Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

SAML | Citrix ADC

Cloudflare for Teams can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you how to configure Citrix ADC as a SAML IdP. These steps are specific to Teams.

Set up Citrix ADC (SAML)

To set up Citrix ADC (SAML) as your identity provider:

  1. First, you'll need to configure 2 SAML certificates:

    • A certificate to terminate TLS at the vServer.

    • A certificate for signing SAML assertions.

    If you do not already have a certificate for signing SAML assertions, you can use a self-signed certificate generated on Citrix ADC by following these steps:

    1. Navigate to **Traffic Management > SSL**.2. Select **Create and Install a Server Test Certificate**.

    Citrix AD Configuration

  2. Select Configuration and enter a Certificate File Name, Fully Qualified Domain Name, and a select a Country.

    Citrix AD Create and Install Test Certificate

  3. Create a publicly accessible authentication vServer and configure the user identity source (like, local users, LDAP) by following this Citrix documentation.

    For the rest of this example, the user refers to the IdP address idp.yourdomain.com.

Add a new profile

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP to add a new profile.

    Include the following required configuration details:

    FieldDescription
    NameThe certificate name you defined while configuring SAML
    Assertion Consumer Service URLhttps://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
    IdP Certificate NameThe IdP certificate name you defined while configuring SAML
    Issuer Namehttps://idp.<yourdomain>.com/saml/login
    Service Provider IDhttps://idp.<yourdomain>.com/saml/login
    Name ID FormatEmailAddress
    Attribute 1email = AAA.USER.ATTRIBUTE("email")

    Cloudflare Access currently sends the IdP address in place of the Service Provider ID for the AuthN request.

    Citrix AD Configure Authentication SAML IDP Profile

  2. Create an Authentication Policy that refers to the Profile just created, and bind it to the authentication vServer mentioned above.

    Citrix AD Configure Authentication SAML IDP Policy

    To configure all of the above using just the CLI, run the following:

    add authentication samlIdPProfile samlProf_CloudflareAccess \    -samlIdPCertName SAML_Signing \    -assertionConsumerServiceURL "https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback" \    -samlIssuerName "https://idp.yourdomain.com/saml/login" \    -rejectUnsignedRequests OFF \    -NameIDFormat emailAddress \    -Attribute1 email \    -Attribute1Expr "AAA.USER.ATTRIBUTE(\"email\")" \    -Attribute1Format Basic \    -serviceProviderID "https://idp.yourdomain.com/saml/login"
    add authentication samlIdPPolicy samlPol_CloudflareAccess -rule true -action samlProf_CloudflareAccessbind authentication vserver nsidp -policy samlPol_CloudflareAccess
  3. On the Teams dashboard, navigate to Configuration > Authentication.

  4. Click + Add under Login Methods, and select SAML.

  5. Configure the fields as follows:

    FieldDescription
    NameYour chosen name
    Single Sign On URLThe FQDN of the IdP, with the path /saml/login
    IdP Entity ID/Issuer URLAs above
    Signing CertificateThe public certificate from the NetScaler
    Email attribute nameThis is listed under Optional configurations
  6. Click Save.

To test that your connection is working, navigate to Authentication > Login methods and click Test next to the login method you want to test.