Using NetScaler as OpenID Connect SP with ADFS as IDP

This post shows how to configure Citrix NetScaler as an OpenID Connect (OIDC) Service Provider with Microsoft ADFS as the OpenID Connect Identity Provider. The aim is to keep it easy to follow and to do everything from the command line (NetScaler CLI on one side, PowerShell on the other).

Read this post if you want to do the same thing with SAML instead.

Before we begin, let us look at what we need to establish the federation:

  • NetScaler (with at least an Enterprise license)
  • Active Directory domain and ADFS (read this post if you want to load balance ADFS and use NetScaler as an ADFS proxy)
  • Website (LB vserver) that we want to protect with AAA (referred to below as the service provider)
  • AAA vserver to bind the OpenID Connect (OAuth) Service Provider policy to

In my case, the following FQDNs are used:

  • LB vserver: webapp-test.domain.com / LB-WEBAPP-TEST
  • AAA vserver: sp.domain.com / AAA-SP-DOMAIN.COM (note: the web browser will never actually access this vserver)
  • ADFS: adfs.domain.com

Unlike the SAML setup, the IDP side has to be done first: the client registration on ADFS must exist before the NetScaler is configured, because the NetScaler OAuth action needs the client ID and client secret that ADFS knows about:

Note: The client secret can be generated any way you like. A random UUID is common, but it does not have to be a UUID; whatever you use, generate it from a cryptographically secure random source and treat it like a password, since anyone holding it can obtain tokens from ADFS as this client.

Now we need to create the OIDC (OAuth) Service Provider action and the authentication policy that uses it, and bind the policy to the AAA vserver:

(Note: As stated above, this policy is bound to the AAA vserver, but its expression matches the hostname of the LB vserver, since in this scenario the web browser is never redirected to the AAA vserver.)

As a last step, create an authentication profile (if one does not already exist) that points to the AAA vserver, and bind it to the LB vserver:
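The whole procedure above in one script, added here as an example and not the original post's own commands. It registers the NetScaler as a confidential OIDC client in AD FS (AD FS 2016 or later is assumed, since the id_token flow needs it), reads the endpoints from the AD FS discovery document instead of typing them by hand, and then generates and pushes the matching NetScaler CLI commands. Assumed values, not from the post: the application group identifier NetScaler-OIDC, the NSIP 10.0.0.10, the object names AUTH-OAUTH-ADFS, POL-OAUTH-ADFS and PROF-SP-DOMAIN.COM, and the redirect URI https://webapp-test.domain.com/oauth/login (NetScaler's OAuth callback path is /oauth/login and the host is the LB vserver, because the browser never sees the AAA vserver). The exact OAuthAction parameter set depends on the NetScaler firmware version.

```powershell
# Added example, not the original post's script. Run on (or remoted into) an AD FS server
# with the ADFS PowerShell module; the NetScaler part goes out over SSH at the end.
$adfsFqdn    = 'adfs.domain.com'
$appFqdn     = 'webapp-test.domain.com'          # LB vserver FQDN: the host the browser talks to
$aaaVserver  = 'AAA-SP-DOMAIN.COM'
$lbVserver   = 'LB-WEBAPP-TEST'
$nsip        = '10.0.0.10'                       # assumed NetScaler management IP
$groupId     = 'NetScaler-OIDC'                  # assumed AD FS application group identifier
$redirectUri = "https://$appFqdn/oauth/login"    # assumed: NetScaler OAuth callback on the LB hostname

# --- 1. AD FS side: client ID, and a secret from a CSPRNG (a UUID is common but not required) ---
$clientId    = [guid]::NewGuid().ToString()
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$clientSecret = [Convert]::ToBase64String($secretBytes)

New-AdfsApplicationGroup -Name 'NetScaler OIDC SP' -ApplicationGroupIdentifier $groupId

# Confidential client: the NetScaler presents this ID/secret at the token endpoint
Add-AdfsServerApplication -ApplicationGroupIdentifier $groupId -Name 'NetScaler SP client' `
    -Identifier $clientId -RedirectUri $redirectUri -ClientSecret $clientSecret

# Resource the client requests; UPN is passed through so the NetScaler can extract it
$rules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId -Name 'NetScaler SP resource' `
    -Identifier $clientId -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone'

# Let the client ask for the openid scope against that resource
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $clientId `
    -ScopeNames 'openid'

# --- 2. Endpoints and issuer straight from AD FS' discovery document (avoids typos in the action) ---
$disco = Invoke-RestMethod -Uri "https://$adfsFqdn/adfs/.well-known/openid-configuration"

# --- 3. NetScaler side: OAuth action, policy matching the LB hostname, bind to AAA, authn profile ---
# -issuer/-audience make the NetScaler reject id_tokens minted for another client or IDP;
# -certEndpoint is where it periodically fetches the signing keys (from the SNIP).
$nsCommands = @"
add authentication OAuthAction AUTH-OAUTH-ADFS -authorizationEndpoint "$($disco.authorization_endpoint)" -tokenEndpoint "$($disco.token_endpoint)" -clientID "$clientId" -clientSecret "$clientSecret" -certEndpoint "$($disco.jwks_uri)" -issuer "$($disco.issuer)" -audience "$clientId" -userNameField upn
add authentication Policy POL-OAUTH-ADFS -rule "HTTP.REQ.HOSTNAME.EQ(\"$appFqdn\")" -action AUTH-OAUTH-ADFS
bind authentication vserver $aaaVserver -policy POL-OAUTH-ADFS -priority 100
add authentication authnProfile PROF-SP-DOMAIN.COM -authnVsName $aaaVserver
set lb vserver $lbVserver -authentication ON -authn401 OFF -authnProfile PROF-SP-DOMAIN.COM
save ns config
"@

# Push over SSH (OpenSSH client on the admin host assumed; the NetScaler CLI reads the
# commands from stdin), or simply paste the contents of $nsCommands into the NetScaler CLI.
$nsCommands | ssh "nsroot@$nsip"
```

Note that no -AuthenticationHost is set on the profile: with only -authnVsName, the NetScaler serves the OAuth callback on the LB vserver hostname itself, which is why the policy expression matches webapp-test.domain.com and why ADFS must have exactly that redirect URI registered. The client secret ends up in the NetScaler configuration, so restrict who can read ns.conf.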

Remember that the NetScaler itself talks to the IDP behind the scenes: it periodically queries the keys endpoint for the signing keys, and it sends the authorization code to the token endpoint to receive the access_token, the id_token (from which it extracts the UPN) and, when ADFS issues one, a refresh_token. This back-channel traffic is sourced from the SNIP, so the SNIP must be able to resolve and reach ADFS on TCP 443. Just as with SAML, the browser never hits the AAA vserver. A packet capture (screenshot in the original post) shows the NetScaler, from its SNIP, sending this request to ADFS:

For troubleshooting, enable Enhanced Authentication Feedback and look at both ns.log on the NetScaler and the AD FS/Admin log in Event Viewer on the ADFS servers. Keep in mind that Enhanced Authentication Feedback shows the end user why a logon failed, which is useful while debugging but is information disclosure in production, so turn it off again afterwards.
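The checks that usually answer "which side broke?", added here as an example and not part of the original post. It verifies from an admin host that the discovery document and the keys endpoint the NetScaler depends on are reachable and consistent, turns on Enhanced Authentication Feedback and pulls the relevant ns.log lines over SSH, and queries the AD FS/Admin log for recent errors. Assumed, not from the post: the NSIP 10.0.0.10, an OpenSSH client on the admin host, and that the AD FS part runs on (or remotes into) an AD FS server. The aaa parameter name is as used on 11.x/12.x firmware.

```powershell
# Added example, not from the original post.
$adfsFqdn = 'adfs.domain.com'
$nsip     = '10.0.0.10'   # assumed NetScaler management IP

# 1. Does the discovery document serve the values configured in the OAuth action?
#    A mismatch in issuer or jwks_uri here is a mismatch in the NetScaler action.
$disco = Invoke-RestMethod -Uri "https://$adfsFqdn/adfs/.well-known/openid-configuration"
$disco | Select-Object issuer, authorization_endpoint, token_endpoint, jwks_uri | Format-List

# 2. Are the signing keys reachable and does the set look sane (kid, use, x5t)?
#    The NetScaler fetches these from its SNIP, so repeat the check from the appliance:
#    'shell' then 'curl -vk https://adfs.domain.com/adfs/discovery/keys'.
(Invoke-RestMethod -Uri $disco.jwks_uri).keys | Select-Object kid, use, x5t | Format-Table

# 3. NetScaler side: enable Enhanced Authentication Feedback for the duration of the
#    troubleshooting (it tells the user *why* a logon failed, so disable it again later),
#    and pull the recent AAA/OAuth lines from ns.log.
@"
set aaa parameter -enableEnhancedAuthFeedback YES
shell grep -i -E "oauth|aaad" /var/log/ns.log | tail -n 50
"@ | ssh "nsroot@$nsip"

# 4. AD FS side: OAuth/OIDC failures (unknown client_id, redirect URI mismatch, bad secret)
#    are logged as errors in the AD FS/Admin log; show the last hour's worth.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = (Get-Date).AddHours(-1) } |
    Where-Object { $_.Message -match 'OAuth|client|redirect' } |
    Select-Object TimeCreated, Id, Message | Format-List

# When done, put the feedback setting back:
#   set aaa parameter -enableEnhancedAuthFeedback NO
```

The redirect URI mismatch is the most common failure in this setup: ADFS compares the redirect_uri the NetScaler sends (https://<LB hostname>/oauth/login) byte for byte against what was registered for the client, so check it first when the AD FS/Admin log shows a client or redirect error.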

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.