Part 3 of this blog series walks you through setting up your NetScaler Gateway authentication policies to hand authentication off to ADFS, setting up the NetScaler as an ADFS Proxy, and binding that proxy to your externally facing Content Switch.
SAML Authentication Policies
You will need to create a SAML Authentication Policy to bind to your NetScaler Gateway in order to hand off authentication to your ADFS Service.
Head to Security – AAA – Application Traffic – Policies – Authentication – Basic Policies – SAML
Select the Servers tab and click to Add your new SAML Server
Set up your SAML Server as shown below
- IdP Certificate Name and Signing Certificate Name: the IdP certificate is the ADFS token-signing certificate the NetScaler uses to validate the assertions it receives; the signing certificate is the one the NetScaler signs its own SAML requests with. These are set here because we replaced the Token Signing and Token Decrypting certificates when setting up ADFS in Part 1 of this series.
- Redirect URL and Logout URL: both use the EXTERNAL FQDN of my ADFS service with /adfs/ls/ appended (https://sts.bretty.me.uk/adfs/ls/).
- Issuer Name: this value must match the identifier of a Relying Party Trust in ADFS. If it does not, ADFS will not accept the SAML request and authentication will fail.
ADFS Signing Certificates
Click the MORE option before closing the SAML Server and check that the Signature Algorithm is RSA-SHA256 and the Digest Method is SHA-256. These must match the Secure hash algorithm set on the Relying Party Trust in ADFS (SHA-256 by default); if the NetScaler signs its requests with SHA-1 while ADFS expects SHA-256, ADFS rejects the request and the logon fails.
Once the SAML Server is defined, create your SAML Policy with the expression ns_true and select the SAML Server you just created.
Finally, open the non-addressable NetScaler Gateway VPN vServer that sits behind your Unified Gateway Content Switch, unbind the LDAPS Authentication Policy bound there, and bind the SAML Policy you have just created.
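The same SAML server, policy and binding from the NetScaler CLI, as an added example that is not part of the original post. The object names (SAML_ADFS, POL_SAML_ADFS, POL_LDAPS, VPN_UG_GATEWAY), the certificate names (ADFS_TokenSigning, NSGW_Signing) and the Gateway issuer URL are assumptions; the ADFS FQDN and the /adfs/ls/ endpoint are the ones used above.

```nscli
# Added example, not from the original post. Names and URLs are assumptions: adjust to your environment.
# Certificates assumed to be installed already on the NetScaler:
#   ADFS_TokenSigning  - ADFS token-signing certificate (public key) used to validate assertions from ADFS
#   NSGW_Signing       - certificate/key pair the NetScaler signs its AuthnRequests with

# SAML server (samlAction): redirect and logout both go to the external ADFS endpoint /adfs/ls/
# The issuer name must equal the Relying Party Trust identifier in ADFS.
# Signature algorithm and digest must match the relying party trust's secure hash algorithm (SHA-256).
add authentication samlAction SAML_ADFS -samlIdPCertName ADFS_TokenSigning -samlSigningCertName NSGW_Signing -samlRedirectUrl "https://sts.bretty.me.uk/adfs/ls/" -logoutURL "https://sts.bretty.me.uk/adfs/ls/" -samlIssuerName "https://ug.bretty.me.uk" -samlRejectUnsignedAssertion ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# Classic SAML policy: ns_true matches every request, so every logon is handed to ADFS
add authentication samlPolicy POL_SAML_ADFS -rule ns_true -reqAction SAML_ADFS

# Replace LDAPS with SAML on the non-addressable Gateway vServer behind the Unified Gateway content switch
unbind vpn vserver VPN_UG_GATEWAY -policy POL_LDAPS
bind vpn vserver VPN_UG_GATEWAY -policy POL_SAML_ADFS -priority 100

# Checks: confirm the action settings and that only the SAML policy is bound for authentication
show authentication samlAction SAML_ADFS
show vpn vserver VPN_UG_GATEWAY
save ns config
```

Unbinding LDAPS before binding SAML matters: if both stay bound, the Gateway evaluates them in priority order and you can end up with an unexpected logon page instead of the ADFS redirect. The `show` commands are the quickest way to confirm the SHA-256 settings and the binding without clicking through the GUI.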
So we now want the NetScaler to act as a proxy for all inbound ADFS traffic. Once again the Citrix Community came through on this: my friend Eric from XenApp Blog had already written a great post on configuring the NetScaler as an ADFS Proxy, including a monitor that works!
Once you have followed Eric’s post you should end up with a working ADFS vServer on your NetScaler
This vServer should have 2 Rewrite policies bound to it as per the post
You should also have a Content Switching policy that sends all inbound traffic for your external ADFS URL (sts.bretty.me.uk), or any request with /adfs in the URL path, to your internal ADFS vServer.
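The Content Switching rule described above in NetScaler CLI form, as an added example that is not from the original post or from Eric's post. CS_UG_EXTERNAL (the externally facing content switch) and LB_ADFS (the ADFS proxy load balancing vServer built per Eric's post, with its two rewrite policies bound) are assumed names; the external ADFS FQDN is the one used above.

```nscli
# Added example, not from the original post. Vserver and policy names are assumptions.
# Match on the external ADFS host name, or on any request whose path starts with /adfs,
# and send it to the ADFS proxy LB vServer rather than the Unified Gateway.
add cs policy CSPOL_ADFS -rule "HTTP.REQ.HOSTNAME.EQ(\"sts.bretty.me.uk\") || HTTP.REQ.URL.PATH.STARTSWITH(\"/adfs\")"

# Lower priority number = evaluated earlier, so this runs before the Unified Gateway's own rule
bind cs vserver CS_UG_EXTERNAL -policyName CSPOL_ADFS -targetLBVserver LB_ADFS -priority 90

# Checks: the policy hit counter should increase when you browse to https://sts.bretty.me.uk/adfs/ls/
show cs policy CSPOL_ADFS
show cs vserver CS_UG_EXTERNAL
save ns config
```

Watch the hit counter on the policy while you test: if it stays at zero, the request is falling through to the Unified Gateway rule, usually because of a host name mismatch or a higher-priority policy on the content switch catching it first.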
At this point you have the following in place:
- Internal ADFS Service
- Relying Party to handle the handover from NetScaler Gateway
- ADFS Proxy Configured and working
- External FQDN for ADFS
- Internal FQDN for ADFS
- NetScaler Gateway SAML Policy Bound to Gateway
- Citrix FAS Implemented and working
Testing External Access
You can now reach your ADFS service using its external URL (in my case https://sts.bretty.me.uk).
If you go to the external FQDN of your Unified Gateway (in my case ug.bretty.me.uk) it will redirect you to your ADFS Proxy. Sign in there with your UPN and ADFS will pass you back to the Unified Gateway as an authenticated user.
From here you can access your Apps and Desktops and Launch assigned resources
If you want to check that Citrix FAS is working as expected, open the Certificate Authority console and look at the issued certificates: each successful FAS logon results in a user certificate issued to the account that signed in.
Testing Internal Access
Ensure that you have an internal DNS zone that points your NetScaler Unified Gateway FQDN at the internal IP address of your Content Switch.
Once that is in place you should be able to go to the FQDN of your NetScaler Unified Gateway internally. This will in turn hand you off to ADFS internally, authenticate you, pass you back to the Unified Gateway and display your apps and desktops.
When connecting internally, your ADFS service will more than likely prompt you with this:
Just authenticate here with your domain credentials.
We will sort this out later in the series when dealing with context aware authentication
ADFS will then hand you back to your unified gateway and you can get access to all your apps and desktops
That’s it for now – you can log into your NetScaler Unified Gateway using ADFS and SAML. Next we will look at integrating Microsoft Azure MFA into the mix then configuring Context Aware MFA