Citrix.com

Solution Guide

Integrating PingFederate with Citrix NetScaler as SAML SP

This guide focuses on defining the process for deploying PingFederate as an IdP, with NetScaler acting as the SAML SP.

Citrix NetScaler is a world-class product with the proven ability to load balance, accelerate, optimize, and secure enterprise applications.

NetScaler’s SAML integration capabilities allow current PingFederate users to enable authentication for applications deployed on NetScaler through PingFederate, thus avoiding having to configure an additional authentication source.

Introduction

This solution allows the integration of PingFederate with NetScaler, enabling the use of PingFederate as an authentication source for applications deployed on NetScaler. The PingFederate® server is an identity federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.

In this deployment, we will configure a content switching virtual server on NetScaler to enable multiple domain access with different FQDNs on a single IP address.

Configuration

Successful integration of a NetScaler appliance with PingFederate requires an appliance running NetScaler software release 11.1 or later, with an Enterprise or Platinum license.

NetScaler features to be enabled

The following feature must be enabled to use single sign-on with PingFederate:

Authentication, authorization and auditing (AAA)

The AAA feature controls NetScaler authentication, authorization, and auditing policies. These policies include definition and management of various authentication schemas. NetScaler supports a wide range of authentication protocols.

Solution Description

Enabling SSO for PingFederate with NetScaler has two parts: configuring the PingFederate portal and configuring the NetScaler appliance. PingFederate should be configured to use NetScaler as a third party SAML SP (Service Provider). The NetScaler appliance is configured as a SAML SP by creating the AAA Virtual Server that will host the SAML SP policy.

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to a NetScaler-monitored IP address, and that an SSL certificate has already been created and installed on the appliance for the SSL/HTTPS communication. This document also assumes that user accounts and the required user directories have been created and configured on PingFederate.

Before proceeding, you will require the certificate that the NetScaler appliance and PingFederate will use to verify the SAML request and response. To get the verification certificate from the NetScaler appliance, follow these steps:

• Log on to your NetScaler appliance, and then select the Configuration tab.
• Select Traffic Management > SSL.
• On the right, under Tools, select Manage Certificates / Keys / CSRs.

From the Manage Certificates window, browse to the certificate you will be using for your AAA Virtual Server. Select the certificate and choose the Download button. Save the certificate to a location of your choice.

Part 1: Configure PingFederate

To configure PingFederate, log on to your PingFederate account with administrator credentials, and then do the following:

1. On the PingFederate Administration page, click the IdP Configuration option to the left of the screen.

2. For Connection Type, enable Browser SSO Profiles with the Protocol set to SAML 2.0.

3. On the Connection Options page, enable Browser SSO.

4. Leave the Metadata URL page as is, as the configuration settings will be entered manually.

5. In the General Info section, enter an appropriate entity ID and Connection name. These will be transmitted during the SAML transaction for verification. (Here, we use NS2 for our sample setup.)

6. In the Browser SSO section, enable both IDP-Initiated and SP-Initiated SSO Profile Flows.

7. Leave the Assertion Lifetime setting at the default value (5). In the Assertion Creation section that follows, set Identity Mapping to Standard and leave the Attribute Contract values at the default for SAML_SUBJECT. (These should be changed depending on the application that is deployed; the specific SAML assertion requirements for different applications vary.)

8. To enable the authentication source mapping, we will need to create an adapter instance. PingFederate uses the adapters to communicate with various external authentication sources. In this example, we are using an LDAP authentication source, for which we will configure an HTML Form IDP Adapter.

9. Select the newly created adapter in the IdP Adapter Mapping section of the SP Connection Configuration.

10. Select Use Only the Adapter Contract Values in the SAML assertion. Leave the settings in the other sections at their default values. The Summary page for the configuration is shown below.

11. Now, select the credentials that will be used to sign the assertion.

12. Finally, the following configuration summary is displayed.

Validation

The configuration can be tested using the Quick Start App, which is available at https://docs.pingidentity.com/bundle/pa_sm_OverviewandQuickstart_pa41/page/pa_t_Download_and_Install_QS.html

Part 2: Configure the NetScaler Appliance

The following configuration is required on the NetScaler appliance for it to be supported as a SAML service provider for PingFederate:

• SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)
• AAA virtual server
• SAML policy and profile

This guide covers the configuration described above. The SSL certificate and DNS configurations should be in place prior to setup.

To Configure your AAA Virtual Server

An employee trying to log in to NetScaler is redirected to PingFederate for credential validation. The redirection and subsequent assertion processing is handled by an AAA virtual server. The virtual server listens on port 443, which requires an SSL certificate. External and/or internal DNS resolution of the virtual server's IP address (which is on the NetScaler appliance) is also required. The following steps require a preexisting virtual server to be in place. In addition, they assume that DNS name resolution is already in place, and that the SSL certificate is already installed on your NetScaler appliance.

1. On the NetScaler Configuration tab, navigate to Security > AAA – Application Traffic > Virtual Servers and click the Add button.
2. In the Authentication Virtual Server window, enter the virtual server's name and IP address.
3. Scroll down and make sure that the Authentication and State check boxes are selected.
4. Click Continue.
5. In the Certificates section, select No Server Certificate.
6. In the Server Cert Key window, click Bind.
7. Under SSL Certificates, choose your AAA SSL Certificate and select Insert. (Note: this is the certificate that you provided as the signing certificate in the Service Provider setup in PingFederate.)
8. Click Save, and then click Continue.

Configuring the SAML policy

Click the plus (+) icon next to Authentication. Then, on the Choose Type screen, select SAML and Primary.

On the next screen, enter a name for the policy. Then, click the plus (+) icon (or, if a SAML server has already been added, the pencil icon) next to the server name. Enter ns_true as the expression, because this policy is to be used for all authentication.

The next screen requires you to provide the configuration settings. Here, for IDP Certificate Name, you must provide the certificate used by PingFederate to sign assertions sent to NetScaler.

The Redirect URL is http://<FQDN of the PingFederate server>:<port hosting PingFederate server>/idp/startSSO.ping?PartnerSpId=<ID of the SP Connection as defined in PingFederate configuration>. (The example redirect URL in the test environment is https://pingfed.ctxnssfb.com:9031/idp/startSSO.ping?PartnerSpId=NS2.)

The Signing Certificate field is left blank here because, in our sample configuration, signing of assertions has not been enabled; if it is enabled, the signing certificate used should be added here. The Issuer Name should be set to the same name configured in PingFederate. For the basic configuration used as an example in this article, Reject Unsigned Assertion is set to OFF. The IDP Certificate is the certificate that was added earlier to the NetScaler appliance during the PingFederate configuration.

This completes configuration for SAML.
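To make concrete what the Issuer Name, IDP Certificate and Reject Unsigned Assertion settings above decide when an assertion arrives at the SP, here is a small Python model of those acceptance checks, added for this guide and not taken from NetScaler or PingFederate code. The issuer entity ID, the NameID and the timestamps in the embedded assertion are constructed placeholders, and cryptographic verification of the signature against the IDP certificate is left to NetScaler; the model only enforces the policy around it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):
    # SAML timestamps are UTC ("Z"); PingFederate emits whole seconds.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, issuer_name, reject_unsigned, now, skew_sec=60):
    """Return (accepted, reason-or-NameID) for one SAML 2.0 assertion.
    issuer_name     -> NetScaler 'Issuer Name' (the IdP entity ID set in PingFederate)
    reject_unsigned -> NetScaler 'Reject Unsigned Assertion' (the guide uses OFF)
    The signature bytes are NOT verified here; NetScaler does that against the
    'IDP Certificate Name' cert. This model only enforces the policy around it.
    """
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer != issuer_name:
        return False, "issuer mismatch: " + issuer
    if reject_unsigned and a.find("ds:Signature", NS) is None:
        return False, "unsigned assertion rejected"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity window"
    skew = timedelta(seconds=skew_sec)  # tolerated clock drift between IdP and SP
    if now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    user = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    return (True, user) if user else (False, "no SAML_SUBJECT (NameID)")

# Constructed sample assertion, not captured from a real PingFederate server. The
# 10-minute window is what a 5-minute Assertion Lifetime before/after issuance yields.
ISSUER = "urn:example:pingfederate-idp"  # placeholder entity ID
SAMPLE_UNSIGNED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2016-06-01T12:00:00Z">
  <saml:Issuer>urn:example:pingfederate-idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-06-01T11:55:00Z" NotOnOrAfter="2016-06-01T12:05:00Z"/>
</saml:Assertion>"""
# Same assertion with a Signature element present (value elided; structure only).
SAMPLE_SIGNED = SAMPLE_UNSIGNED.replace("</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>ELIDED</ds:SignatureValue></ds:Signature>")
NOW = datetime(2016, 6, 1, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_assertion(SAMPLE_UNSIGNED, ISSUER, reject_unsigned=True, now=NOW))
```

With Reject Unsigned Assertion OFF, as in the sample configuration, the unsigned assertion is accepted on issuer and time-window checks alone; switching it ON makes the same assertion fail until it carries a signature.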

Conclusion

NetScaler provides a secure and seamless experience with PingFederate by enabling single sign-on with PingFederate account credentials, avoiding the need for users to remember multiple passwords and user IDs, while reducing the administrative overhead involved in maintaining these deployments.

Copyright © 2016 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner/s.
