Citrix NetScaler Gateway is part of Citrix's Application Delivery Controller (ADC) product line, also known as the Citrix Access Gateway (CAG). It is mainly used to secure remote access. Citrix Gateway is a customer-managed solution that can be deployed on premises or on any public cloud, for example Google Cloud Platform, AWS or Azure. It provides secure access, together with single sign-on, to all the virtual, SaaS and web applications users need to be productive.
miniOrange provides enterprises with secure access to Citrix NetScaler Gateway and full control over who can access the Citrix NetScaler Gateway application, with Single Sign On (SSO) into your Citrix NetScaler Gateway account using one set of login credentials.
miniOrange supports both IdP (Identity Provider) initiated and SP (Service Provider) initiated Single Sign On (SSO).
Follow the step-by-step guide given below for Citrix NetScaler Gateway Single Sign On (SSO).
Step 1: Configure Single Sign On (SSO) Settings for Citrix Netscaler Gateway
- Log in as a customer from the Admin Console.
- Go to Apps >> Manage Apps. Click on the Configure Apps button.
- Click on the SAML tab. Select Citrix netscaler and click on the Add App button.
- Enter the SP Entity ID as https://nssp2.example.com
- Enter the value of ACS URL as https://nssp2.example.com/cgi/samlauth.
Here, enter your Share File account URL followed by /cgi/samlauth.
- Select Email ID from the Name ID dropdown.
- Go to Add Policy and select DEFAULT from the Group Name dropdown.
- Now enter Citrix netscaler gateway in the Policy Name field.
- Select PASSWORD from the First Factor Type dropdown.
- Click on Save to configure Citrix netscaler gateway.
- Click on the Metadata link to download the metadata, which will be required later. Click on Link to see the IdP initiated SSO link for Citrix NetScaler Gateway.
- Click on the Download Metadata link to download the certificate, which will be required later.
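The metadata downloaded in this step is what Step 2 consumes on the NetScaler side. As an added example (not part of the original guide, and not miniOrange's or Citrix's own tooling), the following Python script parses an IdP metadata file, pulls out the entity ID, the HTTP-POST single sign-on URL and the signing certificate, checks that the IdP offers the emailAddress Name ID format selected above, and re-wraps the certificate as PEM, the form the certificate install in Step 2 accepts. The metadata document and the idp.example.com host are constructed for the example, and the certificate text is a placeholder rather than a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# SAML metadata namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder: valid base64, but NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample of the kind of metadata downloaded in Step 1 (hypothetical IdP host).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the values NetScaler needs: IdP entity ID, POST SSO URL, signing certs, NameID support."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an IdP (no IDPSSODescriptor)")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may serve both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            signing_certs.append("".join(cert.text.split()))  # drop the metadata's line wrapping

    post_sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:  # Step 2 selects POST as the SAML Binding
            post_sso_url = sso.get("Location")

    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "entity_id": root.get("entityID"),
        "post_sso_url": post_sso_url,
        "signing_certs": signing_certs,
        "supports_email_nameid": EMAIL_FORMAT in formats,  # Step 1 selects Email ID as the Name ID
    }


def to_pem(cert_b64: str) -> str:
    """Wrap a base64 DER certificate as PEM for the NetScaler certificate install."""
    base64.b64decode(cert_b64, validate=True)  # fail early on a corrupted copy/paste
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:", info["entity_id"])
    print("POST SSO URL: ", info["post_sso_url"])
    print("Email NameID: ", info["supports_email_nameid"])
    for cert in info["signing_certs"]:
        print(to_pem(cert))
```

Replace SAMPLE_METADATA with the contents of the file downloaded from the Metadata link; if supports_email_nameid comes back False, the Name ID selection in this step and the User Field setting in Step 2 will not line up.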
Step 2: Configure Citrix Netscaler Gateway settings for miniOrange
- Log in to the Citrix NetScaler admin interface with admin rights.
- Click on the Configuration tab, then select Traffic Management >> SSL >> Certificates.
- Note: If you are using NetScaler 11.1, select Traffic Management >> SSL >> CA Certificates >> Install.
- Enter an identifying name as the Certificate-Key Pair Name.
- Click on the down arrow next to the Browse button and select Local.
- Select the X.509 certificate downloaded in Step 1.
- Click on Install.
- On the Configuration page, select NetScaler Gateway >> Policies >> Authentication >> SAML >> Servers tab, then click on Add.
- In the Create Authentication SAML Server form, enter a Name, and enter the name of the certificate installed above (IDP) as the certificate name.
- Enter the value of Redirect URL as https://nssp2.example.com/cgi/samlauth
- Enter the value of Single Logout URL as https://nssp2.example.com/cgi/tmlogout
- Enter the User Field (note: it should be Name ID unless another identifier is being used).
- Enter the certificate for your Gateway VIP as the Signing Certificate Name.
- Enter your Gateway VIP URL as the Issuer Name.
- In the Signature Algorithm section, select RSA-SHA256 as the Signature Algorithm, SHA256 as the Digest Method and POST as the SAML Binding.
- Click on OK.
- Go back to the SAML section, select Policies, then click on Add.
- Now add the details: enter a Name as per your requirement.
- Click the dropdown menu and select the Server entry you created.
- Enter ns_true as the value of Expression.
- Click on OK.
- On the left side, select Virtual Servers under the NetScaler Gateway section.
- Locate the virtual server to bind miniOrange SAML to, and click on Edit.
- Under the Authentication section, unbind any existing policies, then close the Authentication sub-window.
- Go back to the Virtual Server configuration screen and, under the Authentication section, click the plus (+) icon.
- Select SAML as Choose Policy and Primary as Choose Type, then click on Continue.
- Under the Policy Binding section, click on the SAML policy which you created earlier.
- Click on the radio button on the left and click on OK.
- Set the Priority as 100 and click on Bind.
- Go back to the Virtual Server configuration screen and click on Done.
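Once the SAML server and policy above are bound, a quick way to confirm that what the IdP actually sends matches the settings chosen here (RSA-SHA256 signature, SHA256 digest, the ACS URL and SP Entity ID from Step 1, and an email-format Name ID) is to run a captured SAML Response through a policy check. The Python script below is an added example, not part of the original guide and not Citrix's or miniOrange's tooling. The two responses it checks are constructed inline with placeholder signature values, so it checks configuration, not cryptographic validity; NetScaler performs the real signature verification with the IdP certificate installed above. The second response deliberately uses SHA-1 algorithms to show the mismatch the check reports.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Algorithm identifiers behind the Step 2 choices (RSA-SHA256 / SHA256) and their weaker SHA-1 counterparts.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What Step 1 configured on the miniOrange side, using the page's example host.
EXPECTED = {
    "acs_url": "https://nssp2.example.com/cgi/samlauth",
    "sp_entity_id": "https://nssp2.example.com",
}


def build_response(sig_alg: str, digest_alg: str) -> str:
    """Constructed sample Response. DigestValue/SignatureValue are placeholders, not real signatures;
    the IdP issuer host idp.example.com is hypothetical."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://nssp2.example.com/cgi/samlauth">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{sig_alg}"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://nssp2.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


GOOD_RESPONSE = build_response(RSA_SHA256, SHA256_DIGEST)  # matches the Step 2 settings
WEAK_RESPONSE = build_response(RSA_SHA1, SHA1_DIGEST)      # SHA-1 everywhere: flagged


def check_response(xml_text: str, expected: dict = EXPECTED, now: datetime = None) -> list:
    """Compare a SAML Response against the configured settings.
    Returns a list of findings; an empty list means every checked field matches.
    No cryptographic verification is done here; that is NetScaler's job."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion found (encrypted or missing)"]

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("assertion is not signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = sm.get("Algorithm") if sm is not None else None
        if alg != RSA_SHA256:
            findings.append(f"signature algorithm {alg!r} is not RSA-SHA256")
        for dm in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            if dm.get("Algorithm") != SHA256_DIGEST:
                findings.append(f"digest method {dm.get('Algorithm')!r} is not SHA256")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is missing or not in emailAddress format")

    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        findings.append(f"SP Entity ID not present in Audience {audiences}")

    cond = assertion.find("saml:Conditions", NS)
    now = now or datetime.now(timezone.utc)
    if cond is not None and cond.get("NotOnOrAfter"):
        expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            findings.append("assertion has expired (NotOnOrAfter is in the past)")
    return findings


if __name__ == "__main__":
    print("good:", check_response(GOOD_RESPONSE) or "no findings")
    print("weak:", check_response(WEAK_RESPONSE))
```

To check a real exchange, take the SAMLResponse form field posted to /cgi/samlauth, base64-decode it and pass the XML to check_response; an empty list means the IdP's output lines up with what was configured in Steps 1 and 2.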
Step 3: Configure StoreFront
- First, click on Manage NetScaler Gateway >> Add to add a new Gateway.
- Refer to the screenshot below to configure General Settings.
- Add Secure Ticket Authority details.
- Add Authentication Settings >> OK.
- Now click on Manage Authentication Methods, keep the Pass-through option selected, and click on the Settings button in the Pass-through option to enable Delegated Authentication as below.
- Click on Configure Remote Access Settings and add the NetScaler Gateway appliance as done in the step above.
- Note: It is important to enable Delegated Authentication as mentioned in the steps above; otherwise you will get an error saying "Cannot Complete your Request" when trying to SSO to StoreFront after authentication at NetScaler has succeeded.
For the callback URL configured at step "4" to work, port 443 must be open from StoreFront to NetScaler.
The callback URL is required for SAML to work, and the NetScaler Gateway certificate must be trusted by StoreFront.
Step 4: Onboard users into our system
- Click on Users >> Add User.
- Here, fill in the user details without the password and then click on the Create User button.
- Click on the On Boarding Status tab. Tick the entry with the registered e-mail id, select Send Activation Mail with Password Reset Link from the Select Action dropdown list, and then click on the Apply button.
- Now open your email. Open the mail you received from miniOrange and click on the link to set your account password.
- On the next screen, enter the password, confirm the password and then click on the Reset Password button.
- Now you can log in to your miniOrange account by entering your credentials.
Step 5: Log in to miniOrange Account
- Go to the miniOrange dashboard and select User Dashboard from the right side menu.
- Click on the Citrix netscaler gateway application which you added, to verify your SSO configuration.
For further details, refer to:
miniOrange Single Sign On SSO
Citrix Netscaler Gateway
Citrix netscaler gateway product
Configure NetScaler Gateway Session Policies for StoreFront