Netscaler saml configuration Integration Configuration RSA Cloud Authentication Service Citrix NetScaler - SAML My Page SSO Configuration - RSA Ready Implementation Sep 26, 2019 · Hello Experts, Need you help to understand, We have requirement that Internal users are using Thin Client, Once user login to thin client, users redirected to Storefront page and from there user launch applications. 0 authentication for full single sign-on. If a user already holds a session with the Identity Provider (IDP), they’ll only need to enter their password on the Citrix Gateway page. 1, and describes how to set up NetScaler to work with SafeNet Authentication Service using SAML authentication. Add a NetScaler Gateway instance on StoreFront For instructions on how to add a NetScaler Gateway instance on StoreFront, see Configure NetScaler Gateways. Copy the displayed client secret locally. Oct 17, 2025 · Note: NetScaler Gateway does not support Kerberos Constrained Delegation (KCD) for SSO to RDP servers. You can use the Quick Configuration wizard to configure LDAP, RADIUS, and client certificate authentication. 9 and StoreFront 3. . Zscaler cloud name Configuring Microsoft Entra ID as the IdP for the Zscaler Service Zscaler recommends using Security Assertion Markup Language (SAML) single sign-on (SSO) for user authentication and System for Cross-domain Identity Management (SCIM) for user provisioning. Single/Stateless (Dual) Gateway solution for all needs (VPN/ICA/RDP/Citrix Endpoint Sep 27, 2025 · NetScaler Gateway consolidates remote access infrastructure to provide single sign-on across all applications whether in a data center, in a cloud, or delivered as SaaS. Sep 27, 2025 · OAuth on a NetScaler appliance is qualified for all SAML IdPs that are compliant with “OpenID connect 2. 0, and NetScaler 11. Sep 27, 2025 · This topic provides the detailed steps to configure Kerberos authentication on the NetScaler appliance by using the CLI and the GUI. 0, Citrix ADC 12. 
Jan 8, 2024 · The SAML Idp Settings section allows you to configure your NetScaler Instance as a SAML identity provider by creating the SAML IdP profile and policy that is used by the NetScaler AAA virtual server created in step 3. Duo supports inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt. These are needed for the RSA Cloud Authentication Service configuration. Configuring Kerberos authentication on the CLI Enable the authentication, authorization, and auditing feature to ensure the authentication of traffic on the appliance. Enable Load Balancing, SSL Offload, Content Switching, Rewrite, and authentication, authorization, and auditing traffic management features on NetScaler appliance. Jan 14, 2025 · System Configuration – NetScaler 14. Sep 27, 2025 · The following section describes the use case of LDAP or certificate authentication based on SAML attribute extraction in nFactor authentication. In the Create Authentication Policy dialog box, in Name, type a name for the policy. Configure EPA scan to run after authentication You can configure the EPA scan to run after the authentication. Aug 15, 2025 · Add two-factor authentication and flexible security policies to NetScaler SAML 2. Jun 30, 2025 · This guide explains how to configure Authentik as a SAML Identity Provider (IdP) for Citrix NetScaler as the SAML Service Provider (SP). The Federated Authentication Service article describes how to install and configure the FAS. Navigate to Security > AAA-Application Traffic > Policies > Traffic > SAML SSO Profiles and click Add. NetScaler Gateway is easy to deploy and simple to administer. It integrates very well with Microsoft enterprise applications and Active Directory, and also with many other applications using popular protocols such as SAML. Configure Allowable SAML Bindings. 
Aug 23, 2022 · Under SAML Signing Certificate, download the Certificate (Base 64) for the Service Provider (NetScaler / Citrix ADC) Now click on Add user/group to assign a user or group to grant access to the application Sep 27, 2025 · You cannot use the NetScaler Gateway wizard to configure SAML authentication. The post also details importing the signing Feb 13, 2018 · How do you configure Citrix NetScaler SAML Service Provider with Microsoft ADFS as SAML Identity Provider? I’ve tried making it easy to understand and how you do it using CLI (NetScaler CLI and powershell). Of course, the SAML authentication would also work with an ADFS environment. Apr 22, 2020 · Guide to SAML authentication at Citrix Gateway without FAS, by using Citrix ADC as an IDP. In the Netscaler web interface, access the virtual server settings by clicking on Citrix Gateway → Virtual Servers, then click on the previously created virtual server: Perform these steps to configure Citrix NetScaler. Only a non-addressable authentication, authorization, and auditing virtual server can be bound to a Gateway/VPN virtual server in NetScaler Standard license. If the last password is LDAP, then no additional configuration is needed. Jun 13, 2017 · The following post describes how to configure SAML authentication with NetScaler as the IdP (Identity Provider) and Microsoft Office 365 as the SP (Service Provider). Click "SAML", and then in the details pane, on the Policies tab, click Add . Sep 30, 2025 · When you configure the metadata URL, the SAML IdP sends the binding type options for SSO and Logout to NetScaler. Sep 27, 2025 · How nFactor works When a user connects to the authentication, authorization, and auditing or NetScaler Gateway virtual server, the sequence of events that occur are as follows: If forms-based authentication is used, the login schema bound to the authentication, authorization, and auditing virtual server is displayed. 
onpremisessamaccountname” In the NetScaler SAML Profile I set this: Apr 27, 2020 · Both SAML SP and LDAP authentication are used in this approach. Authentication to NetScaler Unified Gateway via ADFS & Azure MFA is successful. Cloud services inherit the benefits built into cloud infrastructure including resiliency, scalability, and global reach. 0 logins with Duo Single Sign-On. The IdP could be ADFS, Okta, Ping, etc. This solution provides SSO to Citrix Apps and Desktops. See full list on carlstalhood. You can use the SAML 2. Sep 8, 2023 · Under SAML Signing Certificate (Item 3), download the Certificate (Base 64) for the Service Provider (NetScaler) Note ! The NetScaler can also be configured via Metadata URL, in the Enterprise Application this is called App Federation Metadata Url. Sep 6, 2025 · This article describes how you can configure SAML for workspace authentication using Azure Active Directory identities instead of AD identities. Mar 25, 2025 · Learn how to configure single sign-on (SSO) between Microsoft Entra ID and Citrix ADC by using header-based authentication. So I set up my test environment accordingly. Links: For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad. Jul 12, 2024 · If you are presented with this error, this means that the NetScaler is not able to identify the SAML request that it is sent. Edit one. Mar 14, 2017 · Modern Authentication for NetScaler Building the Solution Adding an App to Azure AD Configuring NetScaler for SAML Authentication Callback URL Citrix Receiver Access Control Single Sign-On Conditional Access Non-compliant Devices Conclusion Every so often a few of your favourite technologies intersect to create something magical and your passion for IT is renewed. 
Is it possible to configure Netscaler so that SAML Authentication works with Citrix Receiver? Or is that not supported by Citrix? Sep 27, 2025 · The SAML Service Provider is a SAML entity deployed by the service provider. You can integrate Citrix Gateway with Okta using RADIUS or SAML 2. You can use industry-standard authentication servers and configure NetScaler Gateway to authenticate users with the servers. Use Microsoft Entra ID (formerly known as Azure Active Directory) as a SAML IdP and Google Admin as the service provider (SP). 1 or later, create a SAML action. The most typical deployment configuration is to locate the NetScaler Gateway appliance in Sep 27, 2025 · You can configure two types of multifactor authentication in NetScaler Gateway: Cascading authentication that sets the authentication priority level Two-factor authentication that requires users to log on by using two types of authentication If you have multiple authentication servers, you can set the priority of your authentication policies. Sep 27, 2025 · NetScaler with Unified Gateway enables simplified secure access to any application through a single URL for desktop and mobile users. Sep 27, 2025 · Virtual IP for Content Switching virtual server. We were going to try the radius route with SWA but can't due to some requirements in AD and with our project team. Mar 29, 2021 · Use the same RADIUS Secret for both appliances. It allows people to access any app, from any device, through a single URL. Customization of LoginSchema is not allowed in the NetScaler Standard license. Sep 7, 2025 · Configure the new SAML IdP server using information taken from the ADFS management console earlier. Create a AAA virtual server by using To set up an authentication virtual server by using the GUI. Nov 22, 2018 · Everything works fine with these configurations. 
Background Solution Configuration Create the Second Factor (Policy Label) Create the First Factor (AAA vServer) Setup NetScaler… Dec 11, 2017 · I needed to use a Citrix ADC (NetScaler) both, as a SAML identity provider (IDP) and service provider (SP). The application configuration on the Azure portal is now Sep 27, 2025 · The group names obtained from the LDAP server are compared with the group names created locally on NetScaler Gateway. Advanced authentication policies bound to the authentication, authorization Oct 5, 2015 · SAML is a type of authentication mechanism you can use to allow for single sign-on (SSO) between Active Directory user accounts and Citrix ShareFile. Configure NetScaler appliance as ADFS proxy To achieve this use case, configure NetScaler as an ADFS proxy in a DMZ zone. Sep 27, 2025 · You can create an authentication profile by using the NetScaler Gateway wizard or the configuration utility. Citrix ADC SAML Configuration SAML Server/Action Instructions for Citrix ADC 13. 1 and newer support SAML Metadata while older versions of NetScaler do not support SAML Metadata. Citrix ADC 12. Configure the SAML Authentication Server settings and click Create. 0 for Citrix Gateway (formerly NetScaler Gateway) This setup might fail without parameter values that are customized for your organization. You can use the following NetScaler features with third party applications and servers that are compatible with the SAML 2. STAs on NetScaler Citrix Gateway matches StoreFront configuration. 6 and XenDesktop 7. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP, and create a policy with SAML IdP as the action type, and associate the required SAML IdP profile with the policy. In the following example, the EPA scan is used as a final check in a nFactor or multifactor authentication. 
NetScaler’s SAML integration capabilities allow NetScaler to act as a SAML IDP (Identity Provider), enabling Oracle Fusion Middleware users to log on to their enterprise Oracle applications through NetScaler, removing the need to log on with PingFederate and avoiding having to configure an additional authentication source. In the main body of the SAML configuration page, select Servers, then click Add: A Create Authentication SAML Server form opens. However, during certain configurations—especially in nFactor authentication workflows—you might encounter a lesser-known requirement: Microsoft Entra ID does not expect the Subject ID field in the SAML request. Jun 16, 2019 · In my guide, I’m assuming SAML authentication between Azure-AD and the Citrix ADC (formerly NetScaler) Version > 12. Sep 27, 2025 · NetScaler Console supports using SAML as an identity provider to authenticate administrators and subscribers signing in to their NetScaler Console. Feb 28, 2024 · NetScaler Citrix Gateway communication to StoreFront is https protocol, not http. Procedure Log on to the Citrix NetScaler Gateway web administration console. Sep 7, 2025 · Admin must configure the following to enable SSO to NetScaler Gateway virtual server using PRT: Microsoft Entra ID must be configured as the SAML IdP. Once the Microsoft Entra ID side configuration is completed, add users and user groups that are permitted to access the application. In the EntraID Enterprise Application change this: Change to “user. That happened for me this Under the Citrix Netscaler application under sign on options I create a MFA sign on policy with a priority that requires MFA Under signon options under SAML 2. Jun 13, 2019 · Note- I NEVER recommend deploying changes to an ADC (NetScaler) without testing. Do not just simply deploy without thought, thinking because you read it online it will just work in your situation. 
By default, NetScaler selects Redirect as the binding type for Logout and Post as the binding type for SSO. Using SAML, you can configure StoreFront to redirect users to an external identity provider for authentication. Here Jul 12, 2024 · Configuring SAML Authentication from StoreFront to NetScaler This article is to step through configuring SAML Authentication between StoreFront as the Service Provider (SP) and NetScaler as the Identity Provider (IdP) Sep 6, 2025 · The Citrix Cloud SAML connection requires a PingFederate Logout URL to be configured to match this if you wish to perform SLO when signing out of Workspace or Citrix Cloud. Sep 27, 2025 · Note: From NetScaler Gateway, navigate to NetScaler Gateway > Virtual Servers. C Nov 5, 2018 · SAML Authentication not available in XenApp and XenDesktop wizard When you are configuring the Gateway service with the XenApp and XenDesktop wizard you won’t have the SAML authentication available. NetScaler Gateway must be configured as the SAML SP. Sep 27, 2025 · The following section describes the use case of two-factor authentication with one login schema and one passthrough schema. Mar 25, 2025 · Learn how to configure single sign-on (SSO) between Microsoft Entra ID and Citrix ADC SAML Connector for Microsoft Entra ID by using Kerberos-based authentication. Our cloud-hosted SSO identity provider offers inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt. Going above just using SAML, a mixture of Azure Multi-Factor Authentication, User Certificates, LDAP and Negotiate authentication policies are used for authentication from external and internal locations. On the SAML Authentication Policy page, type ns_true in the Expression field and click Create. How to Configure SAML 2. This usually occurs when the SAML binding on the SP and IdP profiles do not match. 
Sep 27, 2025 · In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Traffic. On the right is Authentication Profile. Oct 8, 2025 · The certificate is used as samlidPCertName while configuring NetScaler as SAML SP. Failing to configure the Logout URL within your SAML connection will cause end users to just sign out of Workspace but not PingFederate. Oct 17, 2023 · To configure nFactor in NetScaler Standard Edition, go to Citrix Gateway > Virtual Servers and edit a Virtual Server. com Jul 12, 2024 · Signature and Encryption Options - To send signed SAML Authentication requests to NetScaler IdP, select the check box as shown in the following screen shot and specify the alias for the Key that is used to Sign the Auth request. Example Adding NetScaler as an IdP with SiteMinder as the SP. Sep 7, 2025 · SAML is an open standard used by identity and authentication products. PKCE (Proof Key for Code Exchange) support Support for client_assertion Name-value attribute support for OAuth authentication You can now configure OAuth authentication attributes with a unique name along with the values. com. Sep 6, 2025 · This article describes the required steps for configuring an Okta SAML application and the connection between Citrix Cloud™ and your SAML provider. In the details pane, click the SAML SSO Profile tab. Sep 27, 2025 · To configure a NetScaler appliance as a SAML IdP by using the GUI Configure the SAML IdP profile and policy. Since I personally had only problems with it, I recommend the manual method described here. Sep 27, 2025 · Click Done. Introduction Use of the Cloud to deliver Enterprise services continues to grow. About this article This article describes the required steps for configuring a connection between Citrix Cloud and Sep 27, 2025 · Otherwise, authentication is completed. example. Icon aggregation: Configure StoreFront to aggregate icons from the two farms. 
Review the information in the AAA Virtual Servers pane to verify that your configuration is correct and your authentication virtual server is accepting traffic. When this policy is applied, NetScaler redirects the user to ADFS for logon, and accepts an ADFS-signed SAML authentication token in return. The SAML SP Sep 27, 2025 · To provide single sign-on capabilities across applications that are hosted on the service provider, you can configure SAML single sign-on on the SAML SP. Apr 17, 2025 · Configure NetScaler ADC as a SAML SP using the advanced policy by using Configure NetScaler ADC as SAML service provider (SP). This approach is not documented in Okta’s Citrix NetScaler Gateway SAML Configuration Guide which still acknowledges in its June 10th, 2019 iteration at least, that Citrix FAS is still needed for a full SSO experience using the setup they describe in that guide. 6, it is possible to use SAML authentication with a number of external identity providers and integrate that with the Citrix Federated Authentication Service so that users can be authenticated from NetScaler through to StoreFront. In the past the Receiver client did not have the capability to pop up a web view and embrace […] Sep 27, 2025 · NetScaler appliance now supports metadata files as means of configuration entities for both SAML Service Provider and Identity Provider. Oct 29, 2025 · Note For steps to configure nFactor for the NetScaler Standard License, see the section Create a virtual server. For Citrix Receiver or Workspace connections, Duo Security offers passcodes, phone, and push authentication. For example, a NetScaler bases load balancing decisions on individual HTTP requests instead of on long-lived TCP connections, so that the failure or slowdown of a server is managed Sep 27, 2025 · The NetScaler appliance can be configured to extract user’s group based on the email ID or the AD user name provided by the user in the first factor logon form. 
Click Add and fill the information as provided in the preceding page. It is only possible to add/change the authentication to SAML within the NetScaler Gateway – Virtual Server part of the GUI. Oct 16, 2025 · To configure LDAP authentication on NetScaler for management purposes by using the CLI Use the following commands as a reference to configure logon for a group with superuser privileges on NetScaler CLI. Sep 27, 2025 · To configure SAML single sign-on you need to define the SAML SSO profile, the traffic profile, and the traffic policy and bind the traffic policy to a traffic management virtual server or globally to the NetScaler appliance. Click to edit the NetScaler Gateway Virtual Sep 7, 2025 · Related information: To configure NetScaler Gateway, see How to Configure NetScaler Gateway 10. In Issuer Name, enter the FQDN of the load balancing or NetScaler Gateway virtual IP address to which the appliance sends the initial authentication (GET) request. To configure SAML SSO and SCIM provisioning with Microsoft Entra ID: 1. 0 provider of your choice with your on-premises Active Directory (AD). Jan 9, 2025 · If you use SmartAccess or SAML and need the Callback URL, then you’ll need a special StoreFront configuration to handle the Callback URL from multiple Gateway appliances. Single Sign-on to StoreFront: NetScaler Gateway uses the last password collected by nFactor to Single Sign-on with StoreFront. Throughout my experience with NetScaler, I’ve been deeply involved in countless projects revolving around Sep 8, 2023 · I found a way to send the SamAccountName from EntraID to the NetScaler in the SAML response by configuring the following. Sep 27, 2025 · NetScaler is an application delivery controller that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4-Layer 7 (L4–L7) network traffic for web applications. 
If a NetScaler Gateway virtual server is configured with the SSO feature for published applications and one of the applications published in XenApp is a link to a web application that is load balanced on a NetScaler appliance, then NetScaler Gateway virtual server Nov 12, 2024 · Configuring SAML Authentication on NetScaler SAML authentication requires establishing a trust relationship between IdP and SP by exchanging certificates and digitally signing assertions. Apr 9, 2018 · Netscaler – Configure Your Access Gateway To Allow Logon with AD Credentials Using “sAMAccountName” and “userPrincipalName” at Same Time by Peter Smali | Apr 9, 2018 | Netscaler, Storefront | 0 comments There is an article from Citrix explaining how to do this, but it is missing an important configuration step to make it work fully. 0 specification: SAML Service Provider (SP) SAML Identity Provider (IdP) SP and IdP allow a SingleSignOn (SSO) between cloud services. Nov 10, 2016 · Here are the screenshots of a basic configuration example – this is for the NetScaler as SP and Okta as IdP, using an SP-initiated flow (remember, configure the IdP first) – first, create a basic SAML application in Okta. Open the NetScaler Administration GUI and browse to Traffic Management > SSL > Certificates > All Configure Citrix Netscaler gateway Configure Citrix Netscaler to use the Okta RADIUS Server agent. Click to edit the NetScaler Gateway Virtual Integrating Citrix ADC (formerly NetScaler) with Microsoft Entra ID (formerly Azure AD) using SAML authentication is a powerful way to deliver secure access to applications. 6. Sep 27, 2025 · Note The client secret is displayed only once when it is generated. Sep 27, 2025 · The SAML Issuer Name is the fully qualified domain name (FQDN) to which users log on, such as lb. A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. If you have this working another way let me know. 5 to use with StoreFront 3. 
Step By Step ADC 13 Deployment Because most of you are deploying Citrix ADC in a virtual machine (VPX), Carl's guide centers around that. To follow this guide This guide provides instructions for configuring Citrix Netscaler Gateway with Okta using SAML for secure and seamless user authentication. Jul 19, 2001 · This section describes how to configure NetScaler Gateway for SecureAuth Identity Platform SAML and OWA on Exchange Server 2013 or 2016 form-based authentication. Configuration for AAA Saml IdentityProvider (IdP) profile resource. Sep 7, 2025 · Verify the NetScaler deployment Connect to NetScaler and check that authentication and launch are successful with the username and password. Thank you for any tips. ShareFile presently supports 3 methods to authenticate your Active Directory accounts with ShareFile and SAML is the easiest of the 3 to configure if you have a NetScaler. Navigate to NetScaler Gateway > Policies > Authentication SAML. Use the same client secret along with the client ID associated with the newly registered app while configuring the OAuth action on the NetScaler Gateway appliance for Intune. Enter a name for the SAML Authentication Policy and click Add next to the Server drop-down menu. Add one. References For more details on StoreFront and NetScaler Gateway integration, refer to the following topics: Add NetScaler Gateway Designing StoreFront and NetScaler Gateway Sep 27, 2025 · Configure the NetScaler appliance using metadata files as means of configuration entities for SAML Service Provider and Identity Provider. Sep 27, 2025 · After you configure AD FS settings, download the AD FS signing certificate and then create a certificate key on NetScaler Gateway. Sep 5, 2025 · Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to remote access logins with inline self-service enrollment and Duo Prompt when logging on to the NetScaler Gateway using a web browser. 
1 – Citrix ADC 13 Last Modified: Jan 14, 2025 @ 11:31 am Apr 19, 2024 · Before delving into the specifics, let’s address the elephant in the room: users leveraging this method will encounter a second password prompt. Now there is requirement to setup MFA with Storefront only (without NetScaler). 1, NetScaler 12. Jul 12, 2024 · This article describes how to configure SAML SSO authentication between NetScaler Gateway and load balancing virtual server. Enable NetScaler SAML authentication support Using SAML with StoreFront is similar to using SAML with other web sites. Read through the relevant topics to understand the configurations that must be performed on the NetScaler appliance. In this example I'll share with you how I did combine them in a customer deployment to create a quite unique login experience. Note ! Procedure: Download the SAML signing certificate from the VeridiumID administration console (Settings -> SAML Configuration -> Download IDP Signing Certificate) and save to a suitable place like the NetScaler desktop where you can access it. This document provides guidance for deploying the SAML authentication option in Citrix NetScaler Gateway 10. In this post, I will show you how you can use ADFS as an Identity Provider, passing authentication to StoreFront Mar 29, 2025 · Migrate NetScaler config to new appliances System Configuration: – new appliance setup, VPX, licensing, networking, firmware, high availability, management authentication, TCP settings, DNS, SNMP, Syslog, backup/restore, etc. Sep 27, 2025 · SAML SSO allows you to configure one NetScaler appliance or virtual appliance instance to authenticate to another NetScaler appliance on behalf of users who have authenticated with the first appliance. May 6, 2017 · Both SAML as well as nFactor are two NetScaler features that are highly underrated in my opinion. 
Dec 12, 2024 · SAML into the Netscaler, then non pass through auth (user is prompted for local AD domain credentials) to authenticate to storefront and xenapp. Enter a name for the SAML Authentication Policy, and then click Add next to the Server drop-down list. Sep 6, 2025 · This article describes the required steps for configuring a Duo SAML application and SAML connection between Citrix Cloud™ and your SAML provider. The post also details importing the signing Sep 27, 2025 · The NetScaler appliance can be deployed as a SAML Service Provider (SP) and a SAML Identity Provider (IdP). When a user tries to access a protected application, the SP evaluates the client request. Take note of the Name and IP Address of the NetScaler Virtual Server. 0 I take a copy of the SAML Identity provider metadata URL as we will use this for dynamic configuration on the Netscaler later Feb 4, 2024 · Using NetScaler to get a Primary Refresh Token (PRT) when using Microsoft Entra ID via SAML or OAuth as Identity Provider (IdP) with Phone Sign-In. Log on to the Citrix NetScaler Gateway web administration console. Configure NetScaler as a SAML IdP by using the CLI Create a SAML IdP profile. But I could also see that Citrix Receiver SAML Authentication is only supported directly by Storefront without Netscaler. The profile contains all of the settings for the authentication policy. May 13, 2017 · Since XenApp and XenDesktop 7. Behind this single URL, administrators have a single point for configuration, security, and control of remote access to applications. com or ng. 1 are essentially the same. Browse to Configuration > NetScaler Gateway > Policies > Authentication > SAML and click Add. Based on the group a user belongs to, NetScaler presents an authentication method (LDAP, SAML, OAuth, and so on) as shown in the following table as an example. Add an Authentication Virtual Server and then complete the nFactor config. 
If the two group names match, the properties of the local group apply to the group obtained from the LDAP servers. A keytab May 28, 2024 · The following operations can be performed on “authentication-samlAction”:. A NetScaler appliance can be configured to behave as a Service Provider (SP) or an Identity Provider (IdP), using SAML and OIDC. Done! Configuration steps for Netscaler versions 11 and older Login to the Citrix NetScaler admin interface as an administrator. 5. Apr 2, 2019 · Several months ago I posted on Twitter how you can use on-premises or cloud IaaS hosted Citrix Gateway/NetScaler Gateway, Workspace app/Receiver, and Okta as your identity provider (IdP) with SAML 2. Using the Okta RADIUS Agent allows for authentication (including multifactor authentication (MFA) support) to occur at the Citrix Gateway login page. It covers setting up LDAP synchronization in Authentik, handling differing sAMAccountName attributes across domains, creating custom property mappings, and configuring Authentik’s SAML provider and application. On the right, add the Authentication Profile section. To create SAML action, navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > SAML Actions. When the user logs on with their Azure AD account to the AAA page he has to log on again to Storefront, using his regular windows credentials. Nov 6, 2023 · Go to Citrix Gateway > Virtual Servers. Sep 6, 2025 · Note: After installing the CA certificate while configuring NetScaler Gateway versions 11. The names Sep 12, 2025 · Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to NetScaler Gateway logins via advanced authentication policies. 
Jan 8, 2024 · Provides user authentication for storage zone controllers Validates URI signatures for ShareFile uploads and downloads Terminates SSL connections at the NetScaler appliance For information about using the wizard, see Configure NetScaler for storage zones controller in the storage zones controller documentation. Customer has a Netscaler setup with Azure AD SAML and AAA authentication server. 6 days ago · OAuth feature now supports the following capabilities in the token API from the Relying Party (RP) side and from the IdP side of NetScaler Gateway and NetScaler. After authentication to the IdP, the NetScaler (SP) presents the above. Sep 2, 2025 · For details on how to configure an LDAP action to retrieve the required attributes, see Name-value attribute support for LDAP authentication. Best regards Sedric Click DONE. ns-cli-prompt> enable ns feature AAA Add the keytab file to the NetScaler appliance. Apr 16, 2021 · If RADIUS authentication fails, NetScaler Gateway login fails, and the user is prompted to try two-factor authentication again. Sep 27, 2025 · This feature requires SAML knowledge, fundamental authentication proficiency, and FIPS understanding to use this information. Sep 8, 2023 · I found a way to send the SamAccountName from EntraID to the NetScaler in the SAML response by configuring the following. Citrix Secure Access client must be configured in Always On or Always On service mode. This section of the guide includes links to the appropriate sections for configuring both sides for each use case. Enter the Sep 27, 2025 · SaaS apps configuration with single sign-on on NetScaler Gateway is simplified by provisioning a template drop-down menu for popular SaaS apps. Make sure you can log off NetScaler properly, and you are taken to the correct sign-out URL as defined on your relying party trust configuration and SAML authentication policy. 
ADFS SAML deployment A cloud-hosted solution for NetScaler Console that offers centralized visibility, automation, and analytics for managing NetScaler deployments across both on-premises and cloud environments. Oct 30, 2024 · All RSA and Citrix NetScaler components must be installed and working prior to the integration. Azure Active Directory (AAD) is the Microsoft Azure hosted directory service and provides those Nov 7, 2025 · Configuring NetScaler single sign-on (SSO) to authenticate by impersonation is simpler than configuring SSO to authenticate by delegation, and is therefore preferable when your configuration allows it. 0”. Jun 11, 2025 · This guide explains how to configure Authentik as a SAML Identity Provider (IdP) for Citrix NetScaler as the SAML Service Provider (SP). Assume a use case where admins configure two-factor authentication with one login schema and one passthrough schema. 0. Creates an action for a Security Assertion Markup Language server. Navigate to Configuration > NetScaler Gateway > Virtual Servers. Netscaler Configuration Creating a new Authentication SAML Policy In the configuration utility, on the Configuration tab, expand Netscaler Gateway > Policies > Authentication. NetScaler Citrix Gateway communication to StoreFront is load balanced to multiple StoreFront servers – not a single StoreFront server. SAML into the Netscaler, then non pass through auth (user is prompted for local AD domain credentials) to authenticate to storefront and xenapp. Sep 6, 2025 · Citrix Cloud supports using SAML (Security Assertion Markup Language) as an identity provider to authenticate Citrix Cloud administrators and subscribers signing in to their workspaces. Jul 31, 2018 · Accept the prompt by tapping APPROVE. Add a new SAML policy, with an expression of NS_TRUE. Enforcement (SmartAccess) feature, where the NetScaler administrators can disable certain RDP capabilities through the NetScaler Gateway configuration. 
Mar 30, 2023 · Configuration of NetScaler OAuth SP with Azure AD as IdP with enabled login_hint Claim for auto-filling the Username / User Principal Name. Properties (click to see Operations ) Microsoft Azure Active Directory (Azure AD) is a cloud based identity management platform that presents a large, growing set of capabilities for identity management. In this setup, if the EPA scan fails during any such check, the session is terminated Sep 27, 2025 · NetScaler Gateway employs a flexible authentication design that permits extensive customization of user authentication for NetScaler Gateway. Dec 31, 2024 · You can configure Security Assertion Markup Language (SAML) single sign-on (SSO) for ChromeOS devices. Jul 12, 2024 · This article describes how to configure SAML in First factor followed by group extraction and based on groups extracted, next factor is either LDAP or Certificate Authentication. You can then configure SAML authentication on NetScaler Gateway by using the certificate and key.