I would like to share with you my lab replication of the new NetScaler feature: NetScaler acting as a SAML IdP.
Most of us are aware of the packet flow of a SAML IdP; if not, you can look it up.
Environment Details:-
Service Provider:- This is my LB vserver where the initial request lands: https://samlsp.emea.in
SAML AAA:- This is the AAA vserver bound to the LB for SAML: https://samlaaa.emea.in
SAML IdP:- This is the NetScaler IdP for SAML: https://samlIdp.emea.in
Configuration:-
First of all you need a proper certificate. You can have the following certificates:
· LB certificate
· AAA certificate
· SAML SP signing certificate
· SAML IdP signing certificate
Or
· One wildcard certificate for all (I have used a wildcard certificate in my lab)
Packet flow:-
The request goes to samlsp.emea.in, then to samlaaa.emea.in, then to samlIdp.emea.in; after authentication it comes back to samlsp.emea.in and then on to the backend server.
Load Balance Configuration:-
AAA SAML Configuration:-
The LB will redirect the request to a local AAA vserver on the same NetScaler, called the SAML AAA vserver.
SAML IDP Vserver:-
The SAML AAA vserver will redirect the request to the SAML IdP vserver.
LDAP will be used for authentication at the SAML IdP to make sure the user is valid; we can use RADIUS or any other authentication method as well.
SAML should have a priority lower than or equal to LDAP so that the request hits SAML first.
Client Experience and Packet Flow:-
· The user goes to samlsp.emea.in, which hits the SAML AAA vserver and is redirected to the SAML IdP in the background.
· SAML POST data:
<!-- AssertionConsumerServiceURL: the Assertion Consumer Service URL sent by the LB vserver.
     Destination: where the LB redirected the user for SAML authentication.
     IssueInstant: the time when the request was issued. -->
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://samlsp.emea.in/cgi/samlauth"
    Destination="https://samlidp.emea.in/saml/login"
    ID="_0d67a779585d65b09755ffedd8606ee7"
    IssueInstant="2015-02-04T18:38:20Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <!-- SAML Issuer name which we gave in the SAML configuration -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">samlsp.emea.in</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_0d67a779585d65b09755ffedd8606ee7">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>LENs4AZyghHbozU4gif2Gt802L0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>vfxlY4T0XnEOFcRO0JYBOrkzcpjVrmUAOQ/9ID5wHiQb5Is3etu+i5zFQ1T857NRiFwHbI+KnuP2T+VxTeIWJVwBMXRix++cz/9+g83KlvbOLzm/qsk6jbMTCx0K4ElvgJwY7a0xuy62OXk0k3FPUswBCBKd3j762IFgLRciIxo=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- This is the bound certificate used for signing (certificate value omitted here) -->
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>
· Once the user is authenticated by LDAP, the IdP returns a SAML Response.
SAML Response data:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://samlsp.emea.in/cgi/samlauth"
    ID="_98e6e0ae0f78762e63fe86d97a2545cd"
    InResponseTo="_0d67a779585d65b09755ffedd8606ee7"
    IssueInstant="2015-02-04T18:39:01Z"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">samlsp.emea.in</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_98e6e0ae0f78762e63fe86d97a2545c"
      IssueInstant="2015-02-04T18:39:01Z"
      Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">samlsp.emea.in</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_98e6e0ae0f78762e63fe86d97a2545c">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>MJSuFE+wSSOuKOJ0CNJSnWKOLGI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>qvler4VDtX0qa1Q9FDz3FYhkTvVzL46M+FGekemagDAeI1abflMuS7ShiUdbb3pSf2oJxTtqjzJ0mZr++AmrF5h8VjpOEznFa+bsOF0S0PeBa5cDT40mRZdHIoGUfLzsmG5zRHEO7UYrHQ+fUrr6wXSsyJeqj40e3cxCEyxnZS8=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- certificate value omitted here -->
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <!-- The username is given here in NameID format -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">farhan</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Recipient: the Assertion Consumer URL (where the redirect should happen after success;
             it must match the Assertion URL configured on the IdP) -->
        <saml:SubjectConfirmationData NotOnOrAfter="2015-02-04T18:44:01Z"
            Recipient="https://samlsp.emea.in/cgi/samlauth" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- NotBefore / NotOnOrAfter: validation of the SAML issue time -->
    <saml:Conditions NotBefore="2015-02-04T18:34:01Z"
        NotOnOrAfter="2015-02-04T18:44:01Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://samlsp.emea.in</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-02-04T18:39:01Z"
        SessionIndex="ebb2ad164c4ae90452533640afb09075">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Once this is successful, the user is issued the TMAS and TMASS cookies and is redirected to the LB vserver samlsp.emea.in.
When the request lands on the LB vserver again with the authenticated cookie, NetScaler allows it through.
Overall, on the client we will see the following requests.