Exercise 3-4: Configure NetScaler as SAML SP and IDP

In this exercise, you will configure NetScaler as a SAML Service Provider (SP) and a SAML Identity Provider (IdP). You will use the Configuration Utility to perform this exercise.

Before we start with the exercise, let us discuss the connection flow with SAML:
• The SP trusts the IdP (trust relationship).
• The user connects to a service protected by the SP (in this scenario, NetScaler Gateway).
• The user is redirected by the SP to the IdP to authenticate (SAML Request signed by the SP).
• The user brings the SAML Request to the IdP and authenticates (in this scenario, an AAA Vserver with an LDAP policy bound to check the AD database).
• The IdP creates a SAML assertion after successful authentication and redirects back to the SP (SAML assertion signed by the IdP).
• The SP validates the SAML assertion and uses its values for authorization.

In this exercise, you will perform the following tasks:
• Configure SAML IDP Policy.
• Configure AAA Vserver and bind the SAML IDP Policy to the vserver.
• Configure SAML SP Policy and bind it to the NetScaler Gateway Vserver.

Configure NetScaler as IDP

Step Action

1. Connect to the NetScaler configuration utility for the HA Pair using the NSMGMT SNIP at . Log into the utility using the following credentials:
User Name: nsroot
Password: nsroot

2. Enable AAA Application Traffic
• Navigate to Security > AAA - Application Traffic.
• If you observe a yellow (!) icon, right-click on it.
• Click Enable Feature.
3. Configure AAA Vserver
• Navigate to Security > AAA - Application Traffic > Authentication Virtual Servers.
• Click Add.
• Enter Name as vsrv_aaa.
• Confirm that IP Address is selected in the IP Address Type field.
• Enter IP Address as 172.21.10.108.
• Observe that the port and protocol are selected as 443 and SSL respectively.
• Click OK.

4. Bind Certificate to the AAA Vserver
• In the Certificate section, click No Server Certificate.
• Click "Click to select".
• Select wc.training-certkey.
• Click Bind.
• Click Continue.

5. Bind LDAP Policy to the AAA Vserver
• Click No Authentication Policy.
• In the Select Policy field, click "Click to select".
• Select the LDAP policy.
• Click Select.
• Click Bind.
• Click Continue.
• Click Done.

6. Configure SAML IDP Profile
• Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP.
• Click Profiles.
• Click Add.
• Enter Name as SAML_IDP_Prof.
• Enter Assertion Consumer Service Url as .
• Select IDP Certificate Name as wc-training-certkey.
• Select SP Certificate Name as wc-training-certkey.
• Select Encrypt Assertion.
• Select Encryption Algorithm as AES256.
• Enter Issuer Name as .
• Leave the other settings at their defaults.
• Click Create.
Note: in this scenario we have a wildcard certificate in the lab, so we will be using the same certificate on IDP and SP. However, in production you may use separate certificates.
7. Configure SAML IDP Policy
• Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP.
• Click Policies.
• Click Add.
• Enter Name as SAML_IDP_Pol.
• Select Action as SAML_IDP_Prof.
•
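The steps above are Configuration Utility click paths. The same IDP-side configuration (steps 2 to 7) expressed as NetScaler CLI commands is added here as an illustration; it is not taken from the lab guide. The LDAP policy name, the Assertion Consumer Service URL, the Issuer Name and the SAML IDP policy rule expression are not given on this page, so they appear as angle-bracket placeholders or are marked as assumptions; the certificate name follows step 6.

```nscli
# Added example: NetScaler CLI equivalent of steps 2-7 (IDP side). Not part of the lab guide.
# Replace every <PLACEHOLDER> with the value from your lab before running.

# Step 2: enable the AAA feature
enable ns feature AAA

# Step 3: AAA virtual server on 172.21.10.108, protocol SSL, port 443
add authentication vserver vsrv_aaa SSL 172.21.10.108 443

# Step 4: bind the server certificate (the lab uses one wildcard certkey for both IDP and SP;
# use separate certificates in production, as the note in step 6 says)
bind ssl vserver vsrv_aaa -certkeyName wc-training-certkey

# Step 5: bind the existing LDAP policy (policy name is not on this page; assumed placeholder)
bind authentication vserver vsrv_aaa -policy <LDAP_POLICY_NAME> -priority 100

# Step 6: SAML IDP profile. The ACS URL and Issuer Name are left blank on this page.
# -rejectUnsignedRequests ON is an additional hardening option that is not in the lab steps:
# the IdP then refuses AuthnRequests that were not signed by the trusted SP certificate.
add authentication samlIdPProfile SAML_IDP_Prof -samlIdPCertName wc-training-certkey -samlSPCertName wc-training-certkey -assertionConsumerServiceURL "<ACS_URL>" -samlIssuerName "<ISSUER_NAME>" -encryptAssertion ON -encryptionAlgorithm AES256 -rejectUnsignedRequests ON

# Step 7: SAML IDP policy bound to the AAA vserver. The rule expression is not shown on
# this page; "true" (evaluate the action for every request) is assumed here.
add authentication samlIdPPolicy SAML_IDP_Pol -rule true -action SAML_IDP_Prof
bind authentication vserver vsrv_aaa -policy SAML_IDP_Pol -priority 100

# Check the result and persist it
show authentication samlIdPProfile SAML_IDP_Prof
show authentication vserver vsrv_aaa
save ns config
```

Run these one at a time from the NetScaler CLI, or place them in a file and apply it with `batch -fileName <file>`. Checking `show authentication vserver vsrv_aaa` afterwards confirms that the certificate, the LDAP policy and the SAML IDP policy are all bound to the same vserver, which is the state the GUI steps are meant to reach.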