Citrix Blogs

NetScaler AAA-TM integration with SiteMinder protected web resources

Web Access Management solutions have been used to control access to web resources since the early 1990s, and CA SiteMinder is one of the earliest and most mature web access management solutions on the market. With security a leading concern, identity management together with policy-based authorization control has come to the fore in recent years. Citrix NetScaler has an integrated AAA-TM feature that provides granular, policy-controlled authentication, authorization and auditing of access to web resources. Integrating CA SiteMinder with Citrix NetScaler yields a comprehensive, policy-controlled solution for secure remote access to web resources. Combined, the solutions provide user access management, authentication, authorization, auditing, resource management and reverse proxying to deliver secure web application access for internal and external users.

CA SiteMinder and Citrix NetScaler share a common vision around identity and access management and have partnered to provide an integrated solution hosted on the NetScaler SDX platform. See the announcement: Citrix and CA Technologies Sign Agreement to Integrate NetScaler and SiteMinder

The method outlined below describes one way to integrate the two solutions using the AAA-TM and HTTP Callout features on the NetScaler.

User experience without NetScaler:
1. User types ws.company.com into the browser.
2. If the default page is not protected by SiteMinder, the request goes through.
3. If the user goes to a protected resource such as ws.company.com/sm/test, SiteMinder presents a login page.
4. Once the user enters login credentials, they are passed to SiteMinder, which generates a unique SMSESSION cookie for each user; this is how it maintains an authenticated session for the application.
5. Once authenticated successfully, the user gets access to the protected web page.

Requirement:
The NetScaler must single sign-on (SSO) the user to the SiteMinder login page for the protected resources.

High Level Method:
1. Create an AAA vServer on the NetScaler.
2. Create a CS vServer for the application, with CS policies that invoke AAA only for the protected pages.
3. Create an HTTP Callout on the NetScaler to obtain the SMSESSION cookie and pass it along to the application.
4. Create a responder policy that redirects the request to the application along with the cookie.

User experience with NetScaler:
1. User types ws.company.com; no AAA page appears, because the default CS policy directs the request to an LB vServer with no AAA authentication.
2. User types ws.company.com/sm/test; an AAA login page is presented by the NetScaler.
3. User enters login credentials.
4. A responder policy checks for the absence of the FORMCRED cookie, which the SiteMinder agent on the web service issues when it receives a successfully authenticated request.
5. If the FORMCRED cookie does not exist, the NetScaler redirects the user to the protected web page: as part of that redirect it issues an HTTP Callout to the SiteMinder login page with the user's credentials, pulls out the SMSESSION cookie once authentication succeeds, and passes it along to the protected web page.

CLI Commands:

add policy httpCallout POST_SM
set policy httpCallout POST_SM -vServer vip_siteminder_http -returnType TEXT -httpMethod POST -hostExpr "\"service.company.com\"" -urlStemExpr "\"/websign/form/login.fcc\"" -headers Request("CalloutRequest") -parameters USER(http.REQ.USER.NAME) PASSWORD(http.REQ.USER.PASSWD) SMAUTHREASON("0") SMAGENTNAME("aeIm5G5km3Jr2d5UN0HiZaEa7j1qfYkWJNne0FSPtilb1c8Ja76yk7Qi/b2fbwUc") POSTPRESERVATIONDATA("") TARGET("http://ws.company.com/sm/test/") -resultExpr http.RES.SET_COOKIE
add responder action redirect_to_ws respondwith q{"HTTP/1.1 302 Object Moved\r\n"+"Location:http://ws.company.com/sm/test"+"\r\n"+"Set-Cookie:"+SYS.HTTP_CALLOUT(POST_SM)+"\r\n\r\n"} -bypassSafetyCheck YES
add responder policy aaa_sm_responder "HTTP.REQ.HOSTNAME.CONTAINS(\"ws.company.com\") && HTTP.REQ.COOKIE.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"FORMCRED\").NOT" redirect_to_ws
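
As an added illustration (not part of the original post, and not NetScaler or SiteMinder code), the following Python script simulates the exchange the commands above set up: a stand-in for the login.fcc credential collector that issues an SMSESSION cookie on valid credentials, a callout that POSTs the same form fields as POST_SM and returns the reply's Set-Cookie header (what http.RES.SET_COOKIE yields), and a responder that fires only when no FORMCRED cookie is present and builds the 302 the redirect_to_ws action emits. The loopback server, the agent-name placeholder, the test account and the cookie value are all constructed for the demo.

```python
import http.client
import threading
import urllib.parse
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the stand-in credential collector (not from the post).
FCC_PATH = "/websign/form/login.fcc"
SM_AGENT_NAME = "AGENTNAME-PLACEHOLDER"      # the real value comes from your login.fcc
TARGET = "http://ws.company.com/sm/test/"
VALID_USERS = {"alice": "correct-horse"}     # constructed test account


class FakeLoginFcc(BaseHTTPRequestHandler):
    """Stand-in for SiteMinder's form credential collector: on good credentials
    it answers 302 with an SMSESSION cookie, otherwise 200 with the login form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("USER", [""])[0]
        if VALID_USERS.get(user) == form.get("PASSWORD", [""])[0]:
            self.send_response(302)
            self.send_header("Location", form.get("TARGET", ["/"])[0])
            self.send_header("Set-Cookie",
                             f"SMSESSION=constructed-token-for-{user}; Path=/; HttpOnly")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>login form again</html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_fcc():
    """Run the stand-in on an ephemeral loopback port; returns (host, port)."""
    server = HTTPServer(("127.0.0.1", 0), FakeLoginFcc)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def sm_http_callout(host, port, user, password, target):
    """Equivalent of the POST_SM callout: POST the fields login.fcc expects and
    return the raw Set-Cookie header of the reply, or None if no cookie was set."""
    body = urllib.parse.urlencode({
        "USER": user, "PASSWORD": password, "SMAUTHREASON": "0",
        "SMAGENTNAME": SM_AGENT_NAME, "POSTPRESERVATIONDATA": "", "TARGET": target,
    })
    conn = http.client.HTTPConnection(host, port, timeout=5)
    # http.client does not follow redirects, so the 302 from login.fcc is seen as-is
    conn.request("POST", FCC_PATH, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    set_cookie = resp.getheader("Set-Cookie")
    conn.close()
    return set_cookie


def formcred_present(cookie_header):
    """aaa_sm_responder's test: HTTP.REQ.COOKIE.SET_TEXT_MODE(IGNORECASE).CONTAINS("FORMCRED")."""
    return "formcred" in (cookie_header or "").lower()


def responder(cookie_header, user, password, fcc_host, fcc_port, target=TARGET):
    """Mirror of the responder policy plus the redirect_to_ws action. Returns the
    raw 302 response to send, or None when the policy does not fire or SSO failed."""
    if formcred_present(cookie_header):
        return None                      # policy does not match; request flows to the LB vServer
    set_cookie = sm_http_callout(fcc_host, fcc_port, user, password, target)
    # Added check: only redirect with a cookie if SiteMinder actually minted SMSESSION;
    # the original action would otherwise emit an empty Set-Cookie header.
    if not set_cookie or "SMSESSION" not in SimpleCookie(set_cookie):
        return None
    return ("HTTP/1.1 302 Object Moved\r\n"
            f"Location: {target}\r\n"
            f"Set-Cookie: {set_cookie}\r\n\r\n")


def run_demo():
    """Exercise the three cases: good credentials, bad credentials, FORMCRED already present."""
    host, port = start_fake_fcc()
    return {
        "good_creds": responder(None, "alice", "correct-horse", host, port),
        "bad_creds": responder(None, "alice", "wrong", host, port),
        "already_formcred": responder("FormCred=abc; other=1", "alice", "correct-horse", host, port),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, "->", repr(result))
```

The one deliberate difference from the CLI action is the failure path: the script returns nothing when the callout comes back without an SMSESSION cookie, whereas redirect_to_ws concatenates whatever SYS.HTTP_CALLOUT(POST_SM) returned, which on a failed SiteMinder login is an empty Set-Cookie header followed by a redirect into a loop through the AAA page. Checking the callout result before redirecting is the check worth adding on the NetScaler side as well.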

Notes:

The parameters specified when creating the HTTP Callout are unique to each web resource protected by SiteMinder and can be found by viewing that resource's login.fcc page in a text editor.
