NetScaler Gateway SAML 2.0 Configuration

This guide covers the configuration of HYPR for the Citrix NetScaler Gateway.


This deployment requires a licensed Citrix NetScaler 10.1.e or above. The NetScaler must have a virtual server configured that will utilize the SAML authentication.

Configuration Steps

Three general steps are required to establish HYPR as a SAML IdP for the NetScaler. These are outlined below in greater detail.

Creating the HYPR SAML Profile

  1. You will need to start by navigating to the SAML Server configuration settings. To do this navigate to: 'NetScaler Gateway / Policies / Authentication / SAML'

  2. When you reach the SAML configuration settings, you will first need to select the 'Servers' tab.

  3. Within the Servers tab, start the configuration process by clicking on 'Add'.


Follow these steps to configure the HYPR Identity Provider within the 'Create Authentication SAML Server' settings.

  4. Within the 'Name*' field, input any name that will help you identify the HYPR SAML Server configuration.

  5. Check the 'Import Metadata' checkbox. This allows the HYPR metadata to be used to configure the SAML settings.

  6. In the 'SAML Metadata URL' field, place the URL to your HYPR SAML IdP Metadata. This value is generated during the deployment and the HYPR support team can help you navigate to it.

  7. Ensure that the 'Reject Unsigned Assertion*' field is marked 'OFF'.

  8. For the 'Two Factor' option, toggle the setting to 'OFF'.

  9. For the 'Signature Algorithm*' option, toggle the setting to 'RSA-SHA256'.

  10. For the 'Digest Method*' option, toggle the setting to 'SHA256'.

  11. Select the blue 'Create' button at the bottom.

Creating the HYPR SAML Policy

Once the SAML Server is created, you will be returned to the SAML settings. These are located at 'NetScaler Gateway / Policies / Authentication / SAML' within the NetScaler admin console.

Click into the 'Policies' tab and follow these steps to create the SAML policy.

  1. Within the Policies tab, start the configuration process by clicking on 'Add'.

  2. Within the 'Name*' field input any name that will help you identify the HYPR SAML Policy configuration.

  3. In the 'Server*' dropdown, select the HYPR SAML server previously created. It will be listed by the name you created in step 4. The example shows the name as 'auth_saml_act_hypr'.

  4. In the 'Expression*' text box, write the following: 'ns_true'

  5. With this configuration, select the blue 'Create' button.


Adding the SAML Policy to the Virtual Server

Now that the SAML server and policy have both been created within the NetScaler, the policy can be applied to a virtual server.

You will need to navigate to the virtual server within the NetScaler that will be utilizing the SAML configuration. The list of virtual servers can be found at: 'NetScaler Gateway / NetScaler Gateway Virtual Servers'

Once you have navigated to your virtual server follow these steps:

  1. Click the '+' icon under the 'Basic Authentication' section.

  2. For the 'Choose Policy*' dropdown select 'SAML'.

  3. For the 'Choose Type*' dropdown select 'Primary'.

  4. Select the blue 'Continue' button to proceed to the next menu.

  5. For the 'Select Policy*' drop-down, select the HYPR SAML Policy previously created by name. The name was set in step 2 of the SAML Policy steps.

  6. For the 'Priority*' binding input '100'. This option can vary when chaining authentication methods, but when using SAML as the only authentication method 100 will be your input.

  7. Select the blue 'Bind' button to complete this configuration.

  8. Click the 'Done' button at the bottom to save these settings to the virtual server.

  9. Back in the 'NetScaler Gateway Virtual Servers' tab hit save at the top right.
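
The following check is an added example, not part of the original guide and not HYPR or Citrix code. It reads a text export of the NetScaler configuration (for instance the output of 'show ns runningConfig'), follows each virtual server binding to its SAML policy and SAML server, and reports where the settings differ from the values chosen in this guide, along with the 'Reject Unsigned Assertion' value in force. Assumptions: the CLI option names are the command-line counterparts of the GUI fields, and the sample configuration, metadata URL, policy name and virtual server name are constructed placeholders.

```python
import shlex

# Constructed ns.conf excerpt (not from a real appliance). The metadata URL,
# policy name and virtual server name are placeholders.
SAMPLE_NS_CONF = """\
add authentication samlAction auth_saml_act_hypr -metadataUrl "https://hypr.example.invalid/metadata" -samlRejectUnsignedAssertion OFF -samlTwoFactor OFF -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication samlPolicy auth_saml_pol_hypr ns_true auth_saml_act_hypr
bind vpn vserver vs_gateway_example -policy auth_saml_pol_hypr -priority 100
"""

# Values this guide sets in the 'Create Authentication SAML Server' dialog
# (CLI option names assumed to correspond to the GUI fields).
GUIDE_VALUES = {
    "samlRejectUnsignedAssertion": "OFF",
    "samlTwoFactor": "OFF",
    "signatureAlg": "RSA-SHA256",
    "digestMethod": "SHA256",
}

def parse_options(tokens):
    """Turn ['-key', 'value', ...] into {'key': 'value'}."""
    opts, it = {}, iter(tokens)
    for tok in it:
        if tok.startswith("-"):
            opts[tok[1:]] = next(it, "")
    return opts

def audit(conf_text):
    """Return one report entry per virtual server that has a SAML policy bound."""
    actions, policies, binds = {}, {}, []
    for line in conf_text.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "authentication", "samlAction"]:
            actions[t[3]] = parse_options(t[4:])
        elif t[:3] == ["add", "authentication", "samlPolicy"]:
            policies[t[3]] = (t[4], t[5])  # (expression, SAML server name)
        elif t[:3] == ["bind", "vpn", "vserver"]:
            binds.append((t[3], parse_options(t[4:])))
    report = []
    for vserver, opts in binds:
        if opts.get("policy") not in policies:
            continue  # binding of some other policy type
        rule, action = policies[opts["policy"]]
        cfg = actions.get(action, {})
        report.append({
            "vserver": vserver, "policy": opts["policy"], "action": action,
            "expression": rule, "priority": opts.get("priority"),
            # option -> value found (None means the option is absent from the export)
            "differs_from_guide": {k: cfg.get(k) for k, v in GUIDE_VALUES.items() if cfg.get(k) != v},
            "reject_unsigned_assertion": cfg.get("samlRejectUnsignedAssertion", "not set"),
        })
    return report
```

An empty 'differs_from_guide' means the SAML server matches the values in this guide; 'reject_unsigned_assertion' is reported separately so a reviewer can see whether the virtual server accepts assertions that carry no signature.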