Since Citrix ADC release 13, Citrix NetScaler contains the SAML features that are required to use second factor only (SFO) authentication with SURFsecureID. This allows adding 2nd factor authentication with SURFsecureID to Citrix NetScaler while using local authentication for the first factor. The local authentication is typically required for Windows domain authentication. If local authentication is not required then authentication to SURFconext directly is a much simpler option. SURFconext can optionally handle 2nd factor authentication with SURFsecureID.

Configuration overview

First configure first factor authentication in your Citrix environment. For configuring SFO the first factor authentication must result in the user id ("uid") of the user in SURFconext. This is the value of the the urn:mace:dir:attribute-def:uid SAML Attribute (called "Claim" in AD FS) that the Identity Provider (IdP) of your institution sends to SURFconext during authentication.

To use SFO you must configure Citrix to do a second factor SAML authentication to SURFsecureID. In this configuration Citrix is a SAML Service Provider (SP) and SURFsecureID is a SAML Identity Provider (IdP). During the second factor authentication Citrix sends a SAML AuthnRequest that contains the SURFconext identifier of the user you are authenticating to SURFsecureID. SURFsecureID then authenticates the second factor of the user and returns a SAML Response with the authentication result back to Citrix.

See Second Factor Only (SFO) Authentication for a technical description of SFO.

In short you must configure Citrix to:

• Use SURFsecureID SFO as a SAML IdP for authenticating the second factor of a user. You need the SAML Metadata of this IdP: https://metadata.surfconext.nl/surfsecureid-sfo-metadata.xml
• Configure Citrix to use the HTTP-Redirect binding to send the AuthnRequest to SURFsecureID
• Configure Citrix to sign the AuthnRequest with the RSA-SHA256 (Algorithm:  http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
• Configure Citrix to set the Subject NameID in the AuthnRequest to urn:collab:person:<SHO>:<UID>. Where:
  • <UID> is the value of the urn:mace:dir:attribute-def:uid attribute that your institution's IdP sends to SURFconext
  • <SHO> is the value of the urn:mace:terena.org:attribute-def:schacHomeOrganization attribute that your institution's IdP sends to SURFconext. This will typically be the same value for all your users, so you can use this a constant.
• Set the RequestedAuthnConextClassRef in the AuthnRequest to the Required LoA.

Finally provide the SAML Metadata of the Citrix SP to support@surfconext.nl. This is also the address for any questions you might have. Note that we have a lot of experience supporting integrating SURFsecureID in many environments, but we are not Citrix experts.