Posted in: ADFS, NetScaler. By Simon Gottschlag

6 years ago

How do you configure Citrix NetScaler as an OpenID Connect Service Provider with Microsoft ADFS as the OpenID Connect Identity Provider? I’ve tried to make it easy to understand, and to show how you do it entirely from the CLI (NetScaler CLI and PowerShell).
Read this post for how to do the same with SAML.

Before we begin, let us look at what we need to establish the federation:

  • NetScaler (with at least Enterprise license)
  • Active Directory domain and ADFS (read this post if you want to load balance and use NetScaler as ADFS Proxy)
  • Website (lb vserver) we want to protect with AAA (will be referred to as the service provider)
  • AAA vserver to bind OpenID Connect (OAuth) Service Provider policy

In my case, the following FQDNs are used:

  • LB vserver: webapp-test.domain.com / LB-WEBAPP-TEST
  • AAA vserver: sp.domain.com / AAA-SP-DOMAIN.COM (note: it will actually never be accessed by the web browser)
  • ADFS: adfs.domain.com

Unlike the SAML setup, here we need to create the IDP-side configuration (the application group) on ADFS before configuring NetScaler:

# Names and identifiers for the service provider (relying party) as ADFS will know it
$SPName = "Webapp-test"
$SPIdentifier = "https://webapp-test.domain.com"
$SPRedirectUri = "https://webapp-test.domain.com/oauth/login"
$SPClientID = "<random uuid>"
$SPScopeName = "openid"
# Issuance transform: look up the user's UPN in AD and put it in the token (NetScaler reads it as userNameField)
$SPIssuanceTransform = '@RuleTemplate = "LdapClaims"
@RuleName = "AD Claims"
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types =
("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query =
";userPrincipalName;{0}", param = c.Value);'
# Application group, the Web API (resource) with the claim rules, and permission for the openid scope
New-AdfsApplicationGroup -ApplicationGroupIdentifier $SPName -Name $SPName
Add-AdfsWebApiApplication -Name "$($SPName) - Web API" -Identifier $SPIdentifier -AccessControlPolicyName "Permit everyone" -ApplicationGroupIdentifier $SPName -IssuanceTransformRules $SPIssuanceTransform
Grant-AdfsApplicationPermission -AllowAllRegisteredClients -ServerRoleIdentifier $SPIdentifier -ScopeNames $SPScopeName
# The client (server application) NetScaler authenticates as; ADFS generates the client secret
$ADFSApp = Add-AdfsServerApplication -Name "$($SPName) - Native application" -ApplicationGroupIdentifier $SPName -RedirectUri $SPRedirectUri -Identifier $SPClientID -GenerateClientSecret
Write-Output "`r`nPlease write down and save the following Client Secret: $($ADFSApp.ClientSecret)`r`n"

Note: Generate the random UUID used as the client ID ($SPClientID above) any way you want; it doesn’t have to be a UUID, but that is the common choice. This site can be used.
Now we need to create the OIDC Service Provider action and profile, as well as bind it to the AAA vserver:

add authentication OAuthAction OIDC-SP-WEBAPP-TEST.DOMAIN.COM -authorizationEndpoint "https://adfs.domain.com/adfs/oauth2/authorize?response_type=code&scope=openid&client_id=<Client ID>" -tokenEndpoint "https://adfs.domain.com/adfs/oauth2/token" -clientID <Client ID> -clientSecret <Client Secret> -CertEndpoint "https://adfs.domain.com/adfs/discovery/keys" -audience <Client ID> -userNameField upn -issuer "https://adfs.domain.com/adfs"
add authentication Policy OIDC-SP-POL-WEBAPP-TEST.DOMAIN.COM -rule "HTTP.REQ.HOSTNAME.EQ(\"webapp-test.domain.com\")" -action OIDC-SP-WEBAPP-TEST.DOMAIN.COM
bind authentication vserver AAA-SP-DOMAIN.COM -policy OIDC-SP-POL-WEBAPP-TEST.DOMAIN.COM -priority 100 -gotoPriorityExpression NEXT

(Note: As I stated before, this policy is bound to the AAA vserver, but the expression matches the hostname of the LB vserver, since the web browser is actually never redirected to the AAA vserver in this scenario.)
As a last step, create (if it isn’t already) an authentication profile and bind it to the LB vserver:

add authentication authnProfile authprofile-sp.domain.com -authnVsName AAA-SP-DOMAIN.COM -AuthenticationHost sp.domain.com
add lb vserver LB-WEBAPP-TEST HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile authprofile-sp.domain.com

Remember that the NetScaler does query the IDP for the keys periodically as well as sending the code to the token endpoint to receive the access_token, refresh_token and id_token (which it uses to extract the UPN). Just the same as with SAML, the browser will never hit the AAA vServer. See below for a screenshot of a capture where the NetScaler (SNIP) sends a request to ADFS (behind the scenes):
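The claim checks behind those OAuthAction parameters (-issuer, -audience, -userNameField, and the kid lookup against the keys served by -CertEndpoint), as an added Python example that is not part of the post or of NetScaler's code. The client ID, the keys document and the tokens are constructed placeholders; the function selects the signing key by kid but does not verify the RSA signature itself, which needs a crypto library.

```python
import base64
import json

# Constructed values mirroring the OAuthAction parameters in the post
# (hypothetical client ID; the real one is the UUID registered in ADFS).
ISSUER = "https://adfs.domain.com/adfs"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
USERNAME_FIELD = "upn"

# Constructed keys document in the shape served by /adfs/discovery/keys;
# "n"/"e" would hold the real RSA public key.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "adfs-signing-2019", "n": "<modulus>", "e": "AQAB"}]}

def b64url_decode(segment):
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_id_token(token, jwks, issuer, audience, username_field, now):
    """Claim checks an OIDC relying party applies to an id_token; returns
    (True, username) or (False, reason). The RS256 signature over
    "header.payload" must also be checked with the selected JWK (needs a
    crypto library); this function only selects the key."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if header.get("alg") != "RS256":  # refuse "none" and any algorithm downgrade
        return False, "unexpected alg %r" % header.get("alg")
    if not any(k.get("kid") == header.get("kid") for k in jwks["keys"]):
        return False, "unknown kid %r" % header.get("kid")
    if claims.get("iss") != issuer:  # must equal the -issuer value
        return False, "issuer mismatch"
    aud = claims.get("aud")  # a string or a list; our client ID must be in it
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if username_field not in claims:  # the -userNameField claim (upn here)
        return False, "missing claim %s" % username_field
    return True, claims[username_field]

def make_token(claims, kid="adfs-signing-2019"):
    # Constructed token for offline testing; the third segment is a placeholder.
    return "%s.%s.%s" % (b64url_encode({"alg": "RS256", "typ": "JWT", "kid": kid}),
                         b64url_encode(claims), "placeholder-signature")
```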

For troubleshooting, remember to enable Enhanced Authentication Feedback and to look at both ns.log and the Event Viewer on the ADFS servers for information:

set aaa parameter -enableEnhancedAuthFeedback YES

Tags : AAA, ADFS, NetScaler, OAuth, OIDC, OpenID Connect
