.
On the right side of the Logs page, select the latest log file, ns.log, and you will be able to see the log entries for each user. As in the example above, you can see that authentication via the SAML Server was successful.