netscaler.adc.authenticationsamlaction module – Configuration for AAA Saml action resource.

Note

This module is part of the netscaler.adc collection (version 2.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.authenticationsamlaction.

New in netscaler.adc 2.0.0

Synopsis

  • Configuration for AAA Saml action resource.

Parameters

Parameter

Comments

api_path

string

Base NITRO API path.

Define only in case of an ADM service proxy call

Default: "nitro/v1/config"

artifactresolutionserviceurl

any

URL of the Artifact Resolution Service on IdP to which Citrix ADC will post artifact to get actual SAML token.

attribute1

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.

attribute10

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.

attribute11

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.

attribute12

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.

attribute13

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.

attribute14

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.

attribute15

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.

attribute16

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.

attribute2

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.

attribute3

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.

attribute4

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.

attribute5

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.

attribute6

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.

attribute7

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.

attribute8

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.

attribute9

any

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.

attributeconsumingserviceindex

any

Index/ID of the attribute specification at Identity Provider (IdP). IdP will locate attributes requested by SP using this index and send those attributes in Assertion

attributes

any

List of attribute names separated by ‘,’ which needs to be extracted.

Note that preceeding and trailing spaces will be removed.

Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes.

These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session

audience

any

Audience for which assertion sent by IdP is applicable. This is typically entity name or url that represents ServiceProvider

authnctxclassref

any

This element specifies the authentication class types that are requested from IdP (IdentityProvider).

InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.

InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.

Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.

MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.

MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.

MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.

MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.

Password: This class is applicable when a principal authenticates using password over unprotected http session.

PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.

PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.

X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.

PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.

SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.

XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.

Smartcard: This indicates that the principal has authenticated using smartcard.

SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.

SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.

Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.

NomadTelephony: Indicates that the principal is “roaming” and authenticates via the means of the line number, a user suffix, and a password element.

PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.

AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.

SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.

TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.

TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.

Unspecified: This indicates that the authentication was performed by unspecified means.

Windows: This indicates that Windows integrated authentication is utilized for authentication.

Choices:

  • "InternetProtocol"

  • "InternetProtocolPassword"

  • "Kerberos"

  • "MobileOneFactorUnregistered"

  • "MobileTwoFactorUnregistered"

  • "MobileOneFactorContract"

  • "MobileTwoFactorContract"

  • "Password"

  • "PasswordProtectedTransport"

  • "PreviousSession"

  • "X509"

  • "PGP"

  • "SPKI"

  • "XMLDSig"

  • "Smartcard"

  • "SmartcardPKI"

  • "SoftwarePKI"

  • "Telephony"

  • "NomadTelephony"

  • "PersonalTelephony"

  • "AuthenticatedTelephony"

  • "SecureRemotePassword"

  • "TLSClient"

  • "TimeSyncToken"

  • "Unspecified"

  • "Windows"

customauthnctxclassref

any

This element specifies the custom authentication class reference to be sent as a part of the Authentication Request that is sent by the SP to SAML IDP. The input string must be the body of the authentication class being requested.

Input format: Alphanumeric string or URL specifying the body of the Request.If more than one string has to be provided, then the same can be done by specifying the classes as a string of comma separated values.

Example input: set authentication samlaction samlact1 -customAuthnCtxClassRef http://www.class1.com/LoA1,http://www.class2.com/LoA2

defaultauthenticationgroup

any

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

digestmethod

any

Algorithm to be used to compute/verify digest for SAML transactions

Choices:

  • "SHA1"

  • "SHA256"

enforceusername

any

Option to choose whether the username that is extracted from SAML assertion can be edited in login page while doing second factor

Choices:

  • "ON"

  • "OFF"

forceauthn

any

Option that forces authentication at the Identity Provider (IdP) that receives Citrix ADC’s request

Choices:

  • "ON"

  • "OFF"

groupnamefield

any

Name of the tag in assertion that contains user groups.

logoutbinding

any

This element specifies the transport mechanism of saml logout messages.

Choices:

  • "REDIRECT"

  • "POST"

logouturl

any

SingleLogout URL on IdP to which logoutRequest will be sent on Citrix ADC session cleanup.

managed_netscaler_instance_id

string

added in netscaler.adc 2.6.0

The ID of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_ip

string

added in netscaler.adc 2.6.0

The IP of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_name

string

added in netscaler.adc 2.6.0

The name of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_password

string

added in netscaler.adc 2.6.0

The password of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

managed_netscaler_instance_username

string

added in netscaler.adc 2.6.0

The username of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

metadatarefreshinterval

any

Interval in minutes for fetching metadata from specified metadata URL

metadataurl

any

This URL is used for obtaining saml metadata. Note that it fills samlIdPCertName and samlredirectUrl fields so those fields should not be updated when metadataUrl present

name

any

Name for the SAML server profile (action).

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after SAML profile is created.

The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’).

netscaler_console_as_proxy_server

boolean

added in netscaler.adc 2.6.0

The IP address of the NetScaler ADC appliance acting as a proxy server.

Define only in case of an ADM service proxy call

Choices:

  • false ← (default)

  • true

nitro_auth_token

string

The authentication token provided by a login operation.

nitro_pass

string

The password with which to authenticate to the NetScaler ADC node.

nitro_protocol

string

Which protocol to use when accessing the nitro API objects.

Choices:

  • "http"

  • "https" ← (default)

nitro_user

string

The username with which to authenticate to the NetScaler ADC node.

nsip

string / required

The ip address of the NetScaler ADC appliance where the nitro API calls will be made.

The port can be specified with the colon (:). E.g. 192.168.1.1:555.

relaystaterule

any

Boolean expression that will be evaluated to validate the SAML Response.

Examples:

set authentication samlaction <actionname> -relaystateRule ‘AAA.LOGIN.RELAYSTATE.EQ(”https://fqdn.com/”)’

set authentication samlaction <actionname> -relaystateRule ‘AAA.LOGIN.RELAYSTATE.CONTAINS(”https://fqdn.com/”)’

set authentication samlaction <actionname> -relaystateRule ‘AAA.LOGIN.RELAYSTATE.CONTAINS_ANY(“patset_name”)’

set authentication samlAction samlsp -relaystateRule ‘AAA.LOGIN.RELAYSTATE.REGEX_MATCH(re#http://<regex>.com/#)’.

requestedauthncontext

any

This element specifies the authentication context requirements of authentication statements returned in the response.

Choices:

  • "exact"

  • "minimum"

  • "maximum"

  • "better"

samlacsindex

any

Index/ID of the metadata entry corresponding to this configuration.

samlbinding

any

This element specifies the transport mechanism of saml messages.

Choices:

  • "REDIRECT"

  • "POST"

  • "ARTIFACT"

samlidpcertname

string

Name of the SSL certificate used to verify responses from SAML Identity Provider (IdP). Note that if metadateURL is present then this filed should be empty.

samlissuername

any

The name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.

samlredirecturl

any

URL to which users are redirected for authentication. Note that if metadateURL is present then this filed should be empty

samlrejectunsignedassertion

any

Reject unsigned SAML assertions. ON option results in rejection of Assertion that is received without signature. STRICT option ensures that both Response and Assertion are signed. OFF allows unsigned Assertions.

Choices:

  • "ON"

  • "OFF"

  • "STRICT"

samlsigningcertname

any

Name of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).

samltwofactor

any

Option to enable second factor after SAML

Choices:

  • "ON"

  • "OFF"

samluserfield

any

SAML user ID, as given in the SAML assertion.

save_config

boolean

If true the module will save the configuration on the NetScaler ADC node if it makes any changes.

The module will not save the configuration on the NetScaler ADC node if it made no changes.

Choices:

  • false ← (default)

  • true

sendthumbprint

any

Option to send thumbprint instead of x509 certificate in SAML request

Choices:

  • "ON"

  • "OFF"

signaturealg

any

Algorithm to be used to sign/verify SAML transactions

Choices:

  • "RSA-SHA1"

  • "RSA-SHA256"

skewtime

any

This option specifies the allowed clock skew in number of minutes that Citrix ADC ServiceProvider allows on an incoming assertion. For example, if skewTime is 10, then assertion would be valid from (current time - 10) min to (current time + 10) min, ie 20min in all.

state

string

The state of the resource being configured by the module on the NetScaler ADC node.

When present, the resource will be added/updated configured according to the module’s parameters.

When absent, the resource will be deleted from the NetScaler ADC node.

When unset, the resource will be unset on the NetScaler ADC node.

Choices:

  • "present" ← (default)

  • "absent"

  • "unset"

statechecks

any

Boolean expression that will be evaluated to validate HTTP requests on SAML endpoints.

Examples:

set authentication samlaction <actionname> -stateChecks ‘HTTP.REQ.HOSTNAME.EQ(”https://fqdn.com/”)’

storesamlresponse

any

Option to store entire SAML Response through the life of user session.

Choices:

  • "ON"

  • "OFF"

validate_certs

boolean

If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

Notes

Note

Examples

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

changed

boolean

Indicates if any change is made by the module

Returned: always

Sample: true

diff

dictionary

Dictionary of before and after changes

Returned: always

Sample: {"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}

diff_list

list / elements=string

List of differences between the actual configured object and the configuration specified in the module

Returned: when changed

Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]

failed

boolean

Indicates if the module failed or not

Returned: always

Sample: false

loglines

list / elements=string

list of logged messages by the module

Returned: always

Sample: ["message 1", "message 2"]

Authors

  • Sumanth Lingappa (@sumanth-lingappa)