
authentication samlAction

The following operations can be performed on "authentication samlAction":

add | rm | set | unset | show

add authentication samlAction


Creates an action (profile) for a Security Assertion Markup Language (SAML) server. The profile contains all configuration data necessary to communicate with that SAML server.

Synopsis

add authentication samlAction <name> {-samlIdPCertName <string>} {-samlSigningCertName <string>} {-samlRedirectUrl <string>} {-samlACSIndex <positive_integer>} {-samlUserField <string>} {-samlRejectUnsignedAssertion <samlRejectUnsignedAssertion>} {-samlIssuerName <string>} {-samlTwoFactor ( ON | OFF )} [-defaultAuthenticationGroup <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] [-Attribute4 <string>] [-Attribute5 <string>] [-Attribute6 <string>] [-Attribute7 <string>] [-Attribute8 <string>] [-Attribute9 <string>] [-Attribute10 <string>] [-Attribute11 <string>] [-Attribute12 <string>] [-Attribute13 <string>] [-Attribute14 <string>] [-Attribute15 <string>] [-Attribute16 <string>] [-Attributes <string>] {-signatureAlg ( RSA-SHA1 | RSA-SHA256 )} {-digestMethod ( SHA1 | SHA256 )} [-requestedAuthnContext <requestedAuthnContext>] [-authnCtxClassRef <authnCtxClassRef> ...] [-samlBinding <samlBinding>] [-attributeConsumingServiceIndex <positive_integer>] [-sendThumbprint ( ON | OFF )] [-enforceUserName ( ON | OFF )] [-logoutURL <string>] [-artifactResolutionServiceURL <string>] [-skewTime <mins>] [-logoutBinding ( REDIRECT | POST )] [-forceAuthn ( ON | OFF )] [-groupNameField <string>] [-audience <string>] [-metadataUrl <string> [-metadataRefreshInterval <positive_integer>]] [-storeSAMLResponse ( ON | OFF )]

Arguments

name

Name for the SAML server profile (action).

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the SAML profile is created.

The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication action" or 'my authentication action').

samlIdPCertName

Name of the SSL certificate used to verify responses from SAML Identity Provider (IdP).

samlSigningCertName

Name of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).

samlRedirectUrl

URL to which users are redirected for authentication.

samlACSIndex

Index/ID of the metadata entry corresponding to this configuration.

Default value: 255

Minimum value: 0

Maximum value: 255

samlUserField

SAML user ID, as given in the SAML assertion.

samlRejectUnsignedAssertion

Controls whether unsigned SAML assertions are rejected. ON rejects any Assertion that is received without a signature. STRICT requires both the Response and the Assertion to be signed. OFF accepts unsigned Assertions, which means the origin and integrity of the assertion are not verified.

Possible values: ON, OFF, STRICT

Default value: ON

samlIssuerName

The name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.

samlTwoFactor

Option to enable a second authentication factor after SAML authentication.

Possible values: ON, OFF

Default value: OFF

defaultAuthenticationGroup

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.

Attribute2

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.

Attribute3

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.

Attribute4

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.

Attribute5

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.

Attribute6

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.

Attribute7

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.

Attribute8

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.

Attribute9

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.

Attribute10

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.

Attribute11

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.

Attribute12

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.

Attribute13

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.

Attribute14

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.

Attribute15

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.

Attribute16

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.

Attributes

List of attribute names, separated by ',', whose values need to be extracted.

Leading and trailing spaces are removed.

Each attribute name can be up to 127 bytes, and the total length of the list must not exceed 2047 bytes.

Multi-valued attributes are supported; values are separated by ',' and stored as key-value pairs in the AAA session.

signatureAlg

Algorithm used to sign and verify SAML transactions. RSA-SHA1 is retained only for interoperability with legacy IdPs; SHA-1 is deprecated for digital signatures, so keep the default unless the IdP cannot do otherwise.

Possible values: RSA-SHA1, RSA-SHA256

Default value: RSA-SHA256

digestMethod

Algorithm used to compute and verify digests for SAML transactions. As with signatureAlg, use SHA1 only where a legacy IdP requires it.

Possible values: SHA1, SHA256

Default value: SHA256

requestedAuthnContext

This element specifies the authentication context requirements of authentication statements returned in the response.

Possible values: exact, minimum, maximum, better

Default value: exact

authnCtxClassRef

Specifies the authentication context classes requested from the Identity Provider (IdP).

InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.

InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.

Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.

MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.

MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.

MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.

MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.

Password: This class is applicable when a principal authenticates using a password over an unprotected HTTP session.

PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.

PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.

X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.

PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.

SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.

XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.

Smartcard: This indicates that the principal has authenticated using a smartcard.

SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.

SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.

Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.

NomadTelephony: Indicates that the principal is "roaming" and authenticates via the means of the line number, a user suffix, and a password element.

PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.

AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.

SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.

TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.

TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.

Unspecified: This indicates that the authentication was performed by unspecified means.

Windows: This indicates that Windows integrated authentication is utilized for authentication.

samlBinding

Specifies the transport binding used for SAML messages.

Possible values: REDIRECT, POST, ARTIFACT

Default value: POST

attributeConsumingServiceIndex

Index/ID of the attribute specification at the Identity Provider (IdP). The IdP uses this index to locate the attributes requested by the SP and returns them in the Assertion.

Default value: 255

Minimum value: 0

Maximum value: 255

sendThumbprint

Option to send the certificate thumbprint instead of the X.509 certificate in the SAML request.

Possible values: ON, OFF

Default value: OFF

enforceUserName

Specifies whether the username extracted from the SAML assertion can be edited on the login page during second-factor authentication. ON enforces the extracted username; OFF allows the user to change it.

Possible values: ON, OFF

Default value: ON

logoutURL

SingleLogout URL on IdP to which logoutRequest will be sent on Citrix ADC session cleanup.

artifactResolutionServiceURL

URL of the Artifact Resolution Service on the IdP to which Citrix ADC posts the artifact to retrieve the actual SAML message.

skewTime

Allowed clock skew, in minutes, that the Citrix ADC Service Provider tolerates on an incoming assertion. For example, if skewTime is 10, the assertion is accepted from (current time - 10) min to (current time + 10) min, i.e. a 20-minute window in total. Keep the value as small as clock synchronization between the ADC and the IdP allows; every extra minute lengthens the period during which a captured assertion remains acceptable.

Default value: 5

logoutBinding

Specifies the transport binding used for SAML logout messages.

Possible values: REDIRECT, POST

Default value: POST

forceAuthn

Option that forces authentication at the Identity Provider (IdP) that receives Citrix ADC's request

Possible values: ON, OFF

Default value: OFF

groupNameField

Name of the attribute in the assertion that contains the user's groups.

audience

Audience for which the assertion sent by the IdP is applicable. This is typically the entity name or URL that represents the Service Provider.

metadataUrl

URL from which the IdP's SAML metadata is fetched.

metadataRefreshInterval

Interval, in minutes, between fetches of metadata from the specified metadata URL.

Default value: 36000

Minimum value: 0

storeSAMLResponse

Option to store the entire SAML Response for the life of the user session.

Possible values: ON, OFF

Default value: OFF

rm authentication samlAction


Removes a SAML profile (action). An action cannot be removed if it is bound to a policy.

Synopsis

rm authentication samlAction <name>

Arguments

name

Name of the SAML profile to be removed.

set authentication samlAction


Modifies the specified parameters of a SAML server profile (action).

Synopsis

set authentication samlAction <name> [-samlIdPCertName <string>] [-samlSigningCertName <string>] [-samlRedirectUrl <string>] [-samlACSIndex <positive_integer>] [-samlUserField <string>] [-samlRejectUnsignedAssertion <samlRejectUnsignedAssertion>] [-samlIssuerName <string>] [-samlTwoFactor ( ON | OFF )] [-defaultAuthenticationGroup <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] [-Attribute4 <string>] [-Attribute5 <string>] [-Attribute6 <string>] [-Attribute7 <string>] [-Attribute8 <string>] [-Attribute9 <string>] [-Attribute10 <string>] [-Attribute11 <string>] [-Attribute12 <string>] [-Attribute13 <string>] [-Attribute14 <string>] [-Attribute15 <string>] [-Attribute16 <string>] [-Attributes <string>] [-signatureAlg ( RSA-SHA1 | RSA-SHA256 )] [-digestMethod ( SHA1 | SHA256 )] [-requestedAuthnContext <requestedAuthnContext>] [-authnCtxClassRef <authnCtxClassRef> ...] [-samlBinding <samlBinding>] [-attributeConsumingServiceIndex <positive_integer>] [-sendThumbprint ( ON | OFF )] [-enforceUserName ( ON | OFF )] [-logoutURL <string>] [-artifactResolutionServiceURL <string>] [-skewTime <mins>] [-logoutBinding ( REDIRECT | POST )] [-forceAuthn ( ON | OFF )] [-groupNameField <string>] [-audience <string>] [-metadataUrl <string>] [-metadataRefreshInterval <positive_integer>] [-storeSAMLResponse ( ON | OFF )]

Arguments

name

Name of the SAML profile (action) to modify.

samlIdPCertName

Name of the SSL certificate used to verify responses from SAML Identity Provider (IdP).

samlSigningCertName

Name of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).

samlRedirectUrl

URL to which users are redirected for authentication.

samlACSIndex

Index/ID of the metadata entry corresponding to this configuration.

Default value: 255

Minimum value: 0

Maximum value: 255

samlUserField

SAML user ID, as given in the SAML assertion.

samlRejectUnsignedAssertion

Controls whether unsigned SAML assertions are rejected. ON rejects any Assertion that is received without a signature. STRICT requires both the Response and the Assertion to be signed. OFF accepts unsigned Assertions, which means the origin and integrity of the assertion are not verified.

Possible values: ON, OFF, STRICT

Default value: ON

samlIssuerName

The name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.

samlTwoFactor

Option to enable a second authentication factor after SAML authentication.

Possible values: ON, OFF

Default value: OFF

defaultAuthenticationGroup

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.

Attribute2

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.

Attribute3

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.

Attribute4

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.

Attribute5

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.

Attribute6

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.

Attribute7

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.

Attribute8

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.

Attribute9

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.

Attribute10

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.

Attribute11

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.

Attribute12

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.

Attribute13

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.

Attribute14

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.

Attribute15

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.

Attribute16

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.

Attributes

List of attribute names, separated by ',', whose values need to be extracted.

Leading and trailing spaces are removed.

Each attribute name can be up to 127 bytes, and the total length of the list must not exceed 2047 bytes.

Multi-valued attributes are supported; values are separated by ',' and stored as key-value pairs in the AAA session.

signatureAlg

Algorithm to be used to sign/verify SAML transactions

Possible values: RSA-SHA1, RSA-SHA256

Default value: RSA-SHA256

digestMethod

Algorithm to be used to compute/verify digest for SAML transactions

Possible values: SHA1, SHA256

Default value: SHA256

requestedAuthnContext

This element specifies the authentication context requirements of authentication statements returned in the response.

Possible values: exact, minimum, maximum, better

Default value: exact

authnCtxClassRef

Specifies the authentication context classes requested from the Identity Provider (IdP).

InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.

InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.

Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.

MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.

MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.

MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.

MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.

Password: This class is applicable when a principal authenticates using a password over an unprotected HTTP session.

PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.

PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.

X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.

PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.

SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.

XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.

Smartcard: This indicates that the principal has authenticated using a smartcard.

SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.

SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.

Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.

NomadTelephony: Indicates that the principal is "roaming" and authenticates via the means of the line number, a user suffix, and a password element.

PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.

AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.

SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.

TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.

TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.

Unspecified: This indicates that the authentication was performed by unspecified means.

Windows: This indicates that Windows integrated authentication is utilized for authentication.

samlBinding

Specifies the transport binding used for SAML messages.

Possible values: REDIRECT, POST, ARTIFACT

Default value: POST

attributeConsumingServiceIndex

Index/ID of the attribute specification at the Identity Provider (IdP). The IdP uses this index to locate the attributes requested by the SP and returns them in the Assertion.

Default value: 255

Minimum value: 0

Maximum value: 255

sendThumbprint

Option to send the certificate thumbprint instead of the X.509 certificate in the SAML request.

Possible values: ON, OFF

Default value: OFF

enforceUserName

Specifies whether the username extracted from the SAML assertion can be edited on the login page during second-factor authentication. ON enforces the extracted username; OFF allows the user to change it.

Possible values: ON, OFF

Default value: ON

logoutURL

SingleLogout URL on IdP to which logoutRequest will be sent on Citrix ADC session cleanup.

artifactResolutionServiceURL

URL of the Artifact Resolution Service on the IdP to which Citrix ADC posts the artifact to retrieve the actual SAML message.

skewTime

Allowed clock skew, in minutes, that the Citrix ADC Service Provider tolerates on an incoming assertion. For example, if skewTime is 10, the assertion is accepted from (current time - 10) min to (current time + 10) min, i.e. a 20-minute window in total. Keep the value as small as clock synchronization between the ADC and the IdP allows; every extra minute lengthens the period during which a captured assertion remains acceptable.

Default value: 5

logoutBinding

Specifies the transport binding used for SAML logout messages.

Possible values: REDIRECT, POST

Default value: POST

forceAuthn

Option that forces authentication at the Identity Provider (IdP) that receives Citrix ADC's request

Possible values: ON, OFF

Default value: OFF

groupNameField

Name of the attribute in the assertion that contains the user's groups.

audience

Audience for which the assertion sent by the IdP is applicable. This is typically the entity name or URL that represents the Service Provider.

metadataUrl

URL from which the IdP's SAML metadata is fetched.

metadataRefreshInterval

Interval, in minutes, between fetches of metadata from the specified metadata URL.

Default value: 36000

Minimum value: 0

storeSAMLResponse

Option to store the entire SAML Response for the life of the user session.

Possible values: ON, OFF

Default value: OFF

unset authentication samlAction


Use this command to remove authentication samlAction settings. Refer to the set authentication samlAction command for the meanings of the arguments.

Synopsis

unset authentication samlAction <name> [-samlSigningCertName] [-samlRedirectUrl] [-samlACSIndex] [-samlUserField] [-samlRejectUnsignedAssertion] [-samlIssuerName] [-samlTwoFactor] [-defaultAuthenticationGroup] [-Attribute1] [-Attribute2] [-Attribute3] [-Attribute4] [-Attribute5] [-Attribute6] [-Attribute7] [-Attribute8] [-Attribute9] [-Attribute10] [-Attribute11] [-Attribute12] [-Attribute13] [-Attribute14] [-Attribute15] [-Attribute16] [-Attributes] [-signatureAlg] [-digestMethod] [-requestedAuthnContext] [-authnCtxClassRef] [-samlBinding] [-attributeConsumingServiceIndex] [-sendThumbprint] [-enforceUserName] [-logoutURL] [-artifactResolutionServiceURL] [-skewTime] [-logoutBinding] [-forceAuthn] [-groupNameField] [-audience] [-metadataUrl] [-metadataRefreshInterval] [-storeSAMLResponse]
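Putting the add, set and unset arguments together, the following is a worked configuration added here as an example; it is not taken from the Citrix ADC reference or from any Citrix document. It shows a weak profile next to a hardened one, then remediates the weak profile in place. The profile names, certificate names (which must already be installed on the appliance under those names), URLs and attribute names are assumptions. Lines beginning with # are annotations for the reader, not CLI input.

```nscli
# Weak profile: unsigned assertions accepted, SHA-1 signatures and digests,
# no audience restriction. Nothing here lets the ADC tell a forged assertion from a real one.
add authentication samlAction saml_act_weak -samlIdPCertName idp_signing_cert -samlRedirectUrl https://idp.example.com/saml/sso -samlUserField userPrincipalName -samlIssuerName https://sp.example.com/saml -samlRejectUnsignedAssertion OFF -signatureAlg RSA-SHA1 -digestMethod SHA1

# Hardened profile: both Response and Assertion must be signed with RSA-SHA256 by the
# certificate in idp_signing_cert, the assertion must name this SP as its audience,
# clock skew is tightened to 2 minutes, requests are signed, and logout is wired up.
add authentication samlAction saml_act_idp -samlIdPCertName idp_signing_cert -samlSigningCertName sp_signing_cert -samlRedirectUrl https://idp.example.com/saml/sso -samlUserField userPrincipalName -samlIssuerName https://sp.example.com/saml -samlRejectUnsignedAssertion STRICT -signatureAlg RSA-SHA256 -digestMethod SHA256 -audience https://sp.example.com/saml -skewTime 2 -samlBinding POST -requestedAuthnContext minimum -authnCtxClassRef PasswordProtectedTransport -groupNameField memberOf -Attributes "mail,memberOf" -logoutURL https://idp.example.com/saml/slo -logoutBinding POST

# Remediate the weak profile in place: the name cannot change after creation,
# but every security-relevant argument can be tightened with set.
set authentication samlAction saml_act_weak -samlSigningCertName sp_signing_cert -samlRejectUnsignedAssertion STRICT -signatureAlg RSA-SHA256 -digestMethod SHA256 -audience https://sp.example.com/saml -skewTime 2

# Return optional settings to their documented defaults instead of leaving stale values behind.
unset authentication samlAction saml_act_weak -forceAuthn -storeSAMLResponse

# Confirm the effective configuration of each profile.
show authentication samlAction saml_act_idp
show authentication samlAction saml_act_weak
```

Three points follow from the argument descriptions above. STRICT is the only samlRejectUnsignedAssertion value that requires the enclosing Response to be signed as well as the Assertion, so it is the setting to use unless the IdP cannot sign responses. The -audience value is what the ADC compares against the assertion's audience, so it should be the SP identifier the IdP was configured with, not a guess. Finally, -samlIdPCertName does not appear in the unset synopsis: the certificate used to verify the IdP can be replaced with set but never removed, which is the intended behaviour for a verification anchor.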

show authentication samlAction


Displays the current configuration settings for the specified SAML server profile (action).

Synopsis

show authentication samlAction [<name>]

Arguments

name

Name of the SAML server profile.

Outputs

samlIdPCertName

Name of the SSL certificate used to verify responses from SAML Identity Provider (IdP).

samlSigningCertName

Name of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).

samlRedirectUrl

URL to which users are redirected for authentication.

samlACSIndex

Index/ID of the metadata entry corresponding to this configuration.

samlUserField

SAML user ID, as given in the SAML assertion.

samlRejectUnsignedAssertion

Controls whether unsigned SAML assertions are rejected. ON rejects any Assertion that is received without a signature. STRICT requires both the Response and the Assertion to be signed. OFF accepts unsigned Assertions, which means the origin and integrity of the assertion are not verified.

samlIssuerName

The name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.

samlTwoFactor

Option to enable a second authentication factor after SAML authentication.

defaultAuthenticationGroup

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Attribute1

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.

Attribute2

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.

Attribute3

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.

Attribute4

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.

Attribute5

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.

Attribute6

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.

Attribute7

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.

Attribute8

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.

Attribute9

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.

Attribute10

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.

Attribute11

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.

Attribute12

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.

Attribute13

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.

Attribute14

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.

Attribute15

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.

Attribute16

Name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.

Attributes

List of attribute names, separated by ',', whose values need to be extracted.

Leading and trailing spaces are removed.

Each attribute name can be up to 127 bytes, and the total length of the list must not exceed 2047 bytes.

Multi-valued attributes are supported; values are separated by ',' and stored as key-value pairs in the AAA session.

signatureAlg

Algorithm to be used to sign/verify SAML transactions

digestMethod

Algorithm to be used to compute/verify digest for SAML transactions

requestedAuthnContext

This element specifies the authentication context requirements of authentication statements returned in the response.

authnCtxClassRef

Specifies the authentication context classes requested from the Identity Provider (IdP).

InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.

InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.

Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.

MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.

MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.

MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.

MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.

Password: This class is applicable when a principal authenticates using a password over an unprotected HTTP session.

PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.

PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.

X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.

PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.

SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.

XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.

Smartcard: This indicates that the principal has authenticated using a smartcard.

SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.

SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.

Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.

NomadTelephony: Indicates that the principal is "roaming" and authenticates via the means of the line number, a user suffix, and a password element.

PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.

AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.

SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.

TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.

TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.

Unspecified: This indicates that the authentication was performed by unspecified means.

Windows: This indicates that Windows integrated authentication is utilized for authentication.

samlBinding

This element specifies the transport mechanism (binding) used for SAML messages.

attributeConsumingServiceIndex

Index/ID of the attribute specification at the Identity Provider (IdP). The IdP uses this index to locate the attributes requested by the SP and sends those attributes in the assertion.

sendThumbprint

Option to send the certificate thumbprint instead of the full X.509 certificate in the SAML request.

enforceUserName

Option that controls whether the username extracted from the SAML assertion can be edited on the login page during second-factor authentication. Set to ON, the asserted username is enforced and cannot be changed by the user.

logoutURL

Single Logout URL on the IdP to which a LogoutRequest is sent when the Citrix ADC session is cleaned up.

artifactResolutionServiceURL

URL of the Artifact Resolution Service on the IdP to which Citrix ADC posts the received artifact in order to retrieve the actual SAML token (used with the artifact binding).

skewTime

Allowed clock skew, in minutes, that the Citrix ADC service provider tolerates on an incoming assertion. For example, if skewTime is 10, an assertion is accepted from (current time - 10 min) to (current time + 10 min), that is, the validity window is widened by 20 minutes in total. Keep this value as small as your clock synchronization allows: every minute of skew also extends the window in which a captured assertion can be replayed.

logoutBinding

This element specifies the transport mechanism (REDIRECT or POST) used for SAML logout messages.

forceAuthn

Option that forces the Identity Provider (IdP) receiving the Citrix ADC's request to re-authenticate the user, rather than reuse an existing IdP session.

groupNameField

Name of the attribute in the assertion that contains the user's groups.

audience

Audience for which the assertion sent by the IdP is applicable. This is typically the entity name or URL that represents the service provider, and it should match the Audience value the IdP places in the assertion's AudienceRestriction.
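The following is an added example, not Citrix ADC code, of the service-provider side of three settings described above: the RequestedAuthnContext element built from authnCtxClassRef short names, the widened validity window that skewTime produces around NotBefore/NotOnOrAfter, and the Audience check. It runs against a constructed, unsigned assertion; the Comparison value "exact", the sample timestamps and the hostnames are assumptions for illustration and do not describe what the appliance actually sends.

```python
# Added example (not Citrix ADC code): the service-provider side of the
# requestedAuthnContext/authnCtxClassRef, skewTime and audience settings,
# run against a constructed assertion. Class names are the short names
# listed above; they map onto the SAML 2.0 authentication context URIs.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def requested_authn_context(class_names, comparison="exact"):
    """Build the <samlp:RequestedAuthnContext> an SP embeds in its AuthnRequest.
    'comparison' is the SAML Comparison attribute (exact, minimum, maximum or
    better); the page does not say which value the ADC sends, so 'exact' is
    an assumption here."""
    elem = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"], Comparison=comparison)
    for name in class_names:
        ref = ET.SubElement(elem, "{%s}AuthnContextClassRef" % NS["saml"])
        ref.text = AC_PREFIX + name
    return ET.tostring(elem, encoding="unicode")


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, now, skew_minutes, audience, allowed_classes):
    """Return the list of reasons to reject the assertion (empty = accept).

    skew_minutes plays the role of -skewTime: NotBefore is relaxed backwards
    and NotOnOrAfter forwards by that many minutes, so the accepted window is
    2*skew_minutes wider than the one the IdP asserted. 'audience' plays the
    role of -audience and must appear in an AudienceRestriction.
    allowed_classes are the short names passed as -authnCtxClassRef."""
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input
    now = parse_saml_time(now)
    skew = timedelta(minutes=skew_minutes)
    reasons = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        reasons.append("not yet valid: NotBefore=%s" % not_before)
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        reasons.append("expired: NotOnOrAfter=%s" % not_on_or_after)

    audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience and audience not in audiences:
        reasons.append("audience mismatch: expected %r, got %r" % (audience, audiences))

    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    used = (ref.text or "").strip() if ref is not None else ""
    if allowed_classes and used not in {AC_PREFIX + c for c in allowed_classes}:
        reasons.append("IdP authenticated with %r, which was not requested" % used)
    return reasons


# Constructed sample: five-minute validity, PasswordProtectedTransport, one audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(requested_authn_context(["PasswordProtectedTransport", "Kerberos"]))
    sp = "https://sp.example.test"
    ok = ["PasswordProtectedTransport"]
    print(validate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:08:00Z", 0, sp, ok))  # expired
    print(validate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:08:00Z", 5, sp, ok))  # [] with 5 min skew
    print(validate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:02:00Z", 0, "https://other.example.test", ["Kerberos"]))
```

The two skew calls show the trade-off in skewTime directly: the same assertion that is rejected three minutes after NotOnOrAfter with no skew is accepted with a 5-minute skew, and the same relaxation applies on the NotBefore side. Checking the returned AuthnContextClassRef against what was requested matters because an IdP is free to answer with a weaker class; with forceAuthn OFF it may also satisfy the request from an older session.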

metadataUrl

URL from which the IdP's SAML metadata is obtained.

metadataRefreshInterval

Interval, in minutes, at which metadata is re-fetched from the specified metadata URL.

metadataImportStatus

Status of the most recent metadata import (reported by the appliance, not set as an argument).

storeSAMLResponse

Option to store the entire SAML Response for the life of the user session.

devno

count

stateflag