Preface

This document describes the configurations required for SAML2.0 integration between the Octopus Authenticator and Citrix NetScaler.


Environment

The integration environment that was used in this document is based on the following software versions:

Octopus Authentication Server – Version 2.7 SP1

Citrix NetScaler Gateway – Version 12.0


Prerequisites

The communication between the 3rd party Identity Provider and the Service Provider in the SAML protocol is signed with a certificate. Since the certificate should be unique to the organization, the certificate has to be downloaded from the service that will be created in the Octopus Authentication Server.


Note: When the authentication for Citrix NetScaler is forwarded to Citrix XenApp/XenDesktop, the Citrix StoreFront must be set to “Pass-through from NetScaler Gateway” and the Citrix Federated Authentication Service (FAS) must be installed.


Create a SAML Service in Octopus Authentication Server


A service for Citrix NetScaler Gateway has to be created in Octopus Authentication Server. The service data will be later used in the Citrix NetScaler Gateway configuration.

Perform the following steps to add Citrix NetScaler Gateway as a Service Provider in Octopus Authentication Server:

Log in to the Octopus Authenticator management console.

Select Services from the left pane.

In the right pane, select the ADD SERVICE tab.

Click Generic SAML template.


In the GENERAL INFO tab, complete the following fields:


Service name: Enter a display name to identify the Service Provider (e.g., NetScaler)

Issuer: Enter the issuer of the service (e.g., NetScaler)

Description: Enter a description for the service.

Enabled: Toggle as enabled.

Display icon: Click on the icon and upload an icon for the service that will be displayed on the login page.



In the right pane, select the SIGN ON tab.

The message for the mobile device can be customized in the Customize message field.

Under X.509 certificate, click DOWNLOAD to download the certificate.

Click SAVE SETTINGS.


Configure Citrix NetScaler Gateway


In this integration Citrix NetScaler acts as the Service Provider and Octopus Authentication Server acts as the 3rd party Identity Provider (IdP). On the NetScaler side this means registering Octopus Authentication Server as an Identity Provider in Citrix NetScaler.

To Add Octopus Authentication Server as an Identity Provider in Citrix NetScaler:

Update Octopus Authentication SAML certificate in Citrix NetScaler

Configure 3rd party SAML Authentication Server

Create SAML Authentication Policy

Assign SAML Policy to NetScaler Virtual Server

Update Octopus Authentication SAML certificate in Citrix NetScaler

Log in to the Citrix NetScaler administrator console.

Select the Configuration tab and perform the following steps:

In the left pane, select Traffic Management > SSL > Certificates > CA Certificates.

In the right pane, under CA Certificates, click Install.

On the Install CA Certificate window, perform the following steps:

In the Certificate-Key Pair Name field, enter a name for the certificate.

Under Certificate File Name, select local from the Choose File dropdown list.

Search and open the certificate that was previously downloaded from the Octopus Authentication Server.

Click Install.

Configure 3rd party SAML Authentication Server

On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:

In the left pane, select NetScaler Gateway > Policies > Authentication > SAML.

In the right pane, select the Servers tab.

Click Add.


On the Create Authentication SAML Server window, complete the following fields:


Name: Enter a name for the server (e.g., Octopus IDP)

IDP Certificate Name: Select the IDP certificate that was previously installed.

Redirect URL: Enter the identity provider login URL (the SAML2.0 Endpoint (HTTP) value shown under the SIGN ON tab of the previously created service in the Octopus Authentication Server management console).

Issuer Name: Enter the NetScaler virtual server URL (e.g., https://netscaler.octopusdemos.com)


Click Create.

Create SAML Authentication Policy

On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:

In the left pane, select NetScaler Gateway > Policies > Authentication > SAML.


In the right pane, under SAML, select the Policies tab.

Click Add.

On the Create Authentication SAML Policy window, complete the following fields:


Name: Enter a name for the Authentication Policy (e.g., Octopus SAML)

Server: Select the SAML server that was previously created.

Expression: Enter the required logical expression (e.g., ns_true)


Click Create.

Click OK on the warning that is displayed.

Assign SAML Policy to NetScaler Virtual Server

On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:

In the left pane, select NetScaler Gateway > Virtual Servers.

In the right pane, under NetScaler Gateway Virtual Servers, click on the virtual server to be assigned to the SAML policy.

On the VPN Virtual Server window, under Basic Authentication, click +.

On the Choose Type window, complete the following fields:


Choose Policy: Select SAML

Choose Type: Select Primary


Click Continue.

Under the Select Policy field select the authentication policy that was previously created.

Click Select.

Click Bind.

Click Done.

To save the running configuration, on the Citrix NetScaler administrator console, click the save icon in the top right corner.


Set Citrix NetScaler in Octopus Authentication Server


Octopus Authentication Server needs to be configured with Citrix NetScaler as a SAML service so it can receive SAML authentication requests from Citrix NetScaler.

To add Citrix NetScaler as a Service Provider in Octopus Authentication Server:

Edit Citrix NetScaler Gateway Service in Octopus Authentication Server

Assign Users to Citrix NetScaler Gateway Service

Edit Citrix NetScaler Gateway Service in Octopus Authentication Server

Perform the following steps to add Citrix NetScaler as a Service Provider in Octopus Authentication Server:

Open the Octopus Authentication management console.

Select Services from the left pane.

Click on the more options icon of the service that was previously created and select Edit service.


In the right pane, select the PARAMETERS tab.

Complete the following fields:


Login: Login method for Octopus Authentication Server

Name ID: Citrix NetScaler login parameter

Method: POST

ACS URL: https://<NetScaler Virtual Server FQDN>/cgi/samlauth

Audience: Enter the issuer value


Click SAVE SETTINGS.
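The NetScaler SAML server (Issuer Name, Redirect URL, IdP certificate) and the Octopus service PARAMETERS tab (ACS URL, Audience, Method) describe the same pairing from two sides, and most failed logins in this setup come from the two sides disagreeing. The following POSIX shell script is an added example, not part of this guide and not code from Double Octopus or Citrix: it derives both sides from one set of placeholder values, checks the fields that must agree, and prints the NetScaler 12.0 CLI equivalent of the GUI steps in the "Configure Citrix NetScaler Gateway" section. It assumes, as is standard in SAML, that the Audience the IdP puts in the assertion must equal the NetScaler Issuer Name; the host names, object names and certificate path are constructed placeholders, and the CLI parameter names are the NetScaler equivalents of the GUI fields as known to the author of this example, not taken from this guide.

```shell
#!/bin/sh
# Added example, not part of the Double Octopus / Citrix guide above.
# Derives both sides of the SAML pairing from one set of values, checks the
# fields the two consoles must agree on, and prints the NetScaler 12.0 CLI
# equivalent of the GUI steps. Every host name, object name and file path is a
# constructed placeholder. The CLI parameters are the NetScaler equivalents of
# the GUI fields as the author of this example knows them; confirm them against
# the NetScaler 12.0 command reference before applying.

NS_VSERVER_NAME="vpn_vs_octopus"           # NetScaler Gateway virtual server (object name)
NS_VSERVER_FQDN="netscaler.example.com"    # FQDN users reach that virtual server on
IDP_CERT_NAME="octopus_idp_cert"           # Certificate-Key Pair Name given at install time
IDP_CERT_FILE="/nsconfig/ssl/octopus_idp.cer"  # certificate downloaded from Octopus, uploaded to the appliance
IDP_REDIRECT_URL="https://octopus.example.com/saml2/endpoint"  # Octopus "SAML2.0 Endpoint (HTTP)"
SAML_SERVER_NAME="Octopus_IDP"             # NetScaler SAML server (samlAction) name
SAML_POLICY_NAME="Octopus_SAML"            # NetScaler SAML policy name

# NetScaler's "Issuer Name" and the Octopus "Audience" carry the same string
# (the SP entity ID); the Octopus "ACS URL" is fixed by NetScaler's handler path.
issuer_name() { printf 'https://%s\n' "$NS_VSERVER_FQDN"; }
acs_url()     { printf 'https://%s/cgi/samlauth\n' "$NS_VSERVER_FQDN"; }

# check_saml_pairing <ns_issuer_name> <octopus_audience> <octopus_acs_url> <ns_redirect_url>
# Fails on the mismatches that most often break this pairing: an Audience that
# differs from the Issuer Name, an ACS URL off the /cgi/samlauth path or on a
# different host than the Issuer Name, and a plain-http IdP endpoint.
check_saml_pairing() {
  ns_issuer=$1; oct_audience=$2; oct_acs=$3; ns_redirect=$4
  [ "$ns_issuer" = "$oct_audience" ] || {
    printf 'Audience "%s" does not equal NetScaler Issuer Name "%s"\n' "$oct_audience" "$ns_issuer" >&2
    return 1
  }
  case "$oct_acs" in
    https://*/cgi/samlauth) ;;
    *) printf 'ACS URL "%s" is not https://<FQDN>/cgi/samlauth\n' "$oct_acs" >&2; return 1 ;;
  esac
  acs_host=${oct_acs#https://}; acs_host=${acs_host%%/*}
  [ "$ns_issuer" = "https://$acs_host" ] || {
    printf 'ACS host "%s" is not the host named by Issuer Name "%s"\n' "$acs_host" "$ns_issuer" >&2
    return 1
  }
  case "$ns_redirect" in
    https://*) ;;
    *) printf 'Redirect URL "%s" must use https\n' "$ns_redirect" >&2; return 1 ;;
  esac
  return 0
}

# CLI equivalent of the four NetScaler subsections, in the order the guide gives them:
# install the IdP certificate, create the SAML server, create the policy, bind it, save.
# -samlRejectUnsignedAssertion ON is the default; it is stated explicitly so the
# signature check that the IdP certificate exists for is visible in the config.
ns_cli_commands() {
  cat <<EOF
add ssl certKey $IDP_CERT_NAME -cert $IDP_CERT_FILE
add authentication samlAction $SAML_SERVER_NAME -samlIdPCertName $IDP_CERT_NAME -samlRedirectUrl "$IDP_REDIRECT_URL" -samlIssuerName "$(issuer_name)" -samlRejectUnsignedAssertion ON
add authentication samlPolicy $SAML_POLICY_NAME -rule ns_true -reqAction $SAML_SERVER_NAME
bind vpn vserver $NS_VSERVER_NAME -policy $SAML_POLICY_NAME -priority 100
save ns config
EOF
}

# Values to enter in the PARAMETERS tab of the Octopus service for the same pairing.
octopus_parameters() {
  printf 'Method: POST\nACS URL: %s\nAudience: %s\n' "$(acs_url)" "$(issuer_name)"
}

# Usage: sh saml_pairing.sh show
if [ "${1:-}" = "show" ]; then
  check_saml_pairing "$(issuer_name)" "$(issuer_name)" "$(acs_url)" "$IDP_REDIRECT_URL" || exit 1
  ns_cli_commands
  octopus_parameters
fi
```

Run it with `show` to print the commands and the Octopus values; the certificate file must already have been uploaded to the appliance (the GUI's "Choose File: local" does this for you) before `add ssl certKey` will find it. `check_saml_pairing` can also be called with the values actually typed into both consoles to confirm an existing pairing before troubleshooting elsewhere.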

Assign Users to Citrix NetScaler Gateway Service

After configuring the service, users should be assigned to the service to use it for authentication.

Select Services from the left pane.


Click on the more options icon on the service that was previously created and select Edit service.

In the right pane, select the USERS tab.

Select and enable users either from “Local Users” or “LDAP Users” lists.
The selection can be either of:

A group of users, by clicking on the dot next to one of the folders

An individual user, by clicking on the dot next to that user

Click SAVE SETTINGS.


Running the Solution


Load the Citrix NetScaler Gateway login page. The page will be redirected to the Double Octopus Authentication page.

Enter the username and click Login.

A notification will appear on the Octopus Mobile App asking for authentication approval. A challenge number will appear on the web page. Verify the challenge number and approve the authentication accordingly.

After successful authentication, the user will be logged on to Citrix NetScaler Gateway. When Citrix StoreFront is configured, the user will be redirected to the Citrix StoreFront page.