integrating pingfederate with citrix netscaler pingfederate with citrix netscaler unified gateway as...

Click here to load reader

Post on 01-Apr-2018

222 views

Category:

Documents

4 download

Embed Size (px)

TRANSCRIPT

  • 1Citrix.com

    Solution Guide

    Solution Guide

    Integrating PingFederate with Citrix NetScaler Unified Gateway as SAML IDP

    This guide focuses on defining the process for deploying PingFederate as an SP, with NetScaler Unified Gateway acting as the SAML IdP.

  • 2Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    Citrix NetScaler Unified Gateway provides users with secure remote access to businessapplications deployed in the data center or a cloud across a range of devices including laptops,desktops, thin clients, tablets and smart phones. It provides a consolidated infrastructure,simplifies IT and reduces TCO of the data center infrastructure.

    NetScaler Unified Gateways SAML integration capabilities allow it to act as a SAML IDP (Identity Provider), enabling Oracle Fusion Middleware users to log on to their enterprise Oracle applications through NetScaler, removing the need to log on with PingFederate and avoiding having to configure an additional authentication source.

    Introduction

    This solution allows the integration of PingFederate with NetScaler Unified Gateway. This guide focuses on enabling PingFederate single sign on with Citrix NetScaler UG acting as a SAML IDP, allowing PingFederate bound applications to authenticate users with NetScaler UG credentials.

    The PingFederate server is a full-featured federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.

    Configuration

    Successful integration of a NetScaler appliance with PingFederate requires an appliance running NetScaler soft-ware release 11.1 or later, with an Enterprise or Platinum license.

    NetScaler features to be enabled

    The following feature must be enabled to use single sign-on with PingFederate: SSLVPNThe SSLVPN feature is required for the use of Unified Gateway. It adds support for thecreation of SSL-based VPN virtual servers for secure enterprise application access.

  • 3Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    Solution Description

    Enabling SSO for PingFederate with NetScaler has two parts: configuring the PingFederate portal and config-uring the NetScaler appliance. PingFederate should be configured to use NetScaler as a third party SAML IDP (Identity Provider). The NetScaler is configured as a SAML IDP by creating the UG Virtual Server that will host the SAML IDP policy, along with the authentication (LDAP in our example) policy used to authenticate users for issuing the SAML token.

    The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to a NetScaler-monitored IP address, and that an SSL certificate has already been created and installed on the appliance for the SSL/HTTPS communication. This document also as-sumes that user accounts and the required user directories have been created and configured on PingFederate.

    Before proceeding, you will require the certificate that PingFederate will use to verify the SAML assertion from NetScaler. To get the verification certificate from the NetScaler appliance, follow these steps:

    Log on to your NetScaler appliance, and then select the Configuration tab.. Select Traffic Management > SSL On the right, under Tools, select Manage Certificates / Keys/ CSRs

    From the Manage Certificates window, browse to the certificate you will be using for your UG Virtual Server. Select the certificate and choose the Download button. Save the certificate to a location of your choice.

  • 4Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    Part 1: Configure PingFederate

    To configure PingFederate, you should first create an adapter through which PingFederate will speak to NetScaler, then configure the same in an external IdP configuration. To complete this configuration, log on to your PingFederate account with administrator credentials, and then do the following:

    1. On the main configuration page, click the SP Configuration button to the left of the screen. Here, select thelink to create a new IdP connection on the right side of the page.

    2. On the new connection page, enter Browser SSO Profiles (Protocol SAML 2.0) as the Connection Type.

    3. In the next section for Connection Options, choose Browser SSO.4. Do not select anything in the Metadata URL section, as the information required will be entered manually.5. In the General Info section, enter an appropriate Entity ID (this will be specified in the NS appliance) and the.

    base URL for the NetScaler UG vservers SAML login page. (which will be hosting the SAML IDP policy) This will be of the form https:///saml/login.

  • 5Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    6. Leave the other settings at their default values in the General Info section. In the Browser SSO section,select the option to create a new SAML profile. Configure the same as shown below -

  • 6Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    7. Enter the following for Protocol Settings, and then view and confirm the summary.

  • 7Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    8. In the Credentials section, click on Configure Credentials. Configure credentials with the settings described below; the certificate to be used is the certificate that is bound to the UG vserver on NetScaler.

  • 8Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    8. Save the credentials, then select them and move on to Activation and Summary.

    9. Confirm the settings are correct on the summary page.

  • 9Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    Validation

    The configuration can be tested using the Quick Start App, which is available at https://docs.pingidentity.com/bundle/pa_sm_OverviewandQuickstart_pa41/page/pa_t_Download_and_Install_QS.html

    https://docs.pingidentity.com/bundle/pa_sm_OverviewandQuickstart_pa41/page/pa_t_Download_and_Install_QS.htmlhttps://docs.pingidentity.com/bundle/pa_sm_OverviewandQuickstart_pa41/page/pa_t_Download_and_Install_QS.html

  • 10Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    Part 2: Configure the NetScaler Appliance

    The following configuration is required on the NetScaler appliance for it to be supported as a SAML identity provider for PingFederate: LDAP authentication policy and server for domain authentication SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (Wild-

    card certificates are supported.) SAML IDP policy and profile UG virtual server

    This guide covers the configuration described above. The SSL certificate and DNS configurations should be in place prior to setup.

    Configuring LDAP domain authentication

    For domain users to be able to log on to the NetScaler appliance by using their corporate email addresses, you must configure an LDAP authentication server and policy on the appliance and bind it to your UG VIP address. (Use of an existing LDAP configuration is also supported)

    1. In the NetScaler configuration utility, in the navigation pane, select NetScaler Gateway > Policies > Authentication > LDAP.

    2. To create a new LDAP policy: On the Policies tab click Add, and then enter GTM_LDAP_SSO_Policy as thename. In the Server field, click the + icon to add a new server. The Authentication LDAP Server windowappears. In the Name field, enter PingFederate_LDAP_SSO_Server. Select the bullet for Server IP. Enter the IP address of one of your Active Directory domain control-

    lers. (You can also point to a virtual server IP for the purpose of redundancy if you are load balancingdomain controllers)

    Specify the port that the NetScaler will use to communicate with the domain controller. Use 389 forLDAP or 636 for Secure LDAP (LDAPS).

    3. Under Connection Settings, enter the base domain name for the domain in which the user accounts residewithin the Active Directory (AD) for which you want to allow authentication. The example below usescn=Users,dc=ctxns,dc=net.

    4. In the Administrator Bind DN field, add a domain account (using an email address for ease of configuration)that has rights to browse the AD tree. A service account is advisable, so that there will be no issues withlogins if the account that is configured has a password expiration.

    5. Check the box for Bind DN Password and enter the password twice.

  • 11Citrix.com | Solution Guide | Integrating PingFederate with Citrix NetScaler as SAML IDP

    Solution GuideIntegrating PingFederate with Citrix NetScaler as SAML IDP

    6. Under Other Settings: Enter samaccountname as the Server Logon Name Attribute.7. In the SSO Name Attribute field, enter UserP