Skip to main content

Integration with Citrix NetScaler

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's Citrix NetScaler users. This integration will allow your users to log in to Citrix NetScaler leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

  1. Admin access to the following:
    • BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
    • NetScaler software release 11.1 or later, with an Enterprise or Platinum license.
  2. Install on your mobile device:

Assumptions

  1. With the above prerequisites, you should now successfully be registered and be able to login to:
    • BlockID Admin Console application. Ensure the email address used to login to this application is the same as the one used to login to the Citrix NetScaler account.
  2. Installed and registered the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

  1. Configure your BlockID Tenant as an Identity Provider (IDP) within Citrix NetScaler.
  2. Configure Citrix NetScaler as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

  1. Configure your BlockID Tenant as an Identity Provider (IDP) within Citrix NetScaler
  2. Configure Citrix NetScaler as a Service Provider (SP) within your BlockID Tenant
  3. Test the SAML Single Sign-On Connection

Configure your BlockID Tenant as an Identity Provider (IDP) within Citrix NetScaler

Note:

The following steps will be performed by your Citrix NetScaler administrator.

  1. Login to your Citrix NetScaler admin interface as an Administrator.
  2. Navigate to NetScaler Gateway > Policies > Authentication > SAML.
  3. In the SAML configuration page, select Servers and click Add.
  4. In the Create Authentication SAML Server screen, enter the following details:
    • Name: Enter the appropriate name for the BlockID IDP server. For example ‘blockid’.
    • Redirect URL: Copy and paste the SingleSignOnService field’s value mentioned in the Save your organization’s BlockID tenant details.
    • Single Logout URL: Copy and paste the SingleLogoutService URL field’s value mentioned in the Save your organization’s BlockID tenant details section.
    • SAML Binding: Select POST.
    • IDP Certificate Name: select .cert certificate saved as mentioned in the Save your organization’s BlockID tenant details section.
    • User Field: Enter Name ID.
    • Issuer Name: Enter the appropriate meaningful name, for example, <hostname> or <BlockID-Citrix-EntityID>. This should be the same name that will be configured within your BlockID tenant while adding the Citrix NetScaler as a service provider.
    • Signature Algorithm: Select RSA-SHA256.
    • Digest Algorithm: Select SHA256.
    • Select Enforce Username check box.
    • Click Create. The Authentication SAML Server screen is displayed with the newly created server for BlockID in the server’s list.
  5. In the Authentication SAML Server screen:
    • Select the BlockID server and click Generate Metadata.
    • In the Generate Metadata section, enter the following details:
      • FQDN or End Point: Enter your Citrix NetScaler endpoint URL. For example, mydesk.<Your_domain>.com.
      • Protocol: select HTTPS
      • Click Confirm. The XML metadata details will be shown in the text area.
    • Copy the XML metadata details and save the metadata file to use within the BlockID tenant.
    • Click Save.

Configure Citrix NetScaler as a Service Provider (SP) within your BlockID Tenant

Save your organization’s BlockID tenant details

  1. Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata The XML metadata information file is displayed.
  2. From the XML metadata information file, copy and save the values of the following keys to use while performing the Citrix NatScaler SAML integration configuration:
    • entityID: The example of its value is: https:// <customer_name>.1kosmos.net/default/idp1
    • SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
    • SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
    • X509Certificate:
      • Copy the certificate details and save them in the following format: 
        -----BEGIN CERTIFICATE-----
        Certificate details
        -----END CERTIFICATE-----
      • Save the certificate with .cert extension.

Set IDP Assertion Claim details

Perform the below-mentioned steps:

  1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
  2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
    • Map the nameIdentifier to email.
    • Click Save.
Note:

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add Citrix NetScaler as a Service Provider

  1. In the SAMLv2 screen, click Service Providers.

  2. In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the Citrix NetScaler option.

  3. In the Onboard Citrix as a SAMLv2 Service Provider window, enter details for the following fields:

    • Application Label: Enter the appropriate name for your organization’s Citrix application as a service provider.
    • Entity ID: Enter the unique entityId URL specified in your single-sign on settings in Citrix. This will the same value mentioned in the Issuer Name field added while performing configurations at Citrix end in the “Configure your BlockID Tenant as an Identity Provider (IDP) within Citrix NetScaler” section.
    • Login URL: Enter the login URL specified in your single-sign on settings in Citrix NetScaler.
    • Click Onboard Citrix.

  4. Click on the newly added Citrix NetScaler as a service provider link.

  5. In the Edit screen:

    • In the SP Core Configuration tab: check the following details are selected:
      • Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
      • NameID Value: nameidentifier.
    • In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
      • nameIdentifier
    • In the SP Service URL End Points tab:
      • Select POST.
      • Ensure Citrix NetScaler login URL is added.
    • Click Confirm and Save.

Test the SAML Single Sign-On Connection

  1. In your browser, enter your organization’s Citrix NetScaler URL. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
  2. On the BlockID mobile application’s Home screen, click ‘Scan QR’.
  3. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
  4. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
  5. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log In message upon successful authentication.
  6. You will be logged in to your Citrix NetScaler account.