
NetScaler Gateway 11 SAML + Group Extraction

Started by Brad Flint , 23 November 2015 - 09:48 PM
4 replies to this topic

Brad Flint (Members, 14 posts)
Posted 23 November 2015 - 09:48 PM

Hello,

 

I am trying to configure the authentication and authorization for a new NetScaler Gateway instance.  I want to use our existing SAML Identity Provider for authentication, so I set up the gateway as a SAML Service Provider.  I configured my SAML server and policy, and bound the policy to the NetScaler Gateway virtual server as the primary authentication policy.  I then created an LDAP server (with authentication disabled) and policy, and bound the policy to the NetScaler Gateway virtual server as a Group Extraction.

 

I was thinking that the SAML policy would be processed, my user account would be authenticated, and then my user account could be used by the gateway to perform the group lookup via LDAP.  Instead, the SAML policy is processed and the Group Extraction policy is not.  I was hoping to use the Group Extraction results for authorization in conjunction with AAA groups.  So far, no results from my open case with Citrix support.  I'm hoping some of the bright folks here have achieved this or can help me figure it out.

 

Authentication = SAML

Authorization = LDAP groups

 

Another acceptable option would be if there were a way to extract groups from the SAML response and use those for authorization.  I haven't been able to figure out how to do either of these.

 

Thank you!



Jenna Egly (Members, 24 posts)
Posted 02 February 2016 - 10:26 PM

Bind the LDAP policy as the secondary authentication.

(Best Answer)

Admin Siege (Members, 2 posts)
Posted 03 February 2016 - 08:26 AM

Hello,

 

I am trying to use authentication with SAML + multi-domain group extraction.

I'm binding a SAML policy for my primary authentication and two LDAP policies without authentication for my secondary.

It works fine with the first domain (lower priority), but users in the secondary domain can't log in.

 

Best regards,



Robert Berggren (Members, 17 posts)
Posted 10 April 2017 - 08:09 AM

[quoting Brad Flint's original post of 23 November 2015, reproduced above]

Hi,

 

Did you get this to work? I am in the same situation as you and need to authenticate with another IdP.

 

/Robert



Brad Flint (Members, 14 posts)
Posted 10 April 2017 - 12:14 PM

Yes, it works by binding the LDAP policy as Secondary, under the basic policy model (which is what NetScaler Gateway would use unless you configure it to use an auth policy).  If you use advanced authentication using an AAA vserver, you can set up SAML as first factor and group extraction as next factor as well.
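The two configurations described in the thread, written out as NetScaler CLI as an added example (this is not configuration posted by any participant, and the names, addresses, certificate names and the `gw_vsrv`, `aaa_vsrv` and `example.com` values are assumptions; exact parameter names vary between 11.x builds, so check `add authentication samlAction ?` on your own release):

```nscli
# --- Classic policy model (the accepted answer): SAML primary, LDAP group extraction secondary ---

# SAML SP action: the IdP's signing certificate is pinned and unsigned assertions are rejected,
# so the username that drives the LDAP lookup can only come from an assertion the IdP signed.
add authentication samlAction saml_idp_act -samlIdPCertName idp_signing_cert -samlSigningCertName gw_sp_cert -samlRedirectUrl "https://idp.example.com/sso" -samlIssuerName "https://gw.example.com" -samlUserField "NameID" -samlRejectUnsignedAssertion ON
add authentication samlPolicy saml_idp_pol ns_true saml_idp_act

# LDAP action with authentication DISABLED: no bind as the user, only a search by ldapLoginName
# and extraction of memberOf. The value in the SAML NameID must match the ldapLoginName attribute
# (sAMAccountName here); if the IdP sends a UPN, use -ldapLoginName userPrincipalName instead.
# svc-ns-ro is assumed to be a read-only service account.
add authentication ldapAction ldap_groups_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc-ns-ro@example.com" -ldapBindDnPassword "********" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
add authentication ldapPolicy ldap_groups_pol ns_true ldap_groups_act

# Primary = SAML, Secondary = LDAP group extraction (the -secondary flag is the fix from the thread).
bind vpn vserver gw_vsrv -policy saml_idp_pol -priority 100
bind vpn vserver gw_vsrv -policy ldap_groups_pol -priority 100 -secondary

# Authorization via AAA groups: the group name must equal the cn extracted from memberOf.
add aaa group "GW-Admins"
bind aaa group "GW-Admins" -policy admin_authz_pol -priority 100

# --- Advanced (nFactor) variant Brad mentions: SAML first factor, group extraction next factor ---
add authentication vserver aaa_vsrv SSL
add authentication Policy saml_adv_pol -rule true -action saml_idp_act
add authentication Policy ldap_adv_pol -rule true -action ldap_groups_act
add authentication policylabel ldap_groups_lbl
bind authentication policylabel ldap_groups_lbl -policyName ldap_adv_pol -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vsrv -policy saml_adv_pol -priority 100 -nextFactor ldap_groups_lbl -gotoPriorityExpression NEXT
# Point the Gateway vserver at the AAA vserver through an authentication profile.
add authentication authnProfile gw_authprof -authnVsName aaa_vsrv
set vpn vserver gw_vsrv -authnProfile gw_authprof
```

After logging in, `show aaa session` lists the extracted groups for the session, which is the quickest check that the secondary policy actually ran; if the groups are empty, the usual cause is a mismatch between the SAML user field and `-ldapLoginName`, not the binding itself.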