
Citrix ADC SAML

Cloudflare Access can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you how to configure Citrix ADC as a SAML IdP. These steps are specific to Access.

Configure SAML

  1. Configure 2 SAML certificates:

    • A certificate to terminate TLS at the vServer.

    • A certificate for signing SAML assertions. If you do not already have a certificate for signing SAML assertions, you can use a self-signed certificate generated on Citrix ADC by following these steps:

      1. Navigate to Traffic Management > SSL.
      2. Select Create and Install a Server Test Certificate.


  2. Select Configuration and enter a Certificate File Name and Fully Qualified Domain Name, and select a Country.


  3. Create a publicly accessible authentication vServer and configure the user identity source (for example, local users or LDAP) by following this Citrix documentation.

    For the rest of this example, the IdP address is referred to as idp.yourdomain.com.

  4. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP to add a new profile.

    Include the following required configuration details:

    • Name: This is the IdP certificate name you defined in Step 1.

    • Assertion Consumer Service URL: https://example.cloudflareaccess.com/cdn-cgi/access/callback

    • IdP Certificate Name: This is the certificate name you defined in Step 1.

    • Issuer Name: https://idp.<yourdomain>.com/saml/login

    • Service Provider ID: https://idp.<yourdomain>.com/saml/login

    • Name ID Format: EmailAddress

    • Attribute 1: email = AAA.USER.ATTRIBUTE("email")

      Cloudflare Access currently sends the IdP address in place of the Service Provider ID for the AuthN request.


  5. Create an Authentication Policy that refers to the Profile just created, and bind it to the authentication vServer mentioned above.


    To configure all of the above using just the CLI, run the following:

    add authentication samlIdPProfile samlProf_CloudflareAccess \
        -samlIdPCertName SAML_Signing \
        -assertionConsumerServiceURL "https://example.cloudflareaccess.com/cdn-cgi/access/callback" \
        -samlIssuerName "https://idp.yourdomain.com/saml/login" \
        -rejectUnsignedRequests OFF \
        -NameIDFormat emailAddress \
        -Attribute1 email \
        -Attribute1Expr "AAA.USER.ATTRIBUTE(\"email\")" \
        -Attribute1Format Basic \
        -serviceProviderID "https://idp.yourdomain.com/saml/login"
    add authentication samlIdPPolicy samlPol_CloudflareAccess -rule true -action samlProf_CloudflareAccess
    bind authentication vserver nsidp -policy samlPol_CloudflareAccess

  6. Navigate to your Cloudflare dashboard, select the Access app, and click Login Methods.


  7. Select SAML from the identity provider options.


  8. Configure the fields as follows:

    • Provider Name: Your choice of name

    • Single Sign On URL: The FQDN of the IdP, with the path /saml/login

    • IdP Entity ID/Issuer URL: As above

    • Signing Certificate: Paste in the public certificate you export from the NetScaler

    • Email attribute name: Email address


  9. Click Save.

  10. Click Test.

    This tests your SAML integration and provides descriptive errors if Access cannot authenticate with your Citrix ADC deployment.

  11. On success, return to the Edit SAML Identity Provider screen and click Save.

  12. Click Close.
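A structural pre-flight check for a response produced by the profile above, added here as an example and not Cloudflare's or Citrix's code: it confirms that the Destination, Issuer, NameID format and email attribute match what was entered on both sides. The SAML response is constructed for the example, and the check does not verify the XML signature, which Access performs itself using the certificate pasted in step 8.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values as entered in the Citrix SAML IdP profile and the Access SAML settings above.
EXPECTED = {
    "issuer": "https://idp.yourdomain.com/saml/login",
    "acs_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback",
    "email_attr": "email",
}

# Constructed sample of what the profile above emits (signature omitted; Access
# verifies the signature itself with the certificate pasted in step 8).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://example.cloudflareaccess.com/cdn-cgi/access/callback">
  <saml:Issuer>https://idp.yourdomain.com/saml/login</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@yourdomain.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@yourdomain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected=EXPECTED):
    """Return the list of mismatches between a response and the expected settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the Access callback URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer does not match the IdP Entity ID configured in Access")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in emailAddress format")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    email = attrs.get(expected["email_attr"])
    if not email:
        problems.append('attribute "%s" is missing or empty' % expected["email_attr"])
    elif name_id is not None and email != name_id.text:
        problems.append("email attribute does not match the NameID")
    return problems
```

An empty list means the response carries everything Access expects from this profile; each entry otherwise points at the setting to re-check on the Citrix or Access side.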