To configure the AAA virtual server, refer to Citrix Documentation – Configuring the Authentication Virtual Server.
To install AD FS 3.0, refer to the AD FS 3.0 Installation Document.
The following command creates a SAML action; the table below describes its parameters.
add authentication SAMLAction <name> -samlIdPCertName <certname> -samlRedirectUrl <IDP URL> -samlUsernameField <username_field> -samlSigningCert <certname> -samlIssuerName <issuer_name> -samlRejectUnsignedAssertion <TRUE/FALSE>
| Parameter | Description |
|---|---|
| certname (samlIdPCertName) | The public key corresponding to the private key held by the Identity Provider (IdP). It is required for decrypting or verifying the SAML assertion. The key can also arrive in the assertion as KeyInfo, but that is not currently used. Add this certificate to the NetScaler appliance using the add certkey command. |
| Redirect URL (samlRedirectUrl) | The URL of the authentication endpoint (IdP). Unauthenticated users are redirected to this URL. |
| Username field (samlUsernameField) | Used to extract the username when the IdP sends it in an element other than <NameIdentifier> under <Subject>. In most scenarios this need not be configured; depending on the use case it can be removed. |
| signingCertname (samlSigningCert) | The certificate key of the AAA/Gateway virtual server used to sign the authentication request sent to the IdP. If samlSigningCert is not configured, the request is either sent unsigned or authentication is rejected, as governed by the samlRejectUnsignedAssertion parameter. |
| samlIssuerName | The string placed in the Issuer field of the authentication request. Every IdP expects a unique name in the issuer field identifying the authority that sent the request. Some IdPs ignore it, but others rely on it to look up the metadata for this Service Provider. |
| samlRejectUnsignedAssertion | A knob to accept or reject unsigned assertions from the IdP. It gives the administrator flexibility to verify connectivity or the basic functioning of the Service Provider and IdP. The same knob governs the outgoing authentication request: if samlSigningCert is not configured and this knob is FALSE, the unsigned authentication request is sent; otherwise SAML authentication is rejected and falls back to forms-based authentication. |
Errors and Debugging
Places to look for information:
NetScaler
Live tracing:
nsconmsg -d current -g saml
cat /tmp/aaad.debug
tail -f /var/log/ns.log
Historical:
nsconmsg -d stats -g saml
cat /var/log/ns.log
Windows
ADFS 3.0 error log:
w3.woodsnetworks.com/index.php/2013/02/adfs-2-0-error-after-successful-login/
Issuer name / identifier mismatch (AD FS event):
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier ‘SecurityKeyIdentifier
Incorrect IdP certificate configured on NetScaler:
Browser error:
SAML Assertion verification failed; Please contact your administrator
/var/log/ns.log error:
Feb 12 15:07:07 <local0.err> 192.168.1.65 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1438 0 : “Error while trying to verify the signature”
Feb 12 15:07:07 <local0.err> 192.168.1.65 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1439 0 : “Verification of SAML assertion resulted in failure 917511”
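The two ns.log entries above are the signature of a wrong IdP certificate on the NetScaler. As an added example (not from the original page or from Citrix), the following Python parses AAATM lines from /var/log/ns.log, flags the known SAML verification failures, and reports that likely cause when both messages appear together. The log sample is constructed, modelled on the lines quoted above; the third line is an assumed success message, not real NetScaler output.

```python
import re

# Constructed sample of /var/log/ns.log lines, modelled on the entries quoted above.
# The third line is an assumed success message used only to show non-matching input.
SAMPLE_NS_LOG = """\
Feb 12 15:07:07 <local0.err> 192.168.1.65 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1438 0 : "Error while trying to verify the signature"
Feb 12 15:07:07 <local0.err> 192.168.1.65 02/12/2015:14:07:07 GMT ns 0-PPE-0 : AAATM Message 1439 0 : "Verification of SAML assertion resulted in failure 917511"
Feb 12 15:08:01 <local0.info> 192.168.1.65 02/12/2015:14:08:01 GMT ns 0-PPE-0 : AAATM Message 1440 0 : "SAML assertion verified successfully"
"""

# Matches the NetScaler syslog layout: timestamp, <facility.severity>, host, GMT stamp,
# "ns", packet engine, module, message id, and the quoted message text.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) <(?P<facility>[^>]+)> (?P<host>\S+) \S+ \S+ ns '
    r'(?P<ppe>\S+) : (?P<module>\w+) Message (?P<msgid>\d+) \d+ : "(?P<text>.*)"$'
)

# Message fragments from the page, each paired with what the page says they indicate.
SAML_FAILURE_SIGNATURES = {
    "Error while trying to verify the signature":
        "assertion signature did not verify against the certificate named by -samlIdPCertName",
    "failure 917511":
        "SAML assertion verification failure 917511 (seen with an incorrect IdP certificate)",
}


def parse_ns_log(text):
    """Return one dict per line that matches the NetScaler log layout; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(raw) for raw in text.splitlines()) if m]


def saml_failures(events):
    """Select AAATM events whose text carries one of the known SAML failure fragments."""
    hits = []
    for ev in events:
        if ev["module"] != "AAATM":
            continue
        for needle, diagnosis in SAML_FAILURE_SIGNATURES.items():
            if needle in ev["text"]:
                hits.append({**ev, "diagnosis": diagnosis})
    return hits


def likely_cause(hits):
    """Map the combination the page documents (both messages together) to its stated cause."""
    texts = {h["text"] for h in hits}
    if any("verify the signature" in t for t in texts) and any("917511" in t for t in texts):
        return "Incorrect IdP certificate configured on NetScaler (check -samlIdPCertName)"
    if hits:
        return "SAML verification problem; inspect /tmp/aaad.debug and nsconmsg -d current -g saml"
    return None


if __name__ == "__main__":
    found = saml_failures(parse_ns_log(SAMPLE_NS_LOG))
    for h in found:
        print(h["ts"], h["host"], h["msgid"], "->", h["diagnosis"])
    print("likely cause:", likely_cause(found))
```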