14. Click Save and return to the Post Authentication page.
SAML Assertion / WS-Federation
15. Set the WSFed/SAML Issuer to a Unique Name that is shared with NetScaler.
The WSFed/SAML Issuer value must match exactly on the NetScaler side and on the SecureAuth IdP side.
16. Provide the SP Start URL to enable SSO and to redirect users appropriately to access Citrix NetScaler AGEE.
This would be the Citrix NetScaler VPN domain URL.
17. Set the SAML Offset Minutes to make up for time differences between devices.
18. Set the SAML Valid Hours to limit how long the SAML assertion is valid.
19. Select the certificate to be used to sign the SAML assertion, which is the same certificate that will be uploaded to the NetScaler SAML Authentication Server.
20. Export this certificate and store it either on a local PC or on the NetScaler appliance.
SAML Attributes / WS Federation
21. Add a SAML Attribute with the Name Password.
22. Leave Namespace (1.1) empty.
23. Keep Format as Basic.
24. Select Aux ID 10 as the Value.
NOTE: Be sure Aux ID 10 is not already being used on this realm.
25. Click Save.
NetScaler Configuration Steps
Create SAML Server
1. On the NetScaler admin console, select NetScaler Gateway under Configuration, and expand Policies.
2. Select SAML under Authentication, and select the Servers tab.
3. Click Add.
Authentication SAML Server
4. Provide a Name for the SAML Authentication Server.
5. Click + in the IDP Certificate Name section to install the certificate from the SecureAuth IdP Web Admin (steps 13 - 14).
6. (In new window) Provide a Certificate-Key Pair Name.
7. (In new window) Select the certificate from the SecureAuth IdP Web Admin (in Base64 format) for the Certificate File Name.
8. (In new window) Click Install.
The Certificate now appears in the previous window under IDP Certificate Name.
9. Set the Redirect URL to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the NetScaler-integrated realm (configured above) – for example https://secureauth.company.com/secureauth2/secureauth.aspx
10. Set the User Field to NameID.
11. Set the Issuer Name to the same Unique Name set in the SecureAuth IdP Web Admin (step 9).
12. Select RSA-SHA256 as the Signature Algorithm and SHA256 as the Digest Method.
13. Click OK.
Create SAML Authentication Policy
13. Provide a Name for the Authentication SAML Policy.
14. Select the newly created SAML Authentication Server (steps 1 - 12) from the Server dropdown.
15. Set the Expression to ns_true
16. Click Create.
Create Traffic Profile
The Traffic Profile extracts the username and password from the SAML response and is used for SSO to backend servers, such as XenApp or StoreFront.
This profile is assigned to the configured NetScaler VIP and must match the screenshot; however, creating the SSO expressions for username and password requires CLI commands, which are listed in the following steps.
17. For now, create a new Traffic Profile that does not include these expressions.
Create Traffic Policy
18. Provide a Name for the new Traffic Policy.
19. Select the newly created Traffic Profile (step 17) from the Request Profile dropdown.
20. Set the Expression to ns_true
Creating the SSO Expressions needed for the Traffic Profile is currently unavailable via the GUI, so CLI is required to create them.
SecureAuth recommends seeking help from either a Citrix Admin or Citrix Technical Support for issues executing the commands.
21. Execute the following command: set vpn trafficAction test_profile -userExpression http.req.user.name -passwdExpression http.req.user.passwd
22. Once this command is executed successfully, the SSO expressions are set in the Traffic Profile (step 17).
23. Assign this newly created Traffic Policy to the NetScaler VIP.
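As an added example that is not SecureAuth's or Citrix's code, the following Python emulates both sides of the settings above: the IdP-side SAML Offset Minutes and SAML Valid Hours (steps 17 - 18) that define the assertion's validity window, and the SP-side checks NetScaler depends on (exact Issuer match, validity window, NameID as the User Field, and the Password attribute the Traffic Profile consumes). All names, timestamps and values are constructed; signature verification against the exported IdP certificate is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def build_conditions(issue_instant, offset_minutes, valid_hours):
    """IdP side: NotBefore is pulled back by SAML Offset Minutes (clock skew), NotOnOrAfter = issue + SAML Valid Hours."""
    issued = parse_time(issue_instant)
    not_before = issued - timedelta(minutes=offset_minutes)
    not_on_or_after = issued + timedelta(hours=valid_hours)
    return not_before.strftime(TIME_FMT), not_on_or_after.strftime(TIME_FMT)


def build_assertion(issuer, name_id, password, issue_instant, offset_minutes, valid_hours):
    """Constructed assertion in the shape the checks below expect (no Signature element)."""
    nb, noa = build_conditions(issue_instant, offset_minutes, valid_hours)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" Version="2.0" ID="_example"'
        f' IssueInstant="{issue_instant}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>'
        '<saml:AttributeStatement><saml:Attribute Name="Password">'
        f"<saml:AttributeValue>{password}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


def validate_assertion(xml_text, expected_issuer, now):
    """SP side: returns (ok, reason, user, password); signature check is a separate step."""
    root = ET.fromstring(xml_text)
    # Issuer Name on NetScaler must equal the WSFed/SAML Issuer on the IdP exactly.
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        return False, "issuer mismatch", None, None
    cond = root.find("saml:Conditions", SAML_NS)
    nb, noa = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if not nb <= parse_time(now) < noa:
        return False, "outside validity window", None, None
    # User Field = NameID; the Traffic Profile reads the Password attribute for SSO.
    user = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=SAML_NS)
             for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    if not user or "Password" not in attrs:
        return False, "missing NameID or Password attribute", None, None
    return True, "ok", user, attrs["Password"]
```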