Use of Azure Active Directory with Citrix NetScaler

by Marius Sandbu, CTP, Norway CUGC

Many are moving towards the use of Office365 because of the many possibilities it gives in terms of collaboration or moving towards use of Azure Active Directory because it gives a lot of benefits in terms of integration with other SaaS providers, where Azure Active Directory acts as the identity catalog and gives SSO directly.

Since many enterprises already have an existing on-premises Active Directory and want to incorporate it with Azure Active Directory, it gives us a lot of ways to handle Single Sign On and federated access. The typical setup involves having an Azure AD connect server which is used for user synchronization and that we have an Active Directory Federation Services setup. The user synchronization in most cases only synchronizes the user objects themselves and not the user password since we in most cases want to control and audit this from the local Active Directory environment.

So from an end-user perspective, when a user tries to logon to their Office365 account, the Azure Active directory tenant will see that the user-object which is trying to logon is a federated user which is synchronized from local Active Directory database, and will therefore redirect the authentication attempt to the Web application proxy which is configured with Active Directory Federation Service. Then a user tries to authenticate directly to the Active Directory locally, then the ADFS server will insert a SAML assertion back to the SAML Service Provider in Azure Active Directory and will then authenticate the user to Office365. So this is the regular deployment mode from Microsoft when setting up a hybrid identity solution with Azure Active Directory.

So where does Citrix NetScaler fit in here?
As an ADC it can be used for multiple scenarios.

  • Load balancing of the Proxy servers to provide high-availability
  • Load balancing of the Federation Services server to provide high-availability

For both of these scenarios we only need a regular NetScaler license to set up and configure this type of deployment, and just uses plain load balancing features, we still need the Active Directory federation servers.

We can also use NetScaler to replace the Web Application proxy, since in most cases NetScaler is already placed in the DMZ zone for external access. This uses the AAA-TM feature on NetScaler so it handles the authentication attempts. From an end-user when they try to authenticate to Office365 they will be redirected to an AAA-TM virtual server authentication page where they will be asked to authenticate to the local Active Directory.

There are also some other scenarios where we can leverage Citrix NetScaler, for instance if we want to have Azure Active Directory as the main point of authentication, so we want that to be the SAML iDP. One of these scenarios can be to use the NetScaler as a SAML Service Provider. So for instance if a user wants to connect to their Citrix environment, they go to the NetScaler Gateway URL, because of the SAML SP Policy they will be redirected to the authentication point located in Azure Active Directory, from there they need to logon and the SAML token will be sent back and forwarded to StoreFront and allow for authentication.

Another option is to use NetScaler to replace the Active Directory Federation Services entirely and act as a SAML iDP. Here we have an AAA virtual server which will act as the SAML iDP and process requests from Office365 and other Azure AD enabled applications and will send SAML assertion tokens to Azure AD.

In this case the NetScaler will directly communicate with Active Directory to do LDAP authentication to validate the authentication attempts.

Hopefully you have now seen some of the possbilities that the NetScaler has in terms of features, besides doing the AAA features we can also combine different scenarios. For instance doing load balancing of Active Directory Federation Services for internal authentication and still being able to serve as an Application Proxy replacement.

We can also use other feature to optimize and secure communication such as Content Switching to allow multple Active directory federation endpoints and also have other web services running on the same virtual IP externally.

Now during the course of the next couple of weeks we will dig deeper into each of these scenarios and more best practices about using NetScaler as an addition to ADFS or as a replacement.

Leave a Reply