How to Configure NetScaler SAML to Work with Microsoft Active Directory Federation Services 3.0 IDP

To configure AAA virtual server, refer to Citrix Documentation – Configuring the Authentication Virtual Server.

AD FS 3.0 Installation Document: – AD FS 3.0 Installation Document

The following table describes the parameters used to create an SAML action.

add authentication SAMLAction <name> -samlIdPCertName <certname> -samlRedirectUrl <IDP URL> -samlUsernameField –samlSigningCert <certname> -samlIssuerName <issuer_name> -samlRejectUnsignedAssertion <TRUE/FALSE>




It is the public key corresponding to the private key at the Identity Provider (IdP). It is required for decrypting or verifying the SAML assertion. This can come in the assertion as keyInfo, but is not currently used. Add this information to the NetScaler appliance using the add certkey command.

Redirect url

It is the url of the authentication end point (IdP). Unauthenticated users are redirected to this URL.

Username field

It can be used to extract the username if the IdP sends the username in other than <NameIdentifier> tag of <Subject> tag. In most scenarios, this need not be configured. Depending on the use cases, this can be removed.


It is the certificate key of AAA/Gateway virtual server that is used to sign the authentication request to the IdP. If signingCertName is not configured, then assertion is either sent unsigned or authentication is rejected as per the samlRejectUnsignedAssertion parameter.


It is the string to be used in sending the authentication request. Every IdP expects a unique name in the issuer field to signify the authority which sent this assertion. A few IdPs ignore this but a few rely on this field to search the metadata corresponding to this Service Provider.


It is a knob to accept or reject unsigned assertions from the IdP. This parameter gives flexibility to the administrator or user to verify the connectivity or basic functioning of the Service Provider and IdP. This knob is also used when sending the authentication request out. If signingCert is not configured and if this knob is false, the unsigned authentication request is sent. Otherwise, the SAML authentications are rejected and fall back to forms-based authentication.

Errors and Debugging

Places to look for information:


Live tracing:

nsconmsg -d current -g saml

cat /tmp/aaad.debug

tail -f /var/log/ns.log


nsconmsg -d stats -g saml

cat /var/log/ns.log


ADFS 3.0 error log:

Issuername / identifier mismatch:

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier ‘SecurityKeyIdentifier

Incorrect IDP certificate configured on NetScaler

Browser error:

SAML Assertion verification failed; Please contact your administrator

/var/log/ns.log error:

Feb 12 15:07:07 <local0.err> 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1438 0 : “Error while trying to verify the signature”

Feb 12 15:07:07 <local0.err> 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1439 0 : “Verification of SAML assertion resulted in failure 917511”


  • No Related Posts

Leave a Reply