NetScaler as SAML IdP - SP without referral information

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts

I've successfully implemented NetScaler as SAML IdP for a customer environment for one SaaS service, but now I'm facing the next challenge: the SAML IdP action needs to be different for each SaaS service (naturally...), and the mechanism to apply different SAML IdP actions is to use a SAML IdP policy expression for targeting.

 

In the examples I found, the policy expression relies on the Referer information sent in the HTTP header. However, in the SaaS services this information is not sent in the HTTP header. I know the SP side information is included with the SAML data, but I have no clue how to dig that out for the policy engine to allow targeting the SAML IdP actions properly.

 

So is there a way around this, or is it just easier to reserve another name and IP for another AAA vServer and configure the other SaaS service to use that one as IdP? This should be doable with the two SaaS services we're implementing, but if the number grows it would certainly be nice to consolidate everything onto one IP.

 

I was thinking of setting up a Content Switching vServer in front of the service, creating per-SaaS-service URLs and then applying the IdP policy based on the requested URL. I'm not sure if this is possible. Here's a diagram of how far I got with the idea, but I'm suspicious whether the redirect is an option (... the responder policy is handled earlier, so the rewrite wouldn't hit? So rewrite on the CS and responder on the target LB or something...?)

[image: IdP for multiple customers.png]
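The SP-side information asked about above lives in the SAMLRequest parameter itself, not in any HTTP header. The following is an added example (my own code, not from this thread and not NetScaler configuration) that decodes an SP-initiated AuthnRequest as sent with the HTTP-Redirect binding (base64 over raw DEFLATE; the HTTP-POST binding is base64 only), reads the saml:Issuer, maps it to a per-SP IdP profile, and refuses a request whose AssertionConsumerServiceURL differs from the one registered for that SP. The profile names, SP entityIDs and ACS URLs are constructed, and build_query fabricates the request an SP would send.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Added example, not NetScaler code. Profile names, SP entityIDs and ACS URLs
# below are constructed for illustration.

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# One IdP profile per SP, keyed by the SP's entityID (the value of its Issuer).
SP_PROFILES = {
    "https://saml-sp.repro.lab/cgi/samlauth": {
        "profile": "SAML_IDP_app1",
        "acs": "https://test.repro.lab/cgi/samlauth",
    },
    "https://app2.example/metadata": {
        "profile": "SAML_IDP_app2",
        "acs": "https://app2.example/saml/acs",
    },
}


def decode_saml_request(value: str, binding: str) -> bytes:
    """Undo the SAMLRequest encoding for a binding.

    HTTP-Redirect: base64 of a raw DEFLATE stream (no zlib header).
    HTTP-POST: base64 only.
    """
    raw = base64.b64decode(value)
    if binding == "redirect":
        return zlib.decompress(raw, -15)  # wbits=-15 selects raw DEFLATE
    if binding == "post":
        return raw
    raise ValueError("unknown binding %r" % binding)


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Pull Issuer, ID and the optional ACS URL out of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return {
        "issuer": issuer.text.strip(),
        "id": root.get("ID"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def select_profile(query_string: str) -> str:
    """Pick the IdP profile for a Redirect-binding SP-initiated request."""
    params = parse_qs(query_string)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in query string")
    req = parse_authn_request(decode_saml_request(params["SAMLRequest"][0], "redirect"))
    entry = SP_PROFILES.get(req["issuer"])
    if entry is None:
        raise ValueError("unknown SP issuer %r" % req["issuer"])
    # Only ever post the assertion to the ACS registered for this SP. Honouring
    # an ACS URL chosen by the request would let a forged AuthnRequest steer the
    # signed assertion to an attacker-controlled endpoint.
    if req["acs"] is not None and req["acs"] != entry["acs"]:
        raise ValueError("ACS URL %r does not match the registration for %s"
                         % (req["acs"], req["issuer"]))
    return entry["profile"]


def build_query(issuer: str, acs: str, relay_state: str = "app") -> str:
    """Encode a constructed AuthnRequest the way an SP would for the Redirect binding."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
        'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], acs, issuer)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no header
    raw = comp.compress(xml.encode()) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii"),
                      "RelayState": relay_state})


if __name__ == "__main__":
    q = build_query("https://saml-sp.repro.lab/cgi/samlauth",
                    "https://test.repro.lab/cgi/samlauth")
    print(select_profile(q))  # SAML_IDP_app1
```

Whether the NetScaler policy engine can do this inflate-and-parse step inline is not something this thread settles; what the example shows is which field has to be extracted (the Issuer) and which one must never be trusted from the request alone (the ACS URL).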

22 answers to this question

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts

Thank you. I wasn't aware of such an article. However, that article doesn't discuss using different FQDNs? ... the issue for me is that if we need multiple FQDNs, we need to use SNI for binding multiple certs or request a SAN certificate.

siddharthas | Scholar | 428 | Citrix Employees | 300 posts

I assume that means you want to point your SPs at different IdP FQDNs but in the end have them all resolve to and land on the same AAA vServer? If yes, either of the following will work:

 

1. You can use a wildcard cert, e.g. *.auth.com, and point your SPs to different names such as aaa1.auth.com, aaa2.auth.com; this would be a simple and straightforward deployment.

2. If a wildcard is not feasible, you can surely go for a SAN cert that includes all the FQDNs. While binding this cert to the AAA vServer, just select the "Server Certificate for SNI" option.
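The wildcard-versus-SAN choice above hinges on which names a certificate actually covers. As an added example (my own code, not from this thread or from NetScaler), the following applies the RFC 6125 name-matching rules that TLS clients use: a wildcard stands for exactly one left-most label, so *.auth.com covers aaa1.auth.com but neither auth.com itself nor sp.aaa1.auth.com, and a name like *.com is not accepted. The certificate names and IdP FQDNs are constructed.

```python
# Added example, not NetScaler code. Name matching follows RFC 6125 as browsers
# and TLS stacks apply it; the certificate names and IdP FQDNs are constructed.


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate dNSName (possibly a wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    # Only the whole left-most label may be a wildcard, and it must be followed
    # by at least two labels (*.com style names are rejected).
    if labels[0] != "*" or len(labels) < 3 or any("*" in lbl for lbl in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # The wildcard stands for exactly one non-empty label: *.auth.com matches
    # aaa1.auth.com but neither auth.com nor sp.aaa1.auth.com.
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def covered_by(cert_names, hostname):
    """The name on the certificate that covers hostname, or None."""
    for cert_name in cert_names:
        if name_matches(cert_name, hostname):
            return cert_name
    return None


def uncovered_names(cert_names, idp_fqdns):
    """IdP FQDNs that none of the certificate's names covers.

    An empty list means one certificate (wildcard or SAN) can be bound for all
    of them; anything listed needs a SAN entry or a separate SNI certificate.
    """
    return [fqdn for fqdn in idp_fqdns if covered_by(cert_names, fqdn) is None]


if __name__ == "__main__":
    planned = ["aaa1.auth.com", "aaa2.auth.com", "idp.corp.com"]
    print(uncovered_names(["*.auth.com"], planned))  # ['idp.corp.com']
```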

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts

Yeah... well, the bottom line is that that's the easiest way to achieve this without allocating more IP addresses. Thank you for answering.

 

If the referral information were always sent, that would help tremendously in targeting the SAML IdP profiles, but as this is not the case, having multiple FQDNs is the next best thing :)

Vamsi Krishna Kanduri | Scholar | 338 | Citrix Employees | 303 posts

Hi Kari,

 

We can configure it as follows:

CS VIP --> CS policy (xyz.company.com) --> LB vServer (form-based, IdP profile) --> dummy LB service (to bring the vServer UP)

An easy way is to try it with a traffic policy as well, like we configure for IdP-initiated:

1. LB/CS vServer. Have a dummy backend server to bring the service UP.
   a. For example, all URLs could be https://lb.company.com/samlsso/app1, https://xyz.company.com/samlsso/app1 and so on.
   b. Then configure a tm traffic policy such that if the URL contains lb.company.com it goes to traffic policy 1, and xyz.company.com to traffic policy 2.
   c. Inside the SAML profile, change the relaystateRule to the target URL (SP).

add tm samlSSOProfile SAML_IDP_Initiated -samlSigningCertName Wildcard_new_repro.cer -assertionConsumerServiceURL "https://test.repro.lab/cgi/samlauth" -relaystateRule "\"https://test.repro.lab\"" -sendPassword ON -samlIssuerName saml-sp.repro.lab -audience "https://saml-sp.repro.lab/cgi/samlauth" -samlSPCertName Wildcard_new_repro.cer -skewTime 50

add tm trafficAction SAML_IDP_Initiated_Action -samlSSOProfile SAML_IDP_Initiated

add tm trafficPolicy SAML_IDP_Initiated "HTTP.REQ.HOSTNAME.EQ(\"xyz.company.com\")" SAML_IDP_Initiated_Action

 

Thanks,

Vamsi

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts

Hi Vamsi,

 

So in my case I should have only one hostname, "idp.corp.com", and two URLs, "/samlsso/app1" and "/samlsso/app2". On the Content Switch I would send /app1 to LB1 and /app2 to LB2?

 

After this I get a bit confused...? Should the traffic policy be bound on the LB or the CS vServer? If I bind it at the LB level, I think we could use a "catch-all" expression?

 

Do you happen to have a configuration example? It would certainly help.

 

I also need to retrofit this into the existing environment, so probably I need to put the additional SPs on that app-specific URL and direct the remaining traffic from the CS vServer to the "default AAA vServer"?

Vamsi Krishna Kanduri | Scholar | 338 | Citrix Employees | 303 posts

Hi Kari,

 

Do you need an SP-initiated or an IdP-initiated config?

If this is SP-initiated, then you need to configure form-based authentication at the LB VIP in order to redirect to the AAA VIP for "/samlsso/app1".

If this is IdP-initiated, then a traffic policy with /samlsso/app1 along with the SAML IdP profile will do it.

 

Thanks,

Vamsi

 

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts
22 hours ago, Vamsi Krishna Kanduri said:

    Do you need an SP-initiated or an IdP-initiated config?

    If this is SP-initiated, then you need to configure form-based authentication at the LB VIP in order to redirect to the AAA VIP for "/samlsso/app1".

    If this is IdP-initiated, then a traffic policy with /samlsso/app1 along with the SAML IdP profile will do it.

It's an SP-initiated config.

 

Do you happen to have an example config somewhere at hand? Does this mean that we need to implement a form-based AAA vServer? I'm using this in the internal network, so I'm actually using Negotiate on the AAA vServer (nFactor for extracting the LDAP attributes for the assertion). This is one of the customer requirements ("seamless SSO to the SaaS application"). I've done the internal configuration pretty much the same way as in this article.

Vamsi Krishna Kanduri | Scholar | 338 | Citrix Employees | 303 posts

Hi Kari,

 

The article is right. At what point is it failing now?

Did you add the site to the Local intranet zone?

 

[image: image.thumb.png]

 

Execute the commands below to verify that Kerberos is configured correctly.

The goal is to get an empty response (no error) after executing each of them.

 

/netscaler/nskrb kinit --password=Citrix1 Administrator@repro.lab

 

/netscaler/nskrb kgetcred -c /tmp/krb5cc_0 --out-cache=/tmp/imper_cache --impersonate=abc@repro.lab Administrator@repro.lab

 

/netscaler/nskrb kgetcred --delegation-credential=/tmp/imper_cache --out-cache=/tmp/service_cache http/SF.repro.lab@repro.lab

 

Administrator@repro.lab is the service account.

abc@repro.lab is the user account.

SF.repro.lab is the service being delegated to.

 

Thanks,

Vamsi

Kari Ruissalo | Enthusiast | 73 | Members | 299 posts

Hi,

 

I have a ticket open for the Kerberos stuff, but I appreciate the diagnostic commands.

 

My issue with Kerberos is that the Active Directory domain is "ad.corporate.com" and the userPrincipalNames are "first.last@corporate.com", so the DNS query for the SRV record "_kerberos._tcp.corporate.com" doesn't return anything (the customer actually has the public DNS zone "corporate.com" as an AD-integrated zone, so I'm thinking of adding those SRV records manually...). I don't know if adding DNS suffixes to the NetScaler configuration would help with this one; it doesn't seem likely though... but that being said, I'll continue that investigation under the ticket.

 

Did you have a configuration example for the SAML IdP with multiple SPs? I can check if I could apply that to my setup.

 

-K
