NetScaler SAML Authentication
NetScaler SAML Authentication Flow: SP-Initiated Login and IdP-Initiated Login
Introduction
NetScaler supports Security Assertion Markup Language (SAML) authentication, enabling secure Single Sign-On (SSO) across various applications. In a SAML authentication setup, the Identity Provider (IdP) is responsible for authenticating users, while the Service Provider (SP) relies on the IdP to verify identities and grant access. This article covers two SAML authentication flows—SP-initiated login and IdP-initiated login—in the context of NetScaler.
Key Components in SAML Authentication
- Identity Provider (IdP): The server responsible for authenticating users, such as Azure AD or Okta.
- Service Provider (SP): The application or service that relies on the IdP to authenticate users, such as NetScaler.
- SAML Assertions: XML statements issued and signed by the IdP, carried to the SP inside a SAML Response, that say who was authenticated, when and how, and optionally which attributes (such as group memberships or e-mail address) the user has. The SP's own message to the IdP is the AuthnRequest, which travels in the other direction.
- Metadata Files: XML files describing each party's entity ID, endpoints (SSO URL, ACS URL), supported bindings and certificates; each side imports the other's metadata to establish trust.
SP-Initiated Login Flow
In SP-initiated login, the login process begins at the Service Provider. Users attempt to access an application or service (the SP), which redirects them to the IdP for authentication. Here’s a breakdown of the SP-initiated login flow in NetScaler:
SAML SP-Initiated Authentication Flow on NetScaler
- User Attempts Access on NetScaler (SP):
  - The principal (user) tries to access a protected resource or application on NetScaler, the Service Provider (SP), without an active session.
  - NetScaler recognizes that the user is not authenticated and initiates a redirection to the Identity Provider (IdP).
- SP Request Generation:
  - NetScaler generates a SAML authentication request (AuthnRequest) and redirects the user's browser to the IdP's single sign-on URL carrying that request. With the HTTP-Redirect binding the request is deflated, base64-encoded and sent as the SAMLRequest query parameter, optionally with a RelayState that points back to the originally requested resource.
  - The AuthnRequest carries the SP's entity ID (Issuer), the Assertion Consumer Service URL the response is to be returned to and, optionally, the NameID format or authentication context the SP wants, so that the IdP can identify NetScaler as a registered SP and process the request.
- IdP Receives SP Request:
  - The IdP receives the SAML AuthnRequest from NetScaler and checks whether the user already has an active session.
  - If there is no active session, the IdP prompts the user to authenticate.
- User Credentials Input:
  - The user provides their credentials (e.g., username and password, possibly with multi-factor authentication) to the IdP.
- Authentication by IdP:
  - The IdP verifies the user's credentials against its authentication server (e.g., LDAP, RADIUS, or another authentication mechanism).
  - Once verified, the IdP establishes the user's identity.
- IdP Assertion Creation:
  - Upon successful authentication, the IdP generates a SAML assertion, wrapped in a SAML Response, containing information about the authenticated user (NameID, authentication time and method, optional attributes).
  - The assertion is signed with the IdP's private key so the SP can verify its origin and integrity, and the Response is handed back to the user's browser, typically as an auto-submitting HTML form for the HTTP-POST binding.
- Assertion Sent to NetScaler:
  - The user's browser posts the SAML Response to NetScaler (SP) at its Assertion Consumer Service (ACS) URL.
- SP Validates Assertion:
  - NetScaler validates the received Response: it verifies the signature against the IdP certificate configured in the SAML action, confirms the Issuer is the expected IdP, checks that the assertion is addressed to this SP (Audience and ACS URL) and lies within its validity window allowing for the configured skew time, and, for an SP-initiated login, that InResponseTo matches the AuthnRequest it sent.
- Access Granted:
  - If the assertion is valid and the user has the necessary permissions, NetScaler creates a session and grants the user access to the requested resource or application.
This workflow secures user access by allowing NetScaler to leverage the IdP for authentication, using SAML assertions to authenticate and authorize the user for access.
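The first half of this exchange, the AuthnRequest leaving the SP and arriving at the IdP, is shown below as an added example; it is not code from the article or from NetScaler. The SP entity ID, ACS URL, IdP SSO URL and the in-memory registries are assumptions made for the example. It builds the request, applies the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and then plays the IdP side, which decodes the request and, importantly, only ever agrees to return the assertion to the ACS URL registered for that SP, not to whatever URL the request names.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

# Assumed values for this example (not taken from the article): a NetScaler AAA
# vserver acting as SP, its ACS URL, and a generic IdP single sign-on endpoint.
SP_ENTITY_ID = "https://aaa.example.com"
ACS_URL = "https://aaa.example.com/cgi/samlauth"
IDP_SSO_URL = "https://idp.example.com/sso/saml"

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SP side: request IDs still waiting for a Response, so InResponseTo can be
# checked later (an in-memory dict here; a real SP keeps this per session).
OUTSTANDING_REQUESTS = {}

# IdP side: SPs registered out of band (entity ID -> ACS URL). The IdP must only
# send assertions to a registered ACS URL, never to whatever URL the request asks for.
REGISTERED_SPS = {SP_ENTITY_ID: ACS_URL}


def build_authn_request(request_id=None, issue_instant=None):
    """Step 2 of the SP-initiated flow: build the AuthnRequest NetScaler sends as SP."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    OUTSTANDING_REQUESTS[request_id] = issue_instant
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque to the IdP; echoed back unchanged
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Step 3 of the flow, IdP side: reverse the binding and validate the request.

    Returns the fields the IdP needs. Raises ValueError if the request is not from a
    registered SP or names an ACS URL other than the one registered for that SP.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{NS_SAML}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    if issuer not in REGISTERED_SPS:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != REGISTERED_SPS[issuer]:
        raise ValueError("AuthnRequest names an ACS URL that is not registered for this SP")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": REGISTERED_SPS[issuer],  # always the registered value
        "relay_state": query.get("RelayState", [None])[0],
    }


def decode_or_none(url):
    """Convenience wrapper: the decoded request, or None if the IdP rejects it."""
    try:
        return decode_redirect_request(url)
    except ValueError:
        return None
```

The request ID stored in OUTSTANDING_REQUESTS is what the SP later compares with the InResponseTo attribute of the Response; an SP that does not keep this state cannot tell a response to its own request from one injected by someone else.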
Advantages of SP-Initiated Login:
- Streamlines the login process by automatically redirecting users to the IdP.
- Commonly used when users frequently access the SP and want seamless SSO.
IdP-Initiated Login Flow
In IdP-initiated login, the login process begins at the Identity Provider. Users initiate access from the IdP’s portal, which authenticates them and then redirects them to the SP (NetScaler) with a SAML assertion. Here’s a step-by-step breakdown of the IdP-initiated login flow:
- User Authenticates with IdP:
  - The principal (user) starts the authentication process directly at the Identity Provider (IdP), for example from its application portal.
  - The user provides their credentials (such as username and password) to log in to the IdP.
- Authentication by IdP:
  - The IdP verifies the user's credentials against its authentication server (e.g., LDAP, RADIUS, or other mechanisms).
  - Once the user's identity is verified, the IdP establishes an authenticated session.
- IdP Assertion Creation:
  - When the user selects NetScaler in the portal, the IdP generates a SAML assertion containing information about the authenticated user. Because no AuthnRequest was received, the assertion carries no InResponseTo value.
  - This assertion is signed by the IdP to ensure its authenticity and integrity.
- Assertion Sent to SP:
  - The IdP sends the SAML Response to the user's browser, which forwards it to the Service Provider (SP), in this case NetScaler, through the Assertion Consumer Service (ACS) URL registered for that SP.
- SP Processes the Assertion:
  - NetScaler receives the unsolicited SAML Response and validates it: the signature against the configured IdP certificate, the Issuer, the Audience, the recipient (its own ACS URL) and the validity window. Since there is no AuthnRequest to correlate with, these checks are all the SP has.
  - If the assertion is valid, the SP authorizes the user to access the requested resource or application.
- Access Granted:
  - Once the assertion is validated, NetScaler (SP) grants the user access to the protected resource or application.
This IdP-initiated SSO workflow allows users to authenticate directly with the IdP and be redirected to the SP (NetScaler) with a valid SAML assertion, enabling secure and authenticated access to the resource or application.
Advantages of IdP-Initiated Login:
- Allows users to access multiple applications from a central IdP portal.
- Enables quick access to all authorized applications after a single authentication.
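The SP-side validation step of both flows (step "SP Validates Assertion" above and "SP Processes the Assertion" here) is shown below as an added example; it is not code from the article or from NetScaler. The IdP entity ID, SP entity ID, ACS URL and five-minute skew are assumptions, and the Response it checks is a constructed, unsigned sample. XML-DSig verification of the assertion against the IdP certificate needs a dedicated library and is assumed to have happened before these checks run; what the example shows are the checks that remain after the signature is good and that distinguish the two flows: a solicited Response must name an outstanding AuthnRequest in InResponseTo, while an unsolicited (IdP-initiated) one carries none and is only accepted if the SP explicitly allows that.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for this example (not taken from the article).
IDP_ENTITY_ID = "https://idp.example.com"
SP_ENTITY_ID = "https://aaa.example.com"
ACS_URL = "https://aaa.example.com/cgi/samlauth"
SKEW = timedelta(minutes=5)   # tolerance on timestamps, like the skew time of a NetScaler SAML action
NOW_EXAMPLE = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # "current time" used with the sample

SEEN_ASSERTION_IDS = set()    # replay cache (in memory here; must outlive the assertion lifetime)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, outstanding_requests, allow_unsolicited=False):
    """Checks the SP applies after the assertion's XML signature has been verified.

    outstanding_requests: set of AuthnRequest IDs this SP issued and has not consumed.
    allow_unsolicited: accept a Response without InResponseTo (IdP-initiated login).
    Returns the authenticated NameID, or raises ValueError with the reason.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted IdP")
    if a.get("ID") in SEEN_ASSERTION_IDS:
        raise ValueError("assertion replayed")
    # Subject confirmation: addressed to this ACS URL and, if solicited, to a request we sent.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("SubjectConfirmationData Recipient mismatch")
    if scd.get("NotOnOrAfter") and _ts(scd.get("NotOnOrAfter")) <= now - SKEW:
        raise ValueError("subject confirmation expired")
    in_response_to = scd.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            raise ValueError("unsolicited response, but IdP-initiated login is not enabled")
    elif in_response_to not in outstanding_requests:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    # Conditions: validity window (with skew) and audience.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now + SKEW:
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now - SKEW:
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    # All checks passed: consume the request ID (one Response per request) and remember the assertion.
    outstanding_requests.discard(in_response_to)
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    return a.find("saml:Subject/saml:NameID", NS).text


def rejection_reason(xml_text, now, outstanding_requests, allow_unsolicited=False):
    """Convenience wrapper: the reason a Response is rejected, or None if it is accepted."""
    try:
        validate_response(xml_text, now, outstanding_requests, allow_unsolicited)
        return None
    except ValueError as exc:
        return str(exc)


def sample_response(assertion_id, in_response_to=None, not_on_or_after="2024-01-01T00:10:00Z"):
    """Constructed, unsigned Response used only to exercise the checks above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r{assertion_id}"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

The replay cache and the one-Response-per-request rule are what stop a captured bearer assertion from being submitted a second time within its validity window; the skew applies symmetrically so that a slightly fast or slow IdP clock does not cause spurious rejections.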
Configuring SAML Authentication on NetScaler
SAML authentication requires establishing a trust relationship between IdP and SP: the two exchange certificates (usually through their metadata files) and digitally sign the messages they send each other. So, if you plan to deploy NetScaler as SP or IdP, you need an IdP certificate-key pair, whose private key signs the assertions sent to the SP and whose certificate the SP uses to verify them, and an SP certificate-key pair, which signs AuthnRequests and, where assertion encryption is enabled, lets the IdP encrypt the assertion so that only the SP can read it.
Policies/vservers needed for configuring NetScaler as IdP:
- AAA vserver: the virtual server at which the user logs in. It has a basic authentication policy, such as LDAP or RADIUS, bound to it to validate the credentials (username and password) the user supplies.
- SAML IdP Profile: holds the parameters of the trust with the SP, such as the SP's ACS URL, the IdP certificate-key pair used to sign assertions, the SP certificate used to verify signed AuthnRequests and to encrypt assertions, the SAML binding, the signature algorithm, the digest method, and so on.
- SAML IdP Policy: matches incoming SAML requests (typically on the request URL or the SP's issuer) and associates that traffic with a SAML IdP profile.
- Binding: binding the SAML IdP policy to the AAA virtual server that already has the LDAP or RADIUS policy bound to it ties the two together: the basic policy validates the supplied credentials, and the IdP profile then issues the signed assertion within the SAML conversation.
Policies/vservers needed for configuring NetScaler as SP:
- AAA vserver: the virtual server that hosts the SAML SP policy. Credentials are not validated here; the AAA vserver redirects the user to the IdP, receives the SAML Response at its Assertion Consumer Service URL and, once the assertion is validated, creates the user's session.
- SAML SP action: holds the parameters of the trust with the IdP, such as the IdP's redirect (SSO) URL, the IdP certificate used to verify assertion signatures, the SP signing certificate for AuthnRequests, the SAML binding, the skew time tolerated on assertion timestamps, and so on.
- SAML SP Policy: intercepts client traffic and associates it with the SAML SP action. The chain is: SAML SP policy bound to the AAA virtual server, which in turn is attached as the authentication vserver of a traffic management virtual server (a load balancing, content switching or NetScaler Gateway virtual server).
SP-Initiated vs. IdP-Initiated Login: Summary
Feature | SP-Initiated Login | IdP-Initiated Login |
---|---|---|
Initiation Point | Service Provider (NetScaler) | Identity Provider |
User Experience | Redirected to IdP after accessing NetScaler | Accessed directly from IdP portal |
Redirection Control | Automatically redirects from SP to IdP | Starts from IdP, user chooses SP from portal |
Request Correlation | Response carries InResponseTo matching the AuthnRequest NetScaler issued | No AuthnRequest exists, so NetScaler relies on the signature, audience, recipient and timestamp checks alone |
Ideal Use Case | Users frequently access NetScaler resources | Users access NetScaler along with multiple applications |
Configuration Complexity | Moderate: NetScaler's entity ID and ACS URL are registered at the IdP, and the IdP's SSO URL and certificate are configured on NetScaler | Same trust setup, with the SP additionally accepting unsolicited responses; enable that deliberately rather than by default |
Conclusion
Understanding the difference between SP-initiated and IdP-initiated login flows is essential for configuring SAML authentication on NetScaler effectively. Both methods offer distinct advantages and can be used to streamline user access while maintaining robust security.