Preface
This document describes the configurations required for SAML2.0 integration between the Octopus Authenticator and Citrix NetScaler.
Environment
The integration environment that was used in this document is based on the following software versions:
Octopus Authentication Server – Version 2.7 SP1
Citrix NetScaler Gateway – Version 12.0
Prerequisites
The communication between the 3rd party Identity Provider and the Service Provider in the SAML protocol is signed with a certificate. Since the certificate should be unique to the organization, the certificate has to be downloaded from the service that will be created in the Octopus Authentication Server.
Note: When the authentication for Citrix NetScaler is forwarded to Citrix XenApp/XenDesktop, the Citrix StoreFront must be set to “Pass-through from NetScaler Gateway” and the Citrix Federated Authentication Service (FAS) must be installed.
Create a SAML Service in Octopus Authentication Server
A service for Citrix NetScaler Gateway has to be created in Octopus Authentication Server. The service data will be later used in the Citrix NetScaler Gateway configuration.
Perform the following steps to add Citrix NetScaler Gateway as a Service Provider in Octopus Authentication Server:
Log in to Octopus Authenticator management console.
Select Services from the left pane.
In the right pane, select the ADD SERVICE tab.
Click Generic SAML template.
In the GENERAL INFO tab, complete the following fields:
Field name | Field value
Service name | Enter a display name to identify the Service Provider (e.g., NetScaler)
Issuer | Enter the issuer of the service (e.g., NetScaler)
Description | Enter a description for the service.
Enabled | Toggle as enabled
Display icon | Click on the icon and upload an icon for the service that will be displayed on the login page
In the right pane, select the SIGN ON tab.
The message for the mobile device can be customized in the Customize message field.
Under X.509 certificate, click DOWNLOAD to download the certificate.
Click SAVE SETTINGS.
Configure Citrix NetScaler Gateway
To work with Citrix NetScaler as a Service Provider and Octopus Authentication Server as the 3rd party IdP, Citrix NetScaler has to be set as a Service Provider and the Octopus Authentication Server has to be set as an Identity Provider in Citrix NetScaler.
To add Octopus Authentication Server as an Identity Provider in Citrix NetScaler:
Update Octopus Authentication SAML certificate in Citrix NetScaler
Configure 3rd party SAML Authentication Server
Create SAML Authentication Policy
Assign SAML Policy to NetScaler Virtual Server
Update Octopus Authentication SAML certificate in Citrix NetScaler
Log in to the Citrix NetScaler administrator console.
Select the Configuration tab and perform the following steps:
In the left pane, select Traffic Management > SSL > Certificates > CA Certificates.
In the right pane, under CA Certificates, click Install.
On the Install CA Certificate window, perform the following steps:
In the Certificate-Key Pair Name field, enter a name for the certificate.
Under Certificate File Name, select local from the Choose File dropdown list.
Search and open the certificate that was previously downloaded from the Octopus Authentication Server.
Click Install.
Configure 3rd party SAML Authentication Server
On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:
In the left pane, select NetScaler Gateway > Policies > Authentication > SAML.
In the right pane, select the Servers tab.
Click Add.
On the Create Authentication SAML Server window, complete the following fields:
Field name | Field value
Name | Enter a name for the server (e.g., Octopus IDP)
IDP Certificate Name | Select the IDP certificate that was previously installed.
Redirect URL | Enter the identity provider login URL. It can be found in the Octopus Authentication Server management console, on the previously created service, as the SAML2.0 Endpoint (HTTP) value under the SIGN ON tab.
Issuer Name | Enter the NetScaler virtual server URL (e.g., https://netscaler.octopusdemos.com)
Click Create.
Create SAML Authentication Policy
On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:
In the left pane, select NetScaler Gateway > Policies > Authentication > SAML.
In the right pane, under SAML, select the Policies tab.
Click Add.
On the Create Authentication SAML Policy window, complete the following fields:
Field name | Field value |
Name | Enter a name for the Authentication Policy (e.g., Octopus SAML) |
Server | Select the SAML server that was previously created. |
Expression | Enter the required logical expression (e.g., ns_true) |
Click Create.
Click OK on the warning that is displayed.
Assign SAML Policy to NetScaler Virtual Server
On the Citrix NetScaler administrator console, under the Configuration tab, perform the following steps:
In the left pane, select NetScaler Gateway > Virtual Servers.
In the right pane, under NetScaler Gateway Virtual Servers, click on the virtual server to be assigned to the SAML policy.
On the VPN Virtual Server window, under Basic Authentication, click +.
On the Choose Type window, complete the following fields:
Field name | Field value |
Choose Policy | Select SAML |
Choose Type | Select Primary |
Click Continue.
Under the Select Policy field select the authentication policy that was previously created.
Click Select.
Click Bind.
Click Done.
To save the running configuration, on the Citrix NetScaler Administrator console, click the save icon in the top right corner.
Set Citrix NetScaler in Octopus Authentication Server
Octopus Authentication Server needs to be configured with Citrix NetScaler as a SAML service so it can receive SAML authentication requests from Citrix NetScaler.
To add Citrix NetScaler as a Service Provider in Octopus Authentication Server:
Edit Citrix NetScaler Gateway Service in Octopus Authentication Server
Assign Users to Citrix NetScaler Gateway Service
Edit Citrix NetScaler Service in Octopus Authentication Server
Perform the following steps to add Citrix NetScaler as a Service Provider in Octopus Authentication Server:
Open the Octopus Authentication management console.
Select Services from the left pane.
Click on the more options icon of the service that was previously created and select Edit service.
In the right pane, select the PARAMETERS tab.
Complete the following fields:
Field name | Field value |
Login | Login method for Octopus Authentication Server |
Name ID | Citrix NetScaler login parameter |
Method | POST |
ACS URL | https://<NetScaler Virtual Server FQDN>/cgi/samlauth |
Audience | Enter the issuer value |
Click SAVE SETTINGS.
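The fields on the two sides must agree: the NetScaler Issuer Name is the Audience the Octopus service puts in its assertions, and the Octopus ACS URL is where NetScaler expects the POSTed response. As an added example (not from this guide, and not Double Octopus or Citrix code), the following Python script models the consistency checks a Service Provider such as NetScaler performs on a SAML Response: IdP Issuer, Audience, Destination and Recipient (the ACS URL), status, NameID and the assertion validity window. All hostnames, identifiers and the sample response are constructed placeholders. Signature verification against the certificate downloaded from the Octopus service is out of scope for this stdlib-only script; a real SP verifies the signature before any of these checks.

```python
# Added example (not from the vendor guide): the consistency checks a SAML
# Service Provider such as Citrix NetScaler applies to an IdP Response before
# trusting it. Signature verification with the downloaded IdP certificate is
# out of scope here (stdlib only); a real SP must do it before these checks.
# All hostnames and identifiers below are constructed placeholders.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# The same values appear on both sides of the guide:
#   NetScaler "Issuer Name"  == Octopus "Audience"
#   Octopus "ACS URL"        == https://<vserver FQDN>/cgi/samlauth
#   IdP issuer               == the issuer the Octopus service announces itself as
SP_CONFIG = {
    "sp_issuer": "https://netscaler.example.test",
    "acs_url": "https://netscaler.example.test/cgi/samlauth",
    "idp_issuer": "https://octopus-idp.example.test",
}
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def make_response(idp_issuer, audience, destination, name_id, not_before, not_on_or_after):
    """Build a minimal (unsigned) SAML Response for the demo; constructed data."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{NOW.strftime(TS_FMT)}" Destination="{destination}">
  <saml:Issuer>{idp_issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{NOW.strftime(TS_FMT)}">
    <saml:Issuer>{idp_issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"
            NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(TS_FMT)}"
        NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, config, now, skew=timedelta(seconds=60)):
    """Return (accepted, findings). Every finding is a reason to reject."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["not a samlp:Response"]
    if root.get("Destination") != config["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, findings + ["no saml:Assertion present"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_issuer"]:
        findings.append("assertion Issuer does not match the configured IdP")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_issuer"] not in audiences:
        findings.append(f"Audience {audiences!r} does not include our Issuer Name")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < datetime.strptime(nb, TS_FMT).replace(tzinfo=timezone.utc):
            findings.append("assertion is not yet valid")
        if noa and now - skew >= datetime.strptime(noa, TS_FMT).replace(tzinfo=timezone.utc):
            findings.append("assertion has expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") != config["acs_url"]:
        findings.append("SubjectConfirmationData Recipient is not our ACS URL")
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("missing NameID (the value NetScaler logs the user in as)")
    return not findings, findings


def demo():
    """Good response vs. one issued for another SP (wrong Audience) and a stale one."""
    good = make_response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_issuer"], SP_CONFIG["acs_url"],
                         "alice", NOW - timedelta(minutes=1), NOW + timedelta(minutes=5))
    wrong_aud = make_response(SP_CONFIG["idp_issuer"], "https://other-sp.example.test",
                              SP_CONFIG["acs_url"], "alice",
                              NOW - timedelta(minutes=1), NOW + timedelta(minutes=5))
    stale = make_response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_issuer"], SP_CONFIG["acs_url"],
                          "alice", NOW - timedelta(hours=2), NOW - timedelta(hours=1))
    return {name: check_response(x, SP_CONFIG, NOW)
            for name, x in (("good", good), ("wrong_audience", wrong_aud), ("stale", stale))}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "ACCEPT" if ok else "REJECT", why)
```

The "wrong_audience" case is the one a mismatch between the NetScaler Issuer Name and the Octopus Audience field produces in practice: the response is otherwise well formed, but the SP must refuse it because it was issued for a different Service Provider.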
Assign Users to Citrix NetScaler Service
After configuring the service, users should be assigned to the service to use it for authentication.
Select Services from the left pane.
Click on the more options icon on the service that was previously created and select Edit service.
In the right pane, select the USERS tab.
Select and enable users either from “Local Users” or “LDAP Users” lists.
The selection can be either of:
A group of users, by clicking on the dot next to one of the folders
An individual user, by clicking on the dot next to that user
Click SAVE SETTINGS.
Running the Solution
Load the Citrix NetScaler Gateway login page. You will be redirected to the Double Octopus Authentication page.
Enter the username and click Login.
A notification will appear on the Octopus Mobile App asking for authentication approval. A challenge number will appear on the web page. Verify the challenge number and approve the authentication accordingly.
After successful authentication, the user will be logged on to Citrix NetScaler Gateway. When Citrix StoreFront is configured, the user will be redirected to the Citrix StoreFront page.