NetScaler SAML SSO for Google Apps with Kerberos / NTLM Authentication Client Side


In a previous article, we examined the advanced authentication and Single Sign-On (SSO) capabilities of NetScaler 11.0, such as support for OAuth 2.0 and OpenID Connect.

Today we take a look at a further improvement on that: the NetScaler acting as a SAML IDP, with Kerberos as the primary client-side authentication method and NTLM as the fallback. We use Google Apps as the integration endpoint for our demonstration.

Kerberos provides strong authentication, because the user's password is never transmitted on the wire; what is exchanged is material encrypted with a key derived from the hash of the user's password, together with a changing timestamp. Kerberos authentication requires that the client is joined to the domain and can reach the KDC (Key Distribution Center), which in a Microsoft Windows environment is generally a domain controller. When Kerberos is not available, for example when the end user is external, NTLM authentication kicks in.

With the NetScaler as SAML IDP and client-side Kerberos authentication, the NetScaler authenticates the end user with Kerberos; once authentication has completed, the NetScaler signs the user on to Google Apps via SAML SSO. Specifically, the NetScaler generates a SAML assertion carrying the user's identity and sends it to Google Apps, which acts as the SAML service provider (SP). Once the SAML SP has verified that the assertion is authentic, the Google Apps services (e.g. Mail, Calendar, Drive) become available to the user.

From the user's perspective, all they have to do is open the Google Apps URL (e.g. https://mail.google.com/a/your_domain), and they are presented with the applications (e.g. Mail, Drive, Calendar). They are not prompted for credentials when Kerberos authentication succeeds, because Kerberos happens in the background using the credentials obtained by GINA at Windows logon. As the fallback, the end user gets a pop-up window in which they enter their credentials for NTLM authentication. For a PoC, a 30-day trial is available.

To provide this seamless (Kerberos) authentication experience, the steps are:

  1. Register Google Apps for your business (the trial is sufficient)
  2. Configure Google Apps to use the NetScaler as a third-party SAML IDP
  3. Configure the NetScaler as SAML IDP
  4. Register the AAA VIP FQDN as an SPN (Service Principal Name) on the KDC

For the Google Apps configuration, the most critical settings are the ones highlighted in red in the Google Apps SSO settings screenshot. In this PoC, 'nsidp.h.l' points to an AAA VIP created on the NetScaler; the sign-in page URL should always be https://AAA_VIP_FQDN/saml/login. The sign-out page and change-password URLs are not important in this phase.


Since all SAML assertions are signed with the private key configured on the SAML IDP, the associated certificate (public key) must be provided to Google Apps so that it can verify the signatures.

On the NetScaler and on the KDC, we need to create the following:

  1. AAA vServer and matching certificate
  2. Negotiate (Kerberos) profile / policy
  3. Negotiate SPN registered on the KDC with a user account
  4. SAMLIDP profile / policy
  5. LDAP profile / policy (optional)

For the Negotiate profile, we must use the same domain user account that is also used for the SPN registration.


The SPN is registered with the setspn command on a domain-joined Windows computer.


Below is an example SAMLIDP profile:

add authentication samlIdPProfile TM_SAML_Google_apro -samlIdPCertName Wildcard.hl -assertionConsumerServiceURL "https://www.google.com/a/hahah.eu/acs" -rejectUnsignedRequests OFF -audience "https://www.google.com/a/hahah.eu/acs" -NameIDFormat Unspecified -NameIDExpr "HTTP.REQ.USER.ATTRIBUTE(1)" -samlBinding REDIRECT

'assertionConsumerServiceURL' is the URL to which the NetScaler sends the SAML assertion. It is provided by Google Apps and is unique to your environment.

The option 'NameIDExpr' is used as a bridge for account linking. This is necessary when the user name or the domain name differs between Google Apps and the internal Windows domain.

In this PoC, the Windows domain is 'h.l' and the domain used in Google Apps is 'hahah.eu'. We need a way to map a domain user (e.g. administrator@h.l) to its Google Apps equivalent (e.g. chriszh@hahah.eu).

One way to link the two is the following.


Once Kerberos authentication has completed for the domain user 'administrator@h.l', the user principal name (UPN) is passed on for LDAP attribute extraction. The NetScaler searches the LDAP directory for the UPN 'administrator@h.l' and extracts the associated 'mail' attribute value, 'chriszh@hahah.eu', which it uses as the user in the subsequent SAML assertion for Google Apps.

The following is the LDAP profile. Note that authentication is disabled, the LDAP login name is set to 'UserPrincipalName', and 'mail' is extracted as 'attribute1', which is then referenced in the 'NameIDExpr' setting of the SAMLIDP profile (i.e. -NameIDExpr "HTTP.REQ.USER.ATTRIBUTE(1)").

add authentication ldapAction TM_LDAP_asvr -serverIP 172.16.18.3 -ldapBase "dc=h,dc=l" -ldapBindDn administrator@h.l -ldapBindDnPassword 3eeb26b55b96ffd0c98c0f9affe37c7f97272a2849a2584460d538b2588cca85 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName UserPrincipalName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userprincipalname -authentication DISABLED -passwdChange ENABLED -Attribute1 mail

Please note that the LDAP policy must be bound as the secondary authentication policy.


Kerberos authentication is not enabled by default in browsers. To enable Kerberos in IE / Chrome, add the AAA VIP URL to the "Trusted sites" zone.


Then select "Automatic logon with current user name and password" in the security level settings of that zone.


Please refer to https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM for instructions for other browsers.

That's it! But how can we tell whether it worked? If the user sees all the applications immediately after visiting https://mail.google.com/a/hahah.eu, then it works. If the user is prompted for credentials, Kerberos is not working and authentication has fallen back to NTLM.


For completeness, below is the Kerberos- and SAML-related information that can be used for troubleshooting.

  1. SAML request from Google Apps (screenshot not reproduced)
  2. SAML response from the NetScaler IDP (screenshot not reproduced)
  3. Kerberos service ticket for 'HTTP/nsidp.h.l' under the account 'administrator@h.l' (ticket-granting ticket #0) (screenshot not reproduced)
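As an added example (not part of the original article), here is a small Python check that ties the account-linking logic above to the SAML response captured during troubleshooting: it compares a response against the assertionConsumerServiceURL, audience and NameID that the SAMLIDP profile should produce. The sample response and the LDAP lookup table are constructed stand-ins; the real NetScaler queries the directory and signs the assertion, and this script only checks that a signature is present, not that it is valid.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values copied from the samlIdPProfile in the article (both options hold the same URL).
ACS = AUDIENCE = "https://www.google.com/a/hahah.eu/acs"
# Constructed stand-in for the LDAP userPrincipalName -> mail lookup behind NameIDExpr ATTRIBUTE(1).
LDAP_MAIL = {"administrator@h.l": "chriszh@hahah.eu"}
def _ts(value):
    """Parse a SAML UTC timestamp such as 2016-03-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, upn, now=None):
    """Return the mismatches against the profile; an empty list means it looks right."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS:
        problems.append("Destination != assertionConsumerServiceURL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    if assertion.find("ds:Signature", NS) is None:  # presence only; verifying needs the IDP cert
        problems.append("Assertion is unsigned")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.text != LDAP_MAIL.get(upn.lower()):  # account linking
        problems.append("NameID does not match the mail attribute extracted via LDAP")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience != -audience")
    if now >= _ts(assertion.find("saml:Conditions", NS).get("NotOnOrAfter")):
        problems.append("assertion expired (check clock skew between NetScaler and KDC)")
    return problems
# Constructed sample of the response the NetScaler IDP would send to Google's ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1"
 IssueInstant="2016-03-01T12:00:00Z" Destination="https://www.google.com/a/hahah.eu/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2016-03-01T12:00:00Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>chriszh@hahah.eu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T11:55:00Z" NotOnOrAfter="2016-03-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://www.google.com/a/hahah.eu/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `check_saml_response(SAMPLE_RESPONSE, "administrator@h.l")` today reports only that the constructed 2016 assertion has expired; pass a `now` inside its validity window to see an empty list.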

In this article we have shown how to configure the NetScaler as SAML IDP, with Kerberos as the primary and NTLM as the fallback client-side authentication method, and how to integrate it with Google Apps. We also showed account mapping between two different environments through LDAP attribute extraction.

Please note that this function requires NetScaler 11.0 build 64.x or later.

I hope you've enjoyed this article!
