Thursday, 5 February 2015

Netscaler as Saml IdP Provider Configuration in 10.5


I would like to share with you my lab replication of today’s with new Feature of Netscaler as Saml IDP.  

Most of us are aware of Packet flow of Saml Idp and if not then you can google it out

Environment Details:-
Service Provider:- This is my LB Vserver where the initial request will land. https://samlsp.emea.in
Saml AAA:- This is the AAA binded to the LB for Saml. https://samlaaa.emea.in
Saml Idp:- This is the Netscaler Idp for saml. https://samlIdp.emea.in

Configuration:-
First of all you need to have a proper certificate. You can have following Certificates
·        LB Certificate
·        AAA Certificate
·        Saml SP signing Certificate
·        Saml Idp signing Certificate

Or
·        One wild card certificate for all  ( I have used a wild card certificate in my lab)


Packet flow:-
Request to samlsp.emea.in then it will go to samlaaa.emea.in then to samlIdp.emea.in and then after authentication it will come back to samlsp.emea.in and then to Backend server

Load Balance Configuration:-




AAA Saml Configuration:-

LB will redirect the request to local AAA vserver on same NS called Saml AAA vserver







SAML IDP Vserver:-

Saml AAA will redirect the request to the SAML IDP Vserver


LDAP will be used for Authentication at Saml IDP to make sure the user is valid, We can use radius or any other auth as well



Saml should have a priority lower than LDAP or equal to LDAP so that it will hit Saml first





Client Experience and Packet Flow:-

·        User will go to Samlsp.emea.in with hit Saml AAA vserver and will be Redirected to SamlIDP in the background.



·        User will see the SamlIdp.emea.in page and will be challenged for authentication by Saml IDP

·        Saml Post Data
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL=https://samlsp.emea.in/cgi/samlauth  Assertion consumer Service url sent by the LB vserver
                    Destination=https://samlidp.emea.in/saml/login  destination where LB redirected for saml authenticate
                    ID="_0d67a779585d65b09755ffedd8606ee7"
                    IssueInstant="2015-02-04T18:38:20Z"   Time when it was issued
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">samlsp.emea.in</saml:Issuer> Saml Issuer name which we gave in the SAML configuration
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_0d67a779585d65b09755ffedd8606ee7">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>LENs4AZyghHbozU4gif2Gt802L0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>vfxlY4T0XnEOFcRO0JYBOrkzcpjVrmUAOQ/9ID5wHiQb5Is3etu+i5zFQ1T857NRiFwHbI+KnuP2T+VxTeIWJVwBMXRix++cz/9+g83KlvbOLzm/qsk6jbMTCx0K4ElvgJwY7a0xuy62OXk0k3FPUswBCBKd3j762IFgLRciIxo=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
This is the Binded Certificate used for Signing               <ds:X509Certificate>MIIEwTCCA6mgAwIBAgIKGrfNDAAAAAAALDANBgkqhkiG9w0BAQsFADBIMRIwEAYKCZImiZPyLGQBGRYCaW4xFDASBgoJkiaJk/IsZAEZFgRFTUVBMRwwGgYDVQQDExNFTUVBLVdJTjIwMDhSMkFELUNBMB4XDTEzMDUxMzA4NDYwN1oXDTE1MDUxMzA4NDYwN1owUzELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAktBMRIwEAYDVQQHEwliYW5nYWxvcmUxDzANBgNVBAoTBmNpdHJpeDESMBAGA1UEAxQJKi5lbWVhLmluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/DZ9TkkFk1gsvHWEj8HbGtFBwviiugSbNL6FWeuk99s9X9sZ4V5Nwuw8D3ctmwxS5vxFlsBwrwBAWouaXpUEkwGZ/tRGPmFloHyLgYrZE5/seRC+eCgIghHMcZwrV3DOAVpuynoLC5Rox1U+FWMF3FPaxCrTQ6z/z7fopYw+8RQIDAQABo4ICJDCCAiAwHQYDVR0OBBYEFP2BaF1yvpKordan8F/r3L3gjWkxMB8GA1UdIwQYMBaAFNlqPIIUAnCwiW42ElCPhg1lflQTMIHRBgNVHR8EgckwgcYwgcOggcCggb2GgbpsZGFwOi8vL0NOPUVNRUEtV0lOMjAwOFIyQUQtQ0EsQ049V0lOMjAwOFIyQUQsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9RU1FQSxEQz1pbj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcEGCCsGAQUFBwEBBIG0MIGxMIGuBggrBgEFBQcwAoaBoWxkYXA6Ly8vQ049RU1FQS1XSU4yMDA4UjJBRC1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1FTUVBLERDPWluP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQA9AwZtQM6k/AuHVYOTsb90DTjpOF5f5uBAdzJphUvkXlYJ+Vl8mummlNA7n6MdNrylzMpJ/pcpBdL3851gmOEguc6Uio0BjMLx0BTN0J832MRhsfuVmS2EsgTr+FlqB+okpgIJsHDEq0W3AUddq4OuvDT//MpVRCDmefJF8Ef9JZbifX3EobxmCA4YACUcBE5jVB8iI/b2+luePhTC8UqPpit20CjKC08NXMubvFMAldb3p+v/PoJFIRxy41OgnV3pHf7wHiDBlHnZJAIYDq0s1eBnadq/GIg7iJPNxH06Cgz+canVD6MimSQwXn2GzdsCjkbrUeh6eACVIe6ocX66</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</samlp:AuthnRequest>



·        Once Authenticated By Ldap a Saml response will be given to IDP


SAML Response DATA

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://samlsp.emea.in/cgi/samlauth"
                ID="_98e6e0ae0f78762e63fe86d97a2545cd"
                InResponseTo="_0d67a779585d65b09755ffedd8606ee7"
                IssueInstant="2015-02-04T18:39:01Z"
                Version="2.0"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                 >samlsp.emea.in</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_98e6e0ae0f78762e63fe86d97a2545c"
                    IssueInstant="2015-02-04T18:39:01Z"
                    Version="2.0"
                    >
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">samlsp.emea.in</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_98e6e0ae0f78762e63fe86d97a2545c">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>MJSuFE+wSSOuKOJ0CNJSnWKOLGI=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>qvler4VDtX0qa1Q9FDz3FYhkTvVzL46M+FGekemagDAeI1abflMuS7ShiUdbb3pSf2oJxTtqjzJ0mZr++AmrF5h8VjpOEznFa+bsOF0S0PeBa5cDT40mRZdHIoGUfLzsmG5zRHEO7UYrHQ+fUrr6wXSsyJeqj40e3cxCEyxnZS8=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEwTCCA6mgAwIBAgIKGrfNDAAAAAAALDANBgkqhkiG9w0BAQsFADBIMRIwEAYKCZImiZPyLGQBGRYCaW4xFDASBgoJkiaJk/IsZAEZFgRFTUVBMRwwGgYDVQQDExNFTUVBLVdJTjIwMDhSMkFELUNBMB4XDTEzMDUxMzA4NDYwN1oXDTE1MDUxMzA4NDYwN1owUzELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAktBMRIwEAYDVQQHEwliYW5nYWxvcmUxDzANBgNVBAoTBmNpdHJpeDESMBAGA1UEAxQJKi5lbWVhLmluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/DZ9TkkFk1gsvHWEj8HbGtFBwviiugSbNL6FWeuk99s9X9sZ4V5Nwuw8D3ctmwxS5vxFlsBwrwBAWouaXpUEkwGZ/tRGPmFloHyLgYrZE5/seRC+eCgIghHMcZwrV3DOAVpuynoLC5Rox1U+FWMF3FPaxCrTQ6z/z7fopYw+8RQIDAQABo4ICJDCCAiAwHQYDVR0OBBYEFP2BaF1yvpKordan8F/r3L3gjWkxMB8GA1UdIwQYMBaAFNlqPIIUAnCwiW42ElCPhg1lflQTMIHRBgNVHR8EgckwgcYwgcOggcCggb2GgbpsZGFwOi8vL0NOPUVNRUEtV0lOMjAwOFIyQUQtQ0EsQ049V0lOMjAwOFIyQUQsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9RU1FQSxEQz1pbj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcEGCCsGAQUFBwEBBIG0MIGxMIGuBggrBgEFBQcwAoaBoWxkYXA6Ly8vQ049RU1FQS1XSU4yMDA4UjJBRC1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1FTUVBLERDPWluP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQA9AwZtQM6k/AuHVYOTsb90DTjpOF5f5uBAdzJphUvkXlYJ+Vl8mummlNA7n6MdNrylzMpJ/pcpBdL3851gmOEguc6Uio0BjMLx0BTN0J832MRhsfuVmS2EsgTr+FlqB+okpgIJsHDEq0W3AUddq4OuvDT//MpVRCDmefJF8Ef9JZbifX3EobxmCA4YACUcBE5jVB8iI/b2+luePhTC8UqPpit20CjKC08NXMubvFMAldb3p+v/PoJFIRxy41OgnV3pHf7wHiDBlHnZJAIYDq0s1eBnadq/GIg7iJPNxH06Cgz+canVD6MimSQwXn2GzdsCjkbrUeh6eACVIe6ocX66</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">farhan</saml:NameID>   Username in NameID format is given here
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2015-02-04T18:44:01Z"   
                                              Recipient=https://samlsp.emea.in/cgi/samlauth    Assertion Consumer URL ( where the redirect should happen after success, it should match with IDP Assertion URL configuration)
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-02-04T18:34:01Z"
                         NotOnOrAfter="2015-02-04T18:44:01Z"  Validation of SAML issue Time
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://samlsp.emea.in</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2015-02-04T18:39:01Z"
                             SessionIndex="ebb2ad164c4ae90452533640afb09075"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>


Once This is successful the User will be provided with TMAS and TMASS cookie and will be redirect to LB vserver samlsp.emea.in


Once Request will Land on the LB vserver again with the authenticated cookie then Netscaler will allow it 




Overall on Client we will see following requests.