Thursday 22 October 2015

SAML

The Block/Flow diagram


Certificates

1> One certificate for your SAML IdP - (idp.sun.ad)
2> One certificate for your SAML SP - (sp.sun.ad)
3> One certificate for your virtual server - (webserver.sun.ad)
Add all these certificates, along with the CA certificate chain, on both NetScalers.

Please note that you need to generate the key for the IdP certificate on the NetScaler which will be acting as IdP, and the keys for the other certificates on the NetScaler which will act as SP. As a rule of thumb, you should NEVER need to export a private key out of the hardware on which it was generated.

NetScaler as SAML IdP

1> Enable AAA on the NetScaler devices.
2> Make sure the clocks on all the parties involved (IdP, SP, AD, web server) are in sync; SAML assertions carry a validity window and are rejected by the SP when the clocks drift apart.
3> Create the authentication policies and profiles.

3.1> Create the SAML IdP profile:
"NetScaler -> Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> SAML IdP"

3.2> Create the back-end user validation (LDAP/AD) server. I have my Windows 2008 domain controller, SUN.AD.

Go to NetScaler -> Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> LDAP and open the Servers tab.
Click the Add button to add a server.



4> Add the SAML IdP AAA vServer
4.1> Create the AAA vServer
Go to NetScaler -> Security -> AAA – Application Traffic -> Virtual Servers and click Add.





5> Point your SAML Service Provider towards the NetScaler AAA vServer (idp.sun.ad)

The next step is to redirect the SAML SP towards the AAA IdP just created so we can authenticate users. We will set up the NetScaler as SP in the section below and point it towards the URL https://idp.sun.ad/saml/login .
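The same IdP build expressed as NetScaler CLI commands, added here as an example rather than taken from the original post. The certificate file names, the NTP server, the domain controller address, the bind account and the vserver IP are placeholders to replace with your own values; the flags are as documented for NetScaler 11.x (the SHA-256 signing flags need a build that supports them).

```nscli
# Step 1: enable the AAA feature; step 2: keep the clock in sync (NTP server IP is a placeholder)
enable ns feature AAA
add ntp server 192.0.2.123
enable ntp sync

# Certificates: the IdP key pair was generated on this box and never leaves it;
# the SP certificate is public material only (no -key) and is used to verify signed requests from sp.sun.ad
add ssl certKey ca_sun_ad  -cert ca.sun.ad.crt
add ssl certKey idp_sun_ad -cert idp.sun.ad.crt -key idp.sun.ad.key
add ssl certKey sp_sun_ad  -cert sp.sun.ad.crt
link ssl certKey idp_sun_ad ca_sun_ad

# Step 3.2: back-end user validation against the SUN.AD domain controller over LDAPS
# (DC address, bind DN and bind password are placeholders)
add authentication ldapAction ldap_sun_ad -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "dc=sun,dc=ad" -ldapBindDn "svc_netscaler@sun.ad" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN
add authentication ldapPolicy ldap_sun_ad_pol ns_true ldap_sun_ad

# Step 3.1: SAML IdP profile; the ACS URL is the NetScaler SP endpoint that the SP-side post will configure
add authentication samlIdPProfile idp_sun_ad_prof -samlIdPCertName idp_sun_ad -samlSPCertName sp_sun_ad -assertionConsumerServiceURL "https://sp.sun.ad/cgi/samlauth" -serviceProviderID "sp.sun.ad" -audience "sp.sun.ad" -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication samlIdPPolicy idp_sun_ad_pol -rule "HTTP.REQ.HEADER(\"Referer\").CONTAINS(\"sp.sun.ad\")" -action idp_sun_ad_prof

# Step 4: the AAA vserver that answers on https://idp.sun.ad/saml/login (vserver IP is a placeholder)
add authentication vserver idp_sun_ad_vs SSL 192.0.2.50 443
bind ssl vserver idp_sun_ad_vs -certkeyName idp_sun_ad
bind authentication vserver idp_sun_ad_vs -policy ldap_sun_ad_pol -priority 100
bind authentication vserver idp_sun_ad_vs -policy idp_sun_ad_pol -priority 100

# Quick check of the profile and the policies bound to the vserver, then persist
show authentication samlIdPProfile idp_sun_ad_prof
show authentication vserver idp_sun_ad_vs
save ns config
```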



SAML SP config on NS to follow....




Monday 2 February 2015

Day 1 - Plan, assess and compute..

Although I have created a home-based lab many times in the past, I have been reinventing the wheel every time I did it. So this time around I plan to note down the important tricks and tweaks.
Hardware I have -
1> A personal laptop with 6 GB of RAM (extendable to 8 GB) and a 250 GB HDD. An external 250 GB USB HDD.
2> SKY broadband connection and a home SKY router, which will work as the DHCP server in this lab.
3> A work laptop which I will use to install Oracle VirtualBox and XenCenter.
4> I have decided to upgrade the memory on my laptop, as I would need at least four VMs running at any given point of time, so a minimum of 8 GB of RAM is a must.
5> A 16 GB USB pen drive.


What I plan to create -
1> Windows AD server. The domain name will be sun.ad. This server will also act as my DNS server and CA server.
2> A cluster of two NetScalers.
3> At least one Citrix XenApp 7.5 Controller, one XenApp server and one Windows 8 VDA.

Execution -
1> Install XenServer 6.5 on my personal laptop. Install XenServer on the 16 GB pen drive, as that will leave the whole 250 GB on the local HDD for VMs.
2> Limit the number of IP addresses assigned by the DHCP server by logging in to the SKY router (default user name/password - admin/sky), so that you can use some of the IPs as static IPs.
I have limited the DHCP-assigned range to X.X.0.21 to X.X.0.100. This will allow me to use some of the initial IPs for important components of my infrastructure.
3> I plan to use the combination of my laptop and a Linux router installed in VirtualBox to have a "client" VM which will NOT be a part of my "HOME LAN", and I will use that for testing Access Gateway. I will decide and post the details of the routing configuration later.

Future -
1> Add another XenServer.
2> Add an Ubuntu-based NFS server.
3> Migrate one of the NetScalers to the new XenServer and configure GSLB.

Good to have -
1> SCCM server, AppSense server.
2> Google PAM server.