netscaler.adc.authenticationsamlidpprofile module – Configuration for AAA Saml IdentityProvider (IdP) profile resource.

Note

This module is part of the netscaler.adc collection (version 2.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.authenticationsamlidpprofile.

New in netscaler.adc 2.0.0

Synopsis

  • Configuration for AAA Saml IdentityProvider (IdP) profile resource.

Parameters

Parameter

Comments

acsurlrule

any

Expression that will be evaluated to allow Assertion Consumer Service URI coming in the SAML Request

api_path

string

Base NITRO API path.

Define only in case of an ADM service proxy call

Default: "nitro/v1/config"

assertionconsumerserviceurl

any

URL to which the assertion is to be sent.

attribute1

any

Name of attribute1 that needs to be sent in SAML Assertion

attribute10

any

Name of attribute10 that needs to be sent in SAML Assertion

attribute10expr

string

Expression that will be evaluated to obtain attribute10’s value to be sent in Assertion

attribute10format

any

Format of Attribute10 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute10friendlyname

any

User-Friendly Name of attribute10 that needs to be sent in SAML Assertion

attribute11

any

Name of attribute11 that needs to be sent in SAML Assertion

attribute11expr

string

Expression that will be evaluated to obtain attribute11’s value to be sent in Assertion

attribute11format

any

Format of Attribute11 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute11friendlyname

any

User-Friendly Name of attribute11 that needs to be sent in SAML Assertion

attribute12

any

Name of attribute12 that needs to be sent in SAML Assertion

attribute12expr

string

Expression that will be evaluated to obtain attribute12’s value to be sent in Assertion

attribute12format

any

Format of Attribute12 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute12friendlyname

any

User-Friendly Name of attribute12 that needs to be sent in SAML Assertion

attribute13

any

Name of attribute13 that needs to be sent in SAML Assertion

attribute13expr

string

Expression that will be evaluated to obtain attribute13’s value to be sent in Assertion

attribute13format

any

Format of Attribute13 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute13friendlyname

any

User-Friendly Name of attribute13 that needs to be sent in SAML Assertion

attribute14

any

Name of attribute14 that needs to be sent in SAML Assertion

attribute14expr

string

Expression that will be evaluated to obtain attribute14’s value to be sent in Assertion

attribute14format

any

Format of Attribute14 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute14friendlyname

any

User-Friendly Name of attribute14 that needs to be sent in SAML Assertion

attribute15

any

Name of attribute15 that needs to be sent in SAML Assertion

attribute15expr

string

Expression that will be evaluated to obtain attribute15’s value to be sent in Assertion

attribute15format

any

Format of Attribute15 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute15friendlyname

any

User-Friendly Name of attribute15 that needs to be sent in SAML Assertion

attribute16

any

Name of attribute16 that needs to be sent in SAML Assertion

attribute16expr

string

Expression that will be evaluated to obtain attribute16’s value to be sent in Assertion

attribute16format

any

Format of Attribute16 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute16friendlyname

any

User-Friendly Name of attribute16 that needs to be sent in SAML Assertion

attribute1expr

string

Expression that will be evaluated to obtain attribute1’s value to be sent in Assertion

attribute1format

any

Format of Attribute1 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute1friendlyname

any

User-Friendly Name of attribute1 that needs to be sent in SAML Assertion

attribute2

any

Name of attribute2 that needs to be sent in SAML Assertion

attribute2expr

string

Expression that will be evaluated to obtain attribute2’s value to be sent in Assertion

attribute2format

any

Format of Attribute2 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute2friendlyname

any

User-Friendly Name of attribute2 that needs to be sent in SAML Assertion

attribute3

any

Name of attribute3 that needs to be sent in SAML Assertion

attribute3expr

string

Expression that will be evaluated to obtain attribute3’s value to be sent in Assertion

attribute3format

any

Format of Attribute3 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute3friendlyname

any

User-Friendly Name of attribute3 that needs to be sent in SAML Assertion

attribute4

any

Name of attribute4 that needs to be sent in SAML Assertion

attribute4expr

string

Expression that will be evaluated to obtain attribute4’s value to be sent in Assertion

attribute4format

any

Format of Attribute4 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute4friendlyname

any

User-Friendly Name of attribute4 that needs to be sent in SAML Assertion

attribute5

any

Name of attribute5 that needs to be sent in SAML Assertion

attribute5expr

string

Expression that will be evaluated to obtain attribute5’s value to be sent in Assertion

attribute5format

any

Format of Attribute5 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute5friendlyname

any

User-Friendly Name of attribute5 that needs to be sent in SAML Assertion

attribute6

any

Name of attribute6 that needs to be sent in SAML Assertion

attribute6expr

string

Expression that will be evaluated to obtain attribute6’s value to be sent in Assertion

attribute6format

any

Format of Attribute6 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute6friendlyname

any

User-Friendly Name of attribute6 that needs to be sent in SAML Assertion

attribute7

any

Name of attribute7 that needs to be sent in SAML Assertion

attribute7expr

string

Expression that will be evaluated to obtain attribute7’s value to be sent in Assertion

attribute7format

any

Format of Attribute7 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute7friendlyname

any

User-Friendly Name of attribute7 that needs to be sent in SAML Assertion

attribute8

any

Name of attribute8 that needs to be sent in SAML Assertion

attribute8expr

string

Expression that will be evaluated to obtain attribute8’s value to be sent in Assertion

attribute8format

any

Format of Attribute8 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute8friendlyname

any

User-Friendly Name of attribute8 that needs to be sent in SAML Assertion

attribute9

any

Name of attribute9 that needs to be sent in SAML Assertion

attribute9expr

string

Expression that will be evaluated to obtain attribute9’s value to be sent in Assertion

attribute9format

any

Format of Attribute9 to be sent in Assertion.

Choices:

  • "URI"

  • "Basic"

attribute9friendlyname

any

User-Friendly Name of attribute9 that needs to be sent in SAML Assertion

audience

any

Audience for which assertion sent by IdP is applicable. This is typically entity name or url that represents ServiceProvider

defaultauthenticationgroup

any

This group will be part of AAA session’s internal group list. This will be helpful to admin in Nfactor flow to decide right AAA configuration for Relaying Party. In authentication policy AAA.USER.IS_MEMBER_OF(”<default_auth_group>”) is way to use this feature.

digestmethod

any

Algorithm to be used to compute/verify digest for SAML transactions

Choices:

  • "SHA1"

  • "SHA256"

encryptassertion

any

Option to encrypt assertion when Citrix ADC IDP sends one.

Choices:

  • "ON"

  • "OFF"

encryptionalgorithm

any

Algorithm to be used to encrypt SAML assertion

Choices:

  • "DES3"

  • "AES128"

  • "AES192"

  • "AES256"

keytransportalg

any

Key transport algorithm to be used in encryption of SAML assertion

Choices:

  • "RSA-V1_5"

  • "RSA_OAEP"

logoutbinding

any

This element specifies the transport mechanism of saml logout messages.

Choices:

  • "REDIRECT"

  • "POST"

managed_netscaler_instance_id

string

added in netscaler.adc 2.6.0

The ID of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_ip

string

added in netscaler.adc 2.6.0

The IP of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_name

string

added in netscaler.adc 2.6.0

The name of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_password

string

added in netscaler.adc 2.6.0

The password of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

managed_netscaler_instance_username

string

added in netscaler.adc 2.6.0

The username of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

metadatarefreshinterval

any

Interval in minute for fetching metadata from specified metadata URL

metadataurl

any

This URL is used for obtaining samlidp metadata

name

any

Name for the new saml single sign-on profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after an action is created.

The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my action” or ‘my action’).

nameidexpr

any

Expression that will be evaluated to obtain NameIdentifier to be sent in assertion

nameidformat

any

Format of Name Identifier sent in Assertion.

Choices:

  • "Unspecified"

  • "emailAddress"

  • "X509SubjectName"

  • "WindowsDomainQualifiedName"

  • "kerberos"

  • "entity"

  • "persistent"

  • "transient"

netscaler_console_as_proxy_server

boolean

added in netscaler.adc 2.6.0

The IP address of the NetScaler ADC appliance acting as a proxy server.

Define only in case of an ADM service proxy call

Choices:

  • false ← (default)

  • true

nitro_auth_token

string

The authentication token provided by a login operation.

nitro_pass

string

The password with which to authenticate to the NetScaler ADC node.

nitro_protocol

string

Which protocol to use when accessing the nitro API objects.

Choices:

  • "http"

  • "https" ← (default)

nitro_user

string

The username with which to authenticate to the NetScaler ADC node.

nsip

string / required

The ip address of the NetScaler ADC appliance where the nitro API calls will be made.

The port can be specified with the colon (:). E.g. 192.168.1.1:555.

rejectunsignedrequests

any

Option to Reject unsigned SAML Requests. ON option denies any authentication requests that arrive without signature.

Choices:

  • "ON"

  • "OFF"

samlbinding

any

This element specifies the transport mechanism of saml messages.

Choices:

  • "REDIRECT"

  • "POST"

  • "ARTIFACT"

samlidpcertname

any

Name of the certificate used to sign the SAMLResposne that is sent to Relying Party or Service Provider after successful authentication

samlissuername

any

The name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.

samlsigningcertversion

any

version of the certificate in signature service used to sign the SAMLResposne that is sent to Relying Party or Service Provider after successful authentication

samlspcertname

any

Name of the SSL certificate of SAML Relying Party. This certificate is used to verify signature of the incoming AuthnRequest from a Relying Party or Service Provider

samlspcertversion

any

version of the certificate in signature service used to verify the signature of the incoming AuthnRequest from a Relying Party or Service Provider

save_config

boolean

If true the module will save the configuration on the NetScaler ADC node if it makes any changes.

The module will not save the configuration on the NetScaler ADC node if it made no changes.

Choices:

  • false ← (default)

  • true

sendpassword

any

Option to send password in assertion.

Choices:

  • "ON"

  • "OFF"

serviceproviderid

any

Unique identifier of the Service Provider that sends SAML Request. Citrix ADC will ensure that the Issuer of the SAML Request matches this URI. In case of SP initiated sign-in scenarios, this value must be same as samlIssuerName configured in samlAction.

signassertion

any

Option to sign portions of assertion when Citrix ADC IDP sends one. Based on the user selection, either Assertion or Response or Both or none can be signed

Choices:

  • "NONE"

  • "ASSERTION"

  • "RESPONSE"

  • "BOTH"

signaturealg

any

Algorithm to be used to sign/verify SAML transactions

Choices:

  • "RSA-SHA1"

  • "RSA-SHA256"

signatureservice

any

Name of the service in cloud used to sign the data

skewtime

any

This option specifies the number of minutes on either side of current time that the assertion would be valid. For example, if skewTime is 10, then assertion would be valid from (current time - 10) min to (current time + 10) min, ie 20min in all.

splogouturl

any

Endpoint on the ServiceProvider (SP) to which logout messages are to be sent

state

string

The state of the resource being configured by the module on the NetScaler ADC node.

When present, the resource will be added/updated configured according to the module’s parameters.

When absent, the resource will be deleted from the NetScaler ADC node.

When unset, the resource will be unset on the NetScaler ADC node.

Choices:

  • "present" ← (default)

  • "absent"

  • "unset"

validate_certs

boolean

If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

Notes

Note

Examples

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

changed

boolean

Indicates if any change is made by the module

Returned: always

Sample: true

diff

dictionary

Dictionary of before and after changes

Returned: always

Sample: {"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}

diff_list

list / elements=string

List of differences between the actual configured object and the configuration specified in the module

Returned: when changed

Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]

failed

boolean

Indicates if the module failed or not

Returned: always

Sample: false

loglines

list / elements=string

list of logged messages by the module

Returned: always

Sample: ["message 1", "message 2"]

Authors

  • Sumanth Lingappa (@sumanth-lingappa)