Step by Step – Citrix Netscaler SSO with PhenixID Authentication Services


This document will guide you through the steps to provide Single-Sign-On to Citrix Netscaler using SAML with PhenixID Authentication Services as SAML IdP. This is useful in these scenarios:

  • Authentication for external users
  • Provide authentication methods not available over RADIUS (for example certificates, username and PhenixID OneTouch)
  • Citrix Federated Authentication Services. In this scenario, PhenixID Authentication Services works as the SAML IdP.

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Citrix Netscaler 11.0 or higher


1. Set up PhenixID Authentication Services as SAML IdP

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.)
  2. Download the IdP signing certificate to a file as described here.
  3. Open the IdP Metadata and get the value of the SingleSignOnService-Location.

  4. If SAML SLO is configured, get the SLO POST URL.
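
Steps 1.3 and 1.4 can be scripted so the URLs are copied from the metadata rather than retyped. The following is an added example, not part of the original guide or PhenixID's code; the host idp.example.test, its paths and the function name idp_endpoints are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; idp.example.test and the paths are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_endpoints(metadata_xml):
    """Return the IdP entityID, SSO locations keyed by binding, and the SLO POST URL."""
    # Only feed this metadata fetched from your own IdP over a trusted channel.
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor found (is this SP metadata?)")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # Step 1.4: only the HTTP-POST SingleLogoutService is wanted; None if SLO is off.
    slo_post = next((e.get("Location")
                     for e in idp.findall(f"{{{MD}}}SingleLogoutService")
                     if e.get("Binding") == POST), None)
    urls = list(sso.values()) + ([slo_post] if slo_post else [])
    insecure = [u for u in urls if not (u or "").startswith("https://")]
    if not sso or insecure:
        raise ValueError(f"missing SSO endpoint or non-HTTPS endpoint: {insecure}")
    return {"entity_id": root.get("entityID"), "sso": sso, "slo_post": slo_post}


if __name__ == "__main__":
    for key, value in idp_endpoints(SAMPLE_IDP_METADATA).items():
        print(key, "=", value)
```

Metadata usually lists one SingleSignOnService per binding, so the result is keyed by binding and the value to paste into the Netscaler can be picked deliberately.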

2. Configure Netscaler

    1. If there is not currently a Gateway VIP configured, consult this link.
    2. Create a SAML authentication policy.
    3. Bind the SAML policy as the only primary policy to the gateway VIP. Click Continue.
  1. Open Traffic Management -> SSL -> Certificates -> CA Certificates.
  2. Install the certificate downloaded in step 1.2
  3. Open Netscaler Gateway -> Policies -> Authentication -> SAML
  4. Select Servers, then Add
  5. Set these properties:
    1. Name = <Friendly name>
    2. IDP Certificate name = <Select the one installed in step 2.3>
    3. Redirect URL = <Value from step 1.3>
    4. Single Logout URL = <Value from step 1.4>
    5. User Field = Name ID
    6. Signing Certificate Name = <Select the certificate (keypair) you would like to use as the signing certificate for the Netscaler SAML SP>
    7. Issuer Name = <Enter the name you would like to use as the entityID for the Netscaler SAML SP. For example: https://mynetscaler/samlsp>
    8. SAML Binding = POST
    9. Click More
    10. Signature algorithm = RSA-SHA256
    11. Create
  6. Open Netscaler Gateway -> Policies -> Authentication -> SAML
  7. Select Policies, then Add
  8. Set these properties:
    1. Name = <Friendly name>
    2. Server = <Select server created in 2.6>
    3. Expression = ns_true
      (<ns_true enables this policy to always be active when bound to a VIP. A more restrictive expression can be created to allow for more control over when this SAML policy is used and should be based on the customer's needs.>)
  9. Click OK to Create.
  10. Open Netscaler Gateway -> Virtual Servers
  11. Edit the virtual server you would like to bind SAML to
  12. Scroll down to Authentication
  13. Unbind any existing policies
  14. In the Authentication section, click the + sign
  15. Set these properties
    1. Choose policy = SAML
    2. Choose type = Primary
  16. Click Continue
  17. In the Policy Binding section, select the policy created in previous step
  18. Set the priority to 100
  19. Click Bind
  20. Click Done

3. Add Netscaler SAML SP Metadata to PhenixID Authentication Services

  1. Create the Netscaler SAML SP metadata XML file. Use the template below and replace the entityID and the AssertionConsumerService Location URL. Place the text in a file using a text editor and save it as an XML file.
    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor entityID="<replace_this_with_value_set_in_step_2.6.7>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="<replace_this_with: https://<citrix_netscaler_virtual_server_fqdn>/cgi/samlauth>"></AssertionConsumerService>
      </SPSSODescriptor>
    </EntityDescriptor>
  2. Upload the metadata file using this Federation Scenario.
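
Before uploading, the SP metadata file can be generated and checked instead of edited by hand. The following is an added example, not part of the original guide or PhenixID's code; the function names and the host gateway.example.test are constructed for illustration, while the /cgi/samlauth path and the HTTP-POST binding come from the template above.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(issuer_name, gateway_fqdn):
    """Fill the template's entityID and AssertionConsumerService Location."""
    if not gateway_fqdn or any(c in gateway_fqdn for c in "/:@ "):
        raise ValueError("gateway_fqdn must be a bare host name (no scheme, port or path)")
    if not issuer_name or issuer_name != issuer_name.strip():
        raise ValueError("issuer_name is empty or has stray whitespace")
    ET.register_namespace("", MD)  # emit the metadata namespace as the default one
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": issuer_name})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "index": "1", "Binding": POST,
        "Location": f"https://{gateway_fqdn}/cgi/samlauth"})
    body = ET.tostring(root, encoding="unicode")  # attribute values are XML-escaped
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def check_sp_metadata(xml_text, issuer_name):
    """Return a list of problems in an SP metadata file; empty means none found."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:  # e.g. a template placeholder left unreplaced
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append("root element is not a SAML metadata EntityDescriptor")
    if root.get("entityID") != issuer_name:
        problems.append("entityID does not match the Netscaler Issuer Name exactly")
    acs = root.findall(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    if not any(a.get("Binding") == POST
               and (a.get("Location") or "").startswith("https://")
               and (a.get("Location") or "").endswith("/cgi/samlauth") for a in acs):
        problems.append("no HTTP-POST AssertionConsumerService at https://.../cgi/samlauth")
    return problems


if __name__ == "__main__":
    # Constructed values: the Issuer Name example from step 2 and a placeholder host.
    xml = build_sp_metadata("https://mynetscaler/samlsp", "gateway.example.test")
    print(xml)
    print(check_sp_metadata(xml, "https://mynetscaler/samlsp") or "OK")
```

The entityID comparison is an exact string match, so a trailing slash or a case difference against the Issuer Name set on the Netscaler is reported as a problem.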


4. Test

  1. Open a web browser
  2. Browse to Netscaler virtual server host
  3. You should be redirected to the IdP (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to Netscaler
  6. You are now logged in to Netscaler.


If you are not sure whether you are logged in or not, please view the Netscaler logs:

  1. Open Configuration -> Authentication -> Logs
  2. Under File to the left, select ns.log
  3. Wait for the system log messages to appear (this might take a while)
  4. Scroll down to find the messages that correlate to the authentication attempt.
  5. Check the error message.
  6. After a successful authentication, Netscaler will produce a message with this information:
