Thursday 22 October 2015

SAML

The Block/Flow diagram

Certificates

1> One certificate for your SAML IdP - (idp.sun.ad)
2> One certificate for your SAML SP - (sp.sun.ad)
3> One certificate for your virtual server - (webserver.sun.ad)
Add all these certificates, along with the CA certificate chain, on both NetScalers.

Please note that you need to generate the key pair for the IdP certificate on the NetScaler which will act as IdP, and the key pairs for the other certificates on the NetScaler which will act as SP. The peer only ever needs the certificate, i.e. the public half: the SP installs the IdP certificate to verify the signature on assertions, and the IdP installs the SP certificate to verify signed AuthnRequests. As a rule of thumb you should NEVER need to export a private key out of the hardware on which it was generated.

NetScaler as SAML IdP

1> Enable AAA on the NetScaler devices.
2> Make sure the clocks on all the parties involved here (IdP, SP, AD, web server) are in sync. SAML assertions carry NotBefore/NotOnOrAfter conditions with a short validity window, so a skewed clock on either NetScaler makes the SP reject otherwise valid assertions.
3> Create the Authentication Policies and Profiles
     
3.1> Create the SAML IdP Profile:
"NetScaler -> Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> SAML IdP"

3.2> Create the back-end user validation (LDAP/AD) server. I have my Windows 2008 domain controller, SUN.AD.

NetScaler -> Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> LDAP, then open the Servers tab.
Click the Add button to add a server. Use the secure connection type (SSL/TLS on port 636) so that user credentials and the bind password are not sent to the domain controller in clear text.

4> Add the SAML IdP AAA vServer
4.1> Create the AAA vServer
Go to NetScaler -> Security -> AAA Application Traffic -> Virtual Servers and click Add. Give it the idp.sun.ad address, bind the idp.sun.ad certificate to it, and bind both the LDAP policy and the SAML IdP policy created in step 3; this vServer is what answers on https://idp.sun.ad/saml/login.
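
The GUI steps above (certificates, AAA, NTP, LDAP action, SAML IdP profile and the AAA vServer) as a NetScaler CLI batch file. This is an added example, not configuration from the original post: the hostnames come from the post, while the IPs, the bind DN, the certkey and policy names, the SP ACS path /cgi/samlauth and the exact flag spellings are assumptions to be checked against your firmware's `help add authentication samlIdPProfile`. It is a POSIX shell script that writes the command list and, only when DRY_RUN=0, pushes it with scp and runs it through `batch`:

```shell
#!/bin/sh
# Added example, not part of the original post: the NetScaler CLI equivalent of
# the GUI steps above, written to a file and pushed with `batch`. Hostnames
# (idp.sun.ad, sp.sun.ad, SUN.AD) come from the post; every IP, DN, file name
# and object name below is an assumption chosen for illustration.
set -e

NS_HOST="${NS_HOST:-idp.sun.ad}"       # management address of the IdP NetScaler (assumed)
AAA_VIP="${AAA_VIP:-10.0.0.10}"        # VIP the AAA vServer listens on (assumed)
AD_IP="${AD_IP:-10.0.0.5}"             # SUN.AD domain controller (assumed)
NTP_IP="${NTP_IP:-10.0.0.5}"           # time source, here the DC (assumed)
LDAP_BIND_DN="${LDAP_BIND_DN:-CN=svc-netscaler,CN=Users,DC=sun,DC=ad}"  # assumed service account
LDAP_BIND_PW="${LDAP_BIND_PW:-changeme}"  # supply via the environment, never hard-code in practice

# Emit the configuration. Assumes the IdP key pair and CSR were created on this
# box (create ssl rsakey / create ssl certReq) and the signed certificates plus
# the CA chain were uploaded to /nsconfig/ssl/. Only the SP's *certificate* is
# installed here, with no -key: its private key never leaves the SP NetScaler,
# and the public half is all the IdP needs to verify signed AuthnRequests.
ns_idp_commands() {
    cat <<EOF
enable ns feature AAA SSL
add ntp server $NTP_IP
enable ntp sync
add ssl certKey ca_chain -cert ca_chain.pem
add ssl certKey idp_cert -cert idp.sun.ad.pem -key idp.sun.ad.key
add ssl certKey sp_cert -cert sp.sun.ad.pem
link ssl certKey idp_cert ca_chain
link ssl certKey sp_cert ca_chain
add authentication ldapAction ldap_sun_ad -serverIP $AD_IP -serverPort 636 -secType SSL -ldapBase "DC=sun,DC=ad" -ldapBindDn "$LDAP_BIND_DN" -ldapBindDnPassword "$LDAP_BIND_PW" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_sun_ad_pol ns_true ldap_sun_ad
add authentication samlIdPProfile idp_sun_ad_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.sun.ad/cgi/samlauth" -samlIssuerName "https://idp.sun.ad/saml/login" -audience "https://sp.sun.ad" -rejectUnsignedRequests ON -signatureAlg RSA-SHA256 -digestMethod SHA256 -sendPassword OFF
add authentication samlIdPPolicy idp_sun_ad_pol -rule true -action idp_sun_ad_prof
add authentication vserver aaa_idp SSL $AAA_VIP 443
bind ssl vserver aaa_idp -certkeyName idp_cert
bind authentication vserver aaa_idp -policy ldap_sun_ad_pol -priority 100
bind authentication vserver aaa_idp -policy idp_sun_ad_pol -priority 100
save ns config
EOF
}

# Write the command file; push it with scp + batch unless DRY_RUN=1 (the
# default, so the script is safe to run offline).
push_config() {
    out="${1:-/tmp/idp.sun.ad.conf}"
    ns_idp_commands > "$out"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "wrote $out ($(wc -l < "$out" | tr -d ' ') commands); set DRY_RUN=0 to push"
        return 0
    fi
    scp "$out" "nsroot@$NS_HOST:/nsconfig/idp.sun.ad.conf"
    ssh "nsroot@$NS_HOST" "batch -fileName /nsconfig/idp.sun.ad.conf -outfile /var/tmp/idp.sun.ad.out"
}

push_config "$@"
```

Run it once with the default DRY_RUN=1 and read the generated file before pushing. The things worth checking are that idp_cert is the only certkey carrying a -key, that the LDAP action uses port 636 with -secType SSL, and that -rejectUnsignedRequests is ON so the IdP refuses any AuthnRequest it cannot tie to sp.sun.ad's certificate.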

5> Point your SAML Service Provider towards the NetScaler AAA vServer(idp.sun.ad)

The next step is to point the SAML SP at the AAA IdP vServer we just created so that it can authenticate users. We will set up NetScaler as SP in the section below and point it at the URL https://idp.sun.ad/saml/login, which is the IdP's single sign-on endpoint on the AAA vServer.

SAML SP config on NS to follow....