Table of Contents
  Table of Contents ........................................... 2
  Solution Summary ............................................ 3
  Supported Authentication Methods by Integration Point ....... 4
  Configuration Summary ....................................... 5
  RSA SecurID Access Configuration ............................ 6
    RSA Cloud Authentication Service Configuration ............ 6
    RSA Authentication Manager Configuration .................. 13
  Partner Product Configuration ............................... 14
    Before You Begin .......................................... 14
    Configure an Authentication Policy ........................ 15
    Bind the SecurID Access Authentication Policy ............. 40
    Configure Risk-Based Authentication ....................... 44
  Login Screenshots ........................................... 52
  Certification Checklist for RSA SecurID Access .............. 54
-- 2 -
Citrix Systems, Inc.
NetScaler Gateway
Solution Summary
Citrix NetScaler can integrate with RSA Cloud Authentication Service by using RADIUS or SAML.
When integrated via RADIUS, users can use policy-driven multi-factor authentication whether authentication happens in the Web browser or in Citrix Receiver. SSO into StoreFront can be maintained using a single primary RADIUS authentication policy.
When integrated via SAML, users can use policy- and context-driven multi-factor authentication for cases where authentication happens in the Web browser. SSO into StoreFront can be maintained either by using an nFactor policy with the RSA Cloud IdP in its "additional authentication only" mode, or by using Citrix Federated Authentication Service (FAS).
Citrix NetScaler can integrate with RSA Authentication Manager in two different ways:
1. Integrate Citrix NetScaler with RSA Authentication Manager using a RADIUS authentication policy. If SSO to StoreFront is needed, include an authentication policy for AD as well.
2. Install the RSA Authentication Agent for Citrix StoreFront on your Citrix StoreFront server(s) and integrate Citrix NetScaler with Citrix StoreFront using a Delegated Forms Authentication (DFA) authentication policy. If SSO to StoreFront is needed, the agent can securely store the users' AD credentials and retrieve them during logon.
Both approaches allow users to authenticate with RSA SecurID whether authentication happens in the Web browser or in Citrix Receiver.
Citrix NetScaler can also be configured with RSA Authentication Manager for Risk-Based Authentication (RBA). When configured, users can be authenticated using RBA in cases where authentication happens in the Web browser. SSO into Citrix StoreFront can be maintained by using the RSA Authentication Agent for Citrix StoreFront with the DFA policy integration approach.
RSA SecurID Access Features              Citrix NetScaler 12.0
On Premise Methods
  RSA SecurID                            ✔
  On Demand Authentication               ✔
  Risk-Based Authentication (AM)         ✔
Cloud Authentication Service Methods
  Authenticate App                       ✔
  FIDO Token                             ✔
SSO
  SAML SSO                               ✔
  HFED SSO                               -
Identity Assurance
Supported Authentication Methods by Integration Point

Cloud Authentication Service
Authentication Methods     IDR SAML   Cloud SAML   REST   HFED   RADIUS
RSA SecurID                ✔          ✔            -      -      ✔
LDAP Password              ✔          ✔            -      -      ✔
Authenticate Approve       ✔          ✔            -      -      ✔
Authenticate Tokencode     ✔          ✔            -      -      ✔
Device Biometrics          ✔          ✔            -      -      ✔
SMS Tokencode              ✔          ✔            -      -      ✔
Voice Tokencode            ✔          ✔            -      -      ✔
FIDO Token                 ✔          ✔                   -

Authentication Manager
Authentication Methods     UDP Agent   TCP Agent   REST   RADIUS
RSA SecurID                ✔           -           -      ✔
AM RBA                     ✔                              ✔

✔    Supported
-    Not supported
n/t  Not yet tested or documented, but may be possible
Configuration Summary
All of the supported use cases of RSA SecurID Access with Citrix NetScaler Gateway require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
RSA Cloud Authentication Service – Citrix NetScaler Gateway can be integrated with RSA Cloud Authentication Service in the following way(s):
  SAML via RSA Identity Router (IdP)
    Cloud Authentication Service – Identity Router IdP Configuration
    Citrix NetScaler Gateway SAML SP Configuration
  SAML via RSA Cloud (IdP), All authentication option
    Cloud Authentication Service – Cloud IdP Configuration
    Citrix NetScaler Gateway SAML SP Configuration
  SAML via RSA Cloud (IdP), Additional authentication only option
    Cloud Authentication Service – Cloud IdP Configuration
    Citrix NetScaler Gateway – nFactor LDAP to SAML Configuration
  RADIUS
    Cloud Authentication Service RADIUS Server Configuration
    Citrix NetScaler Gateway RADIUS Configuration
RSA Authentication Manager – Citrix NetScaler Gateway can be integrated with RSA Authentication Manager in the following way(s):
  RADIUS
    Authentication Manager RADIUS Server Configuration
    Citrix NetScaler Gateway RADIUS Client Configuration
  DFA + RSA Authentication Agent for Citrix StoreFront
    Citrix StoreFront DFA Configuration
  Risk-Based Authentication – RADIUS
    Authentication Manager Risk-Based Configuration
    Citrix NetScaler Gateway Risk-Based Authentication Configuration
  Risk-Based Authentication – DFA + RSA Authentication Agent for Citrix StoreFront
    Authentication Manager Risk-Based Configuration
    Citrix NetScaler Gateway Risk-Based Authentication Configuration
2. On the Basic Information page, specify the application name and click Next Step.
3. On the Connection Profile page, choose IDP-initiated and POST as the method for SAML Request, then scroll down to the SAML Identity Provider (Issuer) section.
4. Upload the certificate and the private key, then scroll down to the Service Provider section.
5. Enter the Assertion Consumer Service (ACS) URL, the Audience (Service Provider Entity
ID) and scroll down to the User Identity section.
6. Set the Identifier Type to Email Address and Property to mail and click Next Step.
7. On the User Access page, select the desired user policy from the drop-down list and click Next Step.
Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the
service provider for SAML SSO.
3. Enter a Name for the relying party and click Next Step.
5. Enter the Assertion Consumer Service URL, Service Provider Entity ID and click Save and
Finish.
6. Select the Edit pull-down list and choose View or Download IdP Metadata.
7. Make a note of the entityID value and click Cancel to close the window. This is the same value as the IdP's SSO Sign-In URL.
Refer to the NetScaler SAML Policy Configuration section for instructions on how to configure the
service provider for SAML SSO.
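As an added example (not RSA or Citrix code), the following Python reads the exported IdP metadata and pulls out the three values the NetScaler SAML server object depends on: the entityID (which, as noted above, equals the Cloud IdP's SSO Sign-In URL), the HTTP-POST SSO location that goes into the Redirect URL field, and the fingerprint of the signing certificate that must match the bound IDP Certificate. The metadata, entityID, URL and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the IdP metadata the console exports. The
# entityID, URL and certificate bytes are placeholders, not real RSA values.
FAKE_DER = b"PLACEHOLDER-DER-CERTIFICATE"
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/IdPServlet?idp_id=placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/IdPServlet?idp_id=placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_DER).decode()


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, as shown by most cert tools."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Return the values the NetScaler SAML server object needs from IdP metadata."""
    root = ET.fromstring(xml_text.strip())
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key must not be trusted for signatures
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_sha256": signing}


def check_sp_binding(meta, redirect_url, bound_cert_sha256):
    """Compare the metadata with what is bound on the SP (Redirect URL and
    IDP Certificate) and return a list of mismatches to fix before go-live."""
    problems = []
    if meta["sso"].get("HTTP-POST") != redirect_url:
        problems.append("Redirect URL differs from the IdP HTTP-POST SSO location")
    if meta["entity_id"] != meta["sso"].get("HTTP-POST"):
        problems.append("entityID does not equal the IdP SSO Sign-In URL")
    if bound_cert_sha256 not in meta["signing_cert_sha256"]:
        problems.append("bound IDP certificate is not a signing key in the metadata")
    return problems
```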
RADIUS
To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console.
Log on to the RSA SecurID Access console, browse to Authentication Clients > RADIUS > Add RADIUS Client and enter the Name, IP Address and Shared Secret. Click Publish to push your configuration change to the RADIUS server.
The RSA Cloud Authentication Service RADIUS server listens on UDP port 1812.
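The RADIUS exchange behind this step, as an added example (not RSA or Citrix code): it shows how the Shared Secret entered above protects the passcode inside the Access-Request that the RADIUS client sends to UDP 1812, and how the same secret lets the client verify that an Access-Accept really came from the server. The user name, passcode, secret and NAS address are constructed placeholders.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts its 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(passcode, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Only the shared secret keeps the passcode unreadable on the wire."""
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident, username, passcode, secret, nas_ip, authenticator=None):
    """Build the Access-Request a RADIUS client such as NetScaler sends to the
    server on UDP 1812. Returns (packet, request_authenticator)."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(passcode, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth


def build_access_accept(ident, request_authenticator, secret):
    """Constructed server reply (no attributes) for the demo. The Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()


def response_is_authentic(response, request_authenticator, secret):
    """Client-side check: a reply whose Response Authenticator does not verify
    under the shared secret must be dropped rather than treated as an accept."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because both protections rest on MD5 keyed only by the shared secret, a short or reused secret and an unrestricted client IP address in the console weaken this integration more than any other setting on the page.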
UDP Agent
To configure your RSA Authentication Manager for use with a UDP-based agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
  Hostname: Configure the agent host record name to match the hostname of the agent.
  IP Address: Configure the agent host record to match the IP address of the agent.
Risk-Based Authentication
To configure your RSA Authentication Manager for risk-based authentication with Citrix NetScaler
Gateway, you must create an agent host record and enable it for risk-based authentication in the RSA
Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based
authentication integration script for the appropriate device type to configure the agent. RSA
Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only.
The latest risk-based authentication script templates are at the following links.
For the RADIUS integration approach:
https://sftp.rsa.com/human.aspx?Username=partner&password=RSAS3cur3d!&arg01=228719215&arg12=downloaddirect&transaction=signon&quiet=true
For the DFA + RSA Authentication Agent for Citrix StoreFront integration approach:
https://sftp.rsa.com/human.aspx?Username=partner&password=RSAS3cur3d!&arg01=458478494&arg12=downloaddirect&transaction=signon&quiet=true
Download this file and copy it to the following directory on your primary RSA Authentication Manager server:
/opt/rsa/am/utils/rba-agents
Please refer to RSA documentation for more information on RBA integration scripts.
Configuration Overview
  Configure an Authentication Policy
    SAML
    RADIUS
    DFA (for use with RSA Authentication Agent for Citrix StoreFront)
    nFactor (LDAP to RSA Cloud IdP)
  Bind the SecurID Access Authentication Policy
  Configure NetScaler Gateway with Risk-Based Authentication
    RADIUS
    DFA + RSA Authentication Agent for Citrix StoreFront
2. Enter a Name for the Authentication SAML Policy and click the + to add a server.
  Enter a Name.
  Add and/or select your public certificate from the IDP Certificate Name drop-down menu.
  Copy the URL from the Identity Provider URL field in the SecurID Access application into the Redirect URL field.
  Enter mail into the User Field.
4. Enter ns_true into the Expression field and click Create.
The SAML authentication policy is complete. Proceed to the Bind the SecurID Access Authentication Policy section of this guide.
3. Configure the RADIUS server settings for Authentication Manager or Cloud Authentication Service and
click Create.
The RADIUS authentication policy is complete. Proceed to the Bind the SecurID Access Authentication Policy section of this guide.
The DFA authentication policy is complete. Proceed to the Bind the SecurID Access Authentication
Policy section of this guide.
2. Add a Name, set IP Address Type to Non Addressable and click OK.
4. Select the Server Certificate from the drop-down menu and click Bind.
5. Click Continue and Continue again to complete the AAA virtual server.
3. Click to open the LoginSchema folder, scroll down to SingleAuth.xml and click Select.
4. Click More to show advanced options. Enter 1 in the User Credential Index field, enter 2 in the
Password Credential Index field, mark the checkbox to Enable Single Sign On Credentials
and click Create.
5. Browse to Configuration > Security > AAA – Application Traffic > Login Schema and click
Add to add a new Login Schema policy.
6. Enter a Name, select your Authentication Login Schema profile from the Profile drop-down menu,
enter a Rule and click Create.
7. Browse to Configuration > Security > AAA – Application Traffic > Virtual Servers and click to
edit your AAA virtual server.
9. Highlight your Authentication Login Schema policy from the list and click Select.
10. Click Bind to bind the policy and then Done to save the changes.
2. Enter a Name, select LDAP from the Authentication Type drop-down menu and click + to add a
new Action.
5. Browse to Configuration > Security > AAA – Application Traffic > Policies > Authentication
> Advanced Policies > PolicyLabel and click Add.
11. Choose END from the Goto Expression drop-down menu and click Bind.
3. Configure the Policy Binding and click Bind and then Done to save your changes.
  Select your AD/LDAP policy from the Select Policy drop-down menu.
  Select NEXT from the Goto Expression drop-down menu.
  Select your SAML policy label from the Select Next Factor drop-down menu.
Configure and Bind the AAA Authentication Profile
1. Browse to Configuration > Security > AAA – Application Traffic > Authentication Profile
and click Add.
2. Enter a Name and an Authentication Host, select your AAA virtual server from the Authentication Virtual Server drop-down menu and click Create.
Note: The Authentication Host field accepts any value but is required in the web console. It is optional when configuring via the shell.
3. Browse to Configuration > NetScaler Gateway > Virtual Servers and edit your NetScaler
Gateway virtual server.
5. Select your nFactor authentication profile from the Authentication Profile drop-down menu and click OK and Done to complete the virtual server configuration.
2. Enter a Name for the traffic policy and click + to add a new Request Profile.
5. Browse to Configuration > NetScaler Gateway > Virtual Servers and click to edit your virtual
server.
7. Select Traffic from the Choose Policy drop-down menu and click Continue.
8. Choose your traffic policy from the Select Policy drop-down menu and click Bind.
Your NetScaler Gateway virtual server is now configured for LDAP authentication with step-up to RSA
Cloud Authentication Service with LDAP credential pass-through to StoreFront.
1. Log on to the NetScaler Gateway web administration console, browse to Configuration > NetScaler Gateway and click to edit the NetScaler Gateway Virtual Server.
3. Select RADIUS or SAML Policy and Primary or Secondary Type and click Continue.
8. Repeat the steps in this section to bind failover / replica server instances. Change the Priority value
to reflect the order in which server instances should be tried.
9. Click Done when finished.
RADIUS
This solution requires that the following components have already been installed and configured:
  Citrix NetScaler configured with:
    Virtual server
    Primary RADIUS policy with no other authentication policies
5. Add the following line to rc.netscaler. This command instructs the NetScaler Gateway to re-copy your modified file into the vpn directory during each boot sequence:
> echo cp /var/customizations/am_integration.js.mod /netscaler/ns_gui/vpn/am_integration.js >> /nsconfig/rc.netscaler
2. Insert the following script line on its own line after the <body> tag:
<body>
<script type="text/javascript" src="/logon/LogonPoint/am_integration_servername.js"></script>
3. Insert the following script block on its own lines above the </body> tag:
<script>
window.onload=receiveCredentialsFromRBA();
</script>
</body>
6. Execute the following shell commands on the device to copy these files to the customization
directory:
> shell
> cd /netscaler/logon/LogonPoint
> cp am_integration_servername.js /var/customizations/am_integration_servername.js.mod
> cp index_servername_rba.html /var/customizations/index_servername_rba.html.mod
> cp rba_logon.html /var/customizations/rba_logon.html.mod
5. Enter the Name, select Redirect from the Type drop-down menu, add the RBA target URL into the
Expression field and click Create.
Login Screenshots
Login screen:
Next Tokencode:
Certification Checklist for RSA SecurID Access
Cloud Authentication Service methods:
  RSA SecurID                            -  ✔
  LDAP Password                          -  ✔
  Authenticate Approve                   -  ✔
  Authenticate Tokencode                 -  ✔
  Device Biometrics                      -  ✔
  SMS Tokencode                          -  ✔
  Voice Tokencode                        -  ✔
  FIDO Token                             -
Authentication Manager methods:
  RSA SecurID                            -  -  -  ✔
  RSA SecurID Software Token Automation  -  -  -  ✔
  On Demand Authentication               -  -  -  ✔
  Risk-Based Authentication              -  ✔