HYPR NetScaler Gateway SAML 2.0 Configuration


Configure HYPR as a SAML Identity Provider (IdP) for the NetScaler Gateway.


  • A licensed Citrix NetScaler 10.1.e or above
  • A virtual server configured to use SAML authentication

Configuration Steps

There are three general steps required to establish HYPR as a SAML IdP for the NetScaler. These three steps are outlined below in greater detail.

  1. Creating the HYPR SAML Profile.
  2. Creating the HYPR SAML Policy.
  3. Adding the SAML Policy to the Virtual Server.

Creating the HYPR SAML Profile

  1. Navigate to NetScaler Gateway > Policies > Authentication > SAML.

  2. Select the Servers tab.

  3. Start the configuration process by clicking Add.

  1. Within the Name field input any name that will help you identify the HYPR SAML Server configuration.

  2. Check the Import Metadata checkbox to utilize the HYPR metadata for configuration the SAML settings.

  3. In the SAML Metadata URL field place the URL to your HYPR SAML IdP Metadata. This value is generated during the deployment and the HYPR Support team can help you navigate to it.

  4. Ensure that the Reject Unsigned Assertion field is marked as OFF.

  1. Toggle Two Factor to OFF.

  2. Toggle Signature Algorithm to RSA-SHA256.

  3. Toggle Digest Method to SHA256.

  1. Click Create at the bottom.

Creating the HYPR SAML Policy

Once the SAML Server is created you will be navigated back to the SAML Settings. This is located at NetScaler Gateway > Policies > Authentication > SAML within the NetScaler admin console.

  1. Click into the Policies tab.

  2. Start the configuration process by clicking Add.

  1. Input any Name that will help you identify the HYPR SAML Policy configuration.

  2. In the Server dropdown, select the HYPR SAML server previously created. It will be listed by the name you created in Creating the HYPR SAML Profile, Step 4. The example shows the name as auth_saml_act_hypr.

  3. In the Expression text box type ns_true.

  4. Click Create.


Adding the SAML Policy to the Virtual Server

Now that the SAML server and policy have both been created within the NetScaler, they can be applied to a virtual server.

Navigate to the virtual server in NetScaler that will be utilizing the SAML configuration. The list of virtual servers can be found at: NetScaler Gateway > NetScaler Gateway Virtual Servers.

Once you have navigated to your virtual server, follow these steps:

  1. Under the Basic Authentication section, click the + icon.
  1. For the Choose Policy dropdown select SAML.

  2. For the Choose Type dropdown select Primary.

  3. Click Continue.

  1. For the Select Policy dropdown, select the HYPR SAML policy previously created by name in Creating the HYPR SAML Policy, Step 2.

  2. For the Priority binding input 100. This option can vary when chaining authentication methods, but when using SAML alone, it must be 100.

  3. Click Bind.

  1. Click Done at the bottom to save these settings to the virtual server.
  1. Back in the NetScaler Gateway Virtual Servers tab, click Save at the top right.