09 Jan
NETSCALER GATEWAY AND MICROSOFT AZURE MULTI-FACTOR AUTHENTICATION - PART 4: TECH BRIEF

Configure an initial authentication flow

Pattern Set - Gateway and AAA Hostname

# Pattern set holding the hostnames the Gateway and AAA vservers answer for.
# It is consumed by the is_GATEWAY_HOSTNAME expression below; add further hostnames here, not in the expression.
add policy patset PATSET_GATEWAY_HOSTHEADER 
bind policy patset PATSET_GATEWAY_HOSTHEADER access.ctxdemos.com -index 1 -charset ASCII 
bind policy patset PATSET_GATEWAY_HOSTHEADER aaa.ctxdemos.com -index 2 -charset ASCII

Policy Expression - Gateway and AAA Hostname

# True when the lowercased Host header contains any entry of PATSET_GATEWAY_HOSTHEADER.
# CONTAINS_ANY is a substring match, so a longer hostname that embeds one of the patterns also matches;
# EQUALS_ANY would be exact but would then not match a Host header that carries an explicit port.
add policy expression is_GATEWAY_HOSTNAME "HTTP.REQ.HEADER(\"Host\").TO_LOWER.CONTAINS_ANY(\"PATSET_GATEWAY_HOSTHEADER\")"

Create Initialization Load Balancing vServer

# Non-addressable (0.0.0.0 port 0) SSL LB vserver, reached only through the content-switching policy below.
# -Authentication ON forces AAA authentication first; the AAA vserver is selected via the authentication
# profile AAA_AUTH_PRF, which is not defined on this page (presumably an earlier part of the series).
add lb vserver LBVS_SAML_SP_INITIALIZATION SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -Authentication ON -authnProfile AAA_AUTH_PRF 
# Protocols: SSLv3, TLS 1.0 and TLS 1.1 disabled, TLS 1.3 enabled. TLS 1.2 is not named here, so it keeps
# the appliance default. HSTS max-age 157680000 s (5 years) with includeSubDomains; OCSP stapling on.
set ssl vserver LBVS_SAML_SP_INITIALIZATION -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -ocspStapling ENABLED -HSTS ENABLED -maxage 157680000 -IncludeSubdomains YES 
# LBSVC_ALWAYS_UP is not defined on this page; from its name it looks like a placeholder service that keeps
# the vserver UP - confirm. The real work is done by the AAA step and the traffic policy bound further down.
bind lb vserver LBVS_SAML_SP_INITIALIZATION LBSVC_ALWAYS_UP 
# Server certificate, and the "A+" frontend cipher group defined later on this page.
bind ssl vserver LBVS_SAML_SP_INITIALIZATION -certkeyName CTXDEMOS_PUBLIC_CERT 
bind ssl vserver LBVS_SAML_SP_INITIALIZATION -cipherName CTXDEMOS_FRONTEND_APLUS

Create Initialization Content Switching Policy and Action

# Route requests for a Gateway/AAA hostname whose URL path starts with /samltolb (matched case-insensitively
# via TO_LOWER) to the initialization LB vserver.
add cs action CSACT_SAML_SP_INITIALIZATION -targetLBVserver LBVS_SAML_SP_INITIALIZATION 
add cs policy CSPOL_SAML_SP_INITIALIZATION -rule "is_GATEWAY_HOSTNAME && HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(\"/samltolb\")" -action CSACT_SAML_SP_INITIALIZATION

Bind Content Switching Policies to NetScaler Gateway Content Switching vServer

# Bind on the Gateway CS vserver (CSVS_UGCTXDEMOS, defined elsewhere). Lower priority numbers are evaluated
# first, so policies bound below 500 take precedence over this one.
bind cs vserver CSVS_UGCTXDEMOS -policyName CSPOL_SAML_SP_INITIALIZATION -priority 500

Create Initialization NetScaler ADC AAA Traffic Policy and Action and Bind it to Load Balancing vServer

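# SAML SSO profile: after AAA authentication this vserver acts as SAML IdP toward the Gateway (SP) at the
# ACS URL below, which is one of the hostnames in PATSET_GATEWAY_HOSTHEADER - i.e. IdP and SP are presumably
# the same appliance, which is why CTXDEMOS_PUBLIC_CERT serves both as signing cert and as SP encryption cert.
# Signature RSA-SHA256, digest SHA-256; RelayState is copied from the incoming query string.
# NOTE: Attribute1 carries the user's cleartext password (AAA.USER.PASSWD) and Attribute2 the group list.
# -encryptAssertion ON is what protects that password in transit - it must stay ON while Attribute1 is set.
add tm samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LB -samlSigningCertName CTXDEMOS_PUBLIC_CERT -assertionConsumerServiceURL "https://access.ctxdemos.com/cgi/samlauth" -relaystateRule "HTTP.REQ.URL.QUERY.VALUE(\"RelayState\")" -signatureAlg RSA-SHA256 -digestMethod SHA256 -Attribute1 Password -Attribute1Expr AAA.USER.PASSWD -Attribute2 Groups -Attribute2Expr AAA.USER.GROUPS -encryptAssertion ON -samlSPCertName CTXDEMOS_PUBLIC_CERT 
# Traffic action: SSO on, no persistent cookie, no logout initiation, no KCD; uses the SAML profile above.
add tm trafficAction AAATM_PRF_VPN_TO_LB -SSO ON -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE -samlSSOProfile AAATM_SAMLSSOPRF_VPN_TO_LB 
# Traffic policy: fire the action for the initialization path. The rule matches on the lowercased URL path so
# it agrees with CSPOL_SAML_SP_INITIALIZATION, which routes requests here case-insensitively; the previous
# HTTP.REQ.URL.STARTSWITH was case-sensitive, so a mixed-case /SamlToLB request would have reached this
# vserver but never triggered the SAML SSO.
add tm trafficPolicy AAATM_POL_VPN_TO_LB "HTTP.REQ.URL.PATH.TO_LOWER.STARTSWITH(\"/samltolb\")" AAATM_PRF_VPN_TO_LB 
# Request-time binding on the initialization LB vserver; END stops further traffic-policy evaluation.
bind lb vserver LBVS_SAML_SP_INITIALIZATION -policyName AAATM_POL_VPN_TO_LB -priority 100 -gotoPriorityExpression END -type REQUEST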

Cipher Groups

Create Cipher Group for Backend vServers

 

# Backend (server-side) cipher group: TLS 1.3 suites plus TLS 1.2 ECDHE AEAD (GCM) suites only -
# no CBC, no SHA-1 MACs, no non-PFS key exchange. Nothing on this page binds it; presumably it is
# bound to backend services/SSL profiles elsewhere in the series.
add ssl cipher CTXDEMOS_BACKEND 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 4 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 5 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 6 
bind ssl cipher CTXDEMOS_BACKEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 7

Create Cipher Group for Frontend vServers

# Broad-compatibility frontend group: TLS 1.3 and TLS 1.2 ECDHE AEAD first, then TLS 1.2 CBC with SHA-2,
# TLS 1.0 ECDHE CBC/SHA-1 (priorities 8, 9, 15, 16), DHE-RSA GCM, and last TLS 1.0 DHE CBC/SHA-1.
# The TLS 1.0 and SHA-1 entries are what set this group apart from the "A+" group below; note that the
# vserver on this page binds CTXDEMOS_FRONTEND_APLUS, not this group. Priority 14 is unused (harmless).
add ssl cipher CTXDEMOS_FRONTEND 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 4 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 5 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 6 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7 
# TLS 1.0 / SHA-1 suites start here.
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES128-SHA -cipherPriority 8 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-ECDSA-AES256-SHA -cipherPriority 9 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 10 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 11 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 12 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 13 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES128-SHA -cipherPriority 15 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 16 
# DHE-RSA suites (finite-field DH) as the final fallback.
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 -cipherPriority 17 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 18 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA -cipherPriority 19 
bind ssl cipher CTXDEMOS_FRONTEND -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 20

 

Create Cipher Group for Frontend vServers - A+

# "A+" frontend group, the one bound to LBVS_SAML_SP_INITIALIZATION: TLS 1.3 suites first, then TLS 1.2
# ECDHE-only (forward secrecy), ECDSA preferred over RSA, AEAD (GCM / ChaCha20-Poly1305) ahead of
# CBC-SHA256/384. No TLS 1.0/1.1 suites, no SHA-1 MACs, no static-RSA or DHE key exchange.
# Priorities 10-12 are unused (harmless).
add ssl cipher CTXDEMOS_FRONTEND_APLUS 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 2 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 3 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 4 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 5 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 -cipherPriority 6 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 7 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-ECDSA-AES128-SHA256 -cipherPriority 8 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 9 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 13 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 14 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 15 
bind ssl cipher CTXDEMOS_FRONTEND_APLUS -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 -cipherPriority 16

Login Schema XML Files

CTXDEMOS_USER_NAME_PASS.XML

<?xml version="1.0" encoding="utf-8"?> 
<!-- CTXDEMOS_USER_NAME_PASS.XML: login schema that renders a username + password form.
     Four requirements: username field, masked password field, "Remember my password" checkbox, Log On button.
     The form posts back to /nf/auth/doAuthentication.do; Cancel posts to the ExplicitForms cancel URL. -->
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> 
    <Status>success</Status> 
    <!-- more-info: presumably tells the client that further input (this form) is required - confirm. -->
    <Result>more-info</Result> 
    <StateContext/> 
    <AuthenticationRequirements> 
        <PostBack>/nf/auth/doAuthentication.do</PostBack> 
        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack> 
        <CancelButtonText>Cancel</CancelButtonText> 
        <Requirements> 
            <!-- Username: plain (non-secret) text input, must be non-empty (Constraint .+).
                 InitialValue is the expression ${AAA.USER.NAME}, which looks like a pre-fill from an
                 earlier factor or session - confirm against the nFactor flow that uses this schema. -->
            <Requirement> 
                <Credential> 
                    <ID>login</ID> 
                    <SaveID>ExplicitForms-Username</SaveID> 
                    <Type>username</Type> 
                </Credential> 
                <Label> 
                    <Text>User name</Text> 
                    <Type>plain</Type> 
                </Label> 
                <Input> 
                    <AssistiveText>Please supply username</AssistiveText> 
                    <Text> 
                        <Secret>false</Secret> 
                        <ReadOnly>false</ReadOnly> 
                        <InitialValue>${AAA.USER.NAME}</InitialValue> 
                        <Constraint>.+</Constraint> 
                    </Text> 
                </Input> 
            </Requirement> 
            <!-- Password: Secret=true masks the input; no initial value; must be non-empty. -->
            <Requirement> 
                <Credential> 
                    <ID>passwd</ID> 
                    <SaveID>ExplicitForms-Password</SaveID> 
                    <Type>password</Type> 
                </Credential> 
                <Label> 
                    <Text>Password:</Text> 
                    <Type>plain</Type> 
                </Label> 
                <Input> 
                    <Text> 
                        <Secret>true</Secret> 
                        <ReadOnly>false</ReadOnly> 
                        <InitialValue/> 
                        <Constraint>.+</Constraint> 
                    </Text> 
                </Input> 
            </Requirement> 
            <!-- Save-credentials checkbox, unchecked by default. -->
            <Requirement> 
                <Credential> 
                    <ID>saveCredentials</ID> 
                    <Type>savecredentials</Type> 
                </Credential> 
                <Label> 
                    <Text>Remember my password</Text> 
                    <Type>plain</Type> 
                </Label> 
                <Input> 
                    <CheckBox> 
                        <InitialValue>false</InitialValue> 
                    </CheckBox> 
                </Input> 
            </Requirement> 
            <!-- Submit button; collects no credential (Type none). -->
            <Requirement> 
                <Credential> 
                    <ID>loginBtn</ID> 
                    <Type>none</Type> 
                </Credential> 
                <Label> 
                    <Type>none</Type> 
                </Label> 
                <Input> 
                    <Button>Log On</Button> 
                </Input> 
            </Requirement> 
        </Requirements> 
    </AuthenticationRequirements> 
</AuthenticateResponse>

CTXDEMOS_USER_NAME_ONLY.XML

<?xml version="1.0" encoding="utf-8"?> 
<!-- CTXDEMOS_USER_NAME_ONLY.XML: login schema that collects only a username (no password field).
     Requirements: username field, a confirmation-style label, "Remember my password" checkbox, Log On button.
     Differs from CTXDEMOS_USER_NAME_PASS.XML in having no password requirement and an empty username InitialValue. -->
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> 
    <Status>success</Status> 
    <!-- more-info: presumably tells the client that further input (this form) is required - confirm. -->
    <Result>more-info</Result> 
    <StateContext/> 
    <AuthenticationRequirements> 
        <PostBack>/nf/auth/doAuthentication.do</PostBack> 
        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack> 
        <CancelButtonText>Cancel</CancelButtonText> 
        <Requirements> 
            <!-- Username: plain text input, empty initial value, must be non-empty (Constraint .+). -->
            <Requirement> 
                <Credential> 
                    <ID>login</ID> 
                    <SaveID>ExplicitForms-Username</SaveID> 
                    <Type>username</Type> 
                </Credential> 
                <Label> 
                    <Text>User name</Text> 
                    <Type>plain</Type> 
                </Label> 
                <Input> 
                    <AssistiveText>Please supply username</AssistiveText> 
                    <Text> 
                        <Secret>false</Secret> 
                        <ReadOnly>false</ReadOnly> 
                        <InitialValue/> 
                        <Constraint>.+</Constraint> 
                    </Text> 
                </Input> 
            </Requirement> 
            <!-- Informational label only (Type confirmation, empty Input); no credential is collected. -->
            <Requirement> 
                <Credential> 
                    <Type>none</Type> 
                </Credential> 
                <Label> 
                    <Text> Please submit credentials to continue Login ...</Text> 
                    <Type>confirmation</Type> 
                </Label> 
                <Input/> 
            </Requirement> 
            <!-- Save-credentials checkbox, unchecked by default. -->
            <Requirement> 
                <Credential> 
                    <ID>saveCredentials</ID> 
                    <Type>savecredentials</Type> 
                </Credential> 
                <Label> 
                    <Text>Remember my password</Text> 
                    <Type>plain</Type> 
                </Label> 
                <Input> 
                    <CheckBox> 
                        <InitialValue>false</InitialValue> 
                    </CheckBox> 
                </Input> 
            </Requirement> 
            <!-- Submit button; collects no credential (Type none). -->
            <Requirement> 
                <Credential> 
                    <ID>loginBtn</ID> 
                    <Type>none</Type> 
                </Credential> 
                <Label> 
                    <Type>none</Type> 
                </Label> 
                <Input> 
                    <Button>Log On</Button> 
                </Input> 
            </Requirement> 
        </Requirements> 
    </AuthenticationRequirements> 
</AuthenticateResponse>

References

Authentication to NetScaler using AD FS 4.0 on Server 2016, Citrix FAS, and Azure MFA in Azure Cloud. (2018). Retrieved from https://www.jgspiers.com/authentication-to-netscaler-using-ad-fs-4-0-server-2016-citrix-fas-azure-mfa-azure-cloud/

Configure Azure MFA as authentication provider with AD FS. (2019). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Deploying a Federation Server Farm. (2017). Retrieved from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm

Federated Authentication Service ADFS deployment. (Current). Retrieved from https://docs.citrix.com/en-us/federated-authentication-service

Guide to deploying NetScaler as an Active Directory Federation Services Proxy. (n.d.). Retrieved from https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/adfs-proxy-wsfed.html

How it works: Azure Multi-Factor Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

Planning a cloud-based Azure Multi-Factor Authentication deployment. (2019). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Tijl Van den Broeck. (Dec 7, 2017). ADFS v3 on Windows Server 2012 R2 with NetScaler. Retrieved from https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/

Transition to hybrid cloud and SaaS with Citrix Gateway. (n.d.). Retrieved from https://www.citrix.com/products/citrix-gateway/resources/netscaler-unified-gateway.html

User sign-in with Azure Active Directory Pass-through Authentication. (2018). Retrieved from https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

