Skip to content

authenticationsamlaction

Configuration for AAA Saml action resource.

Properties

(click to see Operations)

NameData TypePermissionsDescription
name<String>Read-writeName for the SAML server profile (action).
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after SAML profile is created.

The following requirement applies only to the Citrix ADC CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication action" or 'my authentication action').
Minimum length = 1
samlidpcertname<String>Read-writeName of the SSL certificate used to verify responses from SAML Identity Provider (IdP).
Minimum length = 1
samlsigningcertname<String>Read-writeName of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).
Minimum length = 1
samlredirecturl<String>Read-writeURL to which users are redirected for authentication.
Minimum length = 1
samlacsindex<Double>Read-writeIndex/ID of the metadata entry corresponding to this configuration.
Default value: 255
Minimum value = 0
Maximum value = 255
samluserfield<String>Read-writeSAML user ID, as given in the SAML assertion.
Minimum length = 1
samlrejectunsignedassertion<String>Read-writeReject unsigned SAML assertions. ON option results in rejection of Assertion that is received without signature. STRICT option ensures that both Response and Assertion are signed. OFF allows unsigned Assertions.
Default value: ON
Possible values = ON, OFF, STRICT
samlissuername<String>Read-writeThe name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.
Minimum length = 1
samltwofactor<String>Read-writeOption to enable second factor after SAML.
Default value: OFF
Possible values = ON, OFF
defaultauthenticationgroup<String>Read-writeThis is the default group that is chosen when the authentication succeeds in addition to extracted groups.
attribute1<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.
attribute2<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.
attribute3<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.
attribute4<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.
attribute5<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.
attribute6<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.
attribute7<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.
attribute8<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.
attribute9<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.
attribute10<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.
attribute11<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.
attribute12<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.
attribute13<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.
attribute14<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.
attribute15<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.
attribute16<String>Read-writeName of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.
attributes<String>Read-writeList of attribute names separated by ',' which needs to be extracted.
Note that preceeding and trailing spaces will be removed.
Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes.
These attributes have multi-value support separated by ',' and stored as key-value pair in AAA session.
signaturealg<String>Read-writeAlgorithm to be used to sign/verify SAML transactions.
Default value: RSA-SHA256
Possible values = RSA-SHA1, RSA-SHA256
digestmethod<String>Read-writeAlgorithm to be used to compute/verify digest for SAML transactions.
Default value: SHA256
Possible values = SHA1, SHA256
requestedauthncontext<String>Read-writeThis element specifies the authentication context requirements of authentication statements returned in the response.
Default value: exact
Possible values = exact, minimum, maximum, better
authnctxclassref<String[]>Read-writeThis element specifies the authentication class types that are requested from IdP (IdentityProvider).
InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.
InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.
Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.
MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.
MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.
MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.
MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.
Password: This class is applicable when a principal authenticates using password over unprotected http session.
PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.
PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.
X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.
PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.
SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.
XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.
Smartcard: This indicates that the principal has authenticated using smartcard.
SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.
SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.
Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.
NomadTelephony: Indicates that the principal is "roaming" and authenticates via the means of the line number, a user suffix, and a password element.
PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.
AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.
SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.
TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.
TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.
Unspecified: This indicates that the authentication was performed by unspecified means.
Windows: This indicates that Windows integrated authentication is utilized for authentication.
Possible values = InternetProtocol, InternetProtocolPassword, Kerberos, MobileOneFactorUnregistered, MobileTwoFactorUnregistered, MobileOneFactorContract, MobileTwoFactorContract, Password, PasswordProtectedTransport, PreviousSession, X509, PGP, SPKI, XMLDSig, Smartcard, SmartcardPKI, SoftwarePKI, Telephony, NomadTelephony, PersonalTelephony, AuthenticatedTelephony, SecureRemotePassword, TLSClient, TimeSyncToken, Unspecified, Windows
samlbinding<String>Read-writeThis element specifies the transport mechanism of saml messages.
Default value: POST
Possible values = REDIRECT, POST, ARTIFACT
attributeconsumingserviceindex<Double>Read-writeIndex/ID of the attribute specification at Identity Provider (IdP). IdP will locate attributes requested by SP using this index and send those attributes in Assertion.
Default value: 255
Minimum value = 0
Maximum value = 255
sendthumbprint<String>Read-writeOption to send thumbprint instead of x509 certificate in SAML request.
Default value: OFF
Possible values = ON, OFF
enforceusername<String>Read-writeOption to choose whether the username that is extracted from SAML assertion can be edited in login page while doing second factor.
Default value: ON
Possible values = ON, OFF
logouturl<String>Read-writeSingleLogout URL on IdP to which logoutRequest will be sent on Citrix ADC session cleanup.
artifactresolutionserviceurl<String>Read-writeURL of the Artifact Resolution Service on IdP to which Citrix ADC will post artifact to get actual SAML token.
skewtime<Double>Read-writeThis option specifies the allowed clock skew in number of minutes that Citrix ADC ServiceProvider allows on an incoming assertion. For example, if skewTime is 10, then assertion would be valid from (current time - 10) min to (current time + 10) min, ie 20min in all.
Default value: 5
logoutbinding<String>Read-writeThis element specifies the transport mechanism of saml logout messages.
Default value: POST
Possible values = REDIRECT, POST
forceauthn<String>Read-writeOption that forces authentication at the Identity Provider (IdP) that receives Citrix ADC's request.
Default value: OFF
Possible values = ON, OFF
groupnamefield<String>Read-writeName of the tag in assertion that contains user groups.
audience<String>Read-writeAudience for which assertion sent by IdP is applicable. This is typically entity name or url that represents ServiceProvider.
metadataurl<String>Read-writeThis URL is used for obtaining saml metadata.
metadatarefreshinterval<Double>Read-writeInterval in minutes for fetching metadata from specified metadata URL.
Default value: 36000
storesamlresponse<String>Read-writeOption to store entire SAML Response through the life of user session.
Default value: OFF
Possible values = ON, OFF
metadataimportstatus<String>Read-onlyDescribes metadata import status.
Default value: SUCCESS
Possible values = INIT, SUCCESS, FAIL
__count<Double>Read-onlycount parameter

Operations

(click to see Properties)

ADD| DELETE| UPDATE| UNSET| GET (ALL)| GET| COUNT

Some options that you can use for each operations:

  • Getting warnings in response:NITRO allows you to get warnings in an operation by specifying the "warning" query parameter as "yes". For example, to get warnings while connecting to the Citrix ADC appliance, the URL is as follows:

    http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/login?warning=yes

    If any, the warnings are displayed in the response payload with the HTTP code "209 X-NITRO-WARNING".

  • Authenticated access for individual NITRO operations:NITRO allows you to logon to the Citrix ADC appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

    To do this, you must specify the username and password in the request header of the NITRO request as follows:

    X-NITRO-USER:<username>

    X-NITRO-PASS:<password>

    Note:In such cases, make sure that the request header DOES not include the following:

    Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Note:

Mandatory parameters are marked in redand placeholder content is marked in <green>.

add

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction

HTTP Method:POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"authenticationsamlaction":{
<b>"name":<String_value>,
</b>"samlidpcertname":<String_value>,
"samlsigningcertname":<String_value>,
"samlredirecturl":<String_value>,
"samlacsindex":<Double_value>,
"samluserfield":<String_value>,
"samlrejectunsignedassertion":<String_value>,
"samlissuername":<String_value>,
"samltwofactor":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"signaturealg":<String_value>,
"digestmethod":<String_value>,
"requestedauthncontext":<String_value>,
"authnctxclassref":<String[]_value>,
"samlbinding":<String_value>,
"attributeconsumingserviceindex":<Double_value>,
"sendthumbprint":<String_value>,
"enforceusername":<String_value>,
"logouturl":<String_value>,
"artifactresolutionserviceurl":<String_value>,
"skewtime":<Double_value>,
"logoutbinding":<String_value>,
"forceauthn":<String_value>,
"groupnamefield":<String_value>,
"audience":<String_value>,
"metadataurl":<String_value>,
"metadatarefreshinterval":<Double_value>,
"storesamlresponse":<String_value>
}}

Response:

HTTP Status Code on Success: 201 Created HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

delete

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction/name_value<String>

HTTP Method:DELETE

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

update

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction

HTTP Method:PUT

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"authenticationsamlaction":{
<b>"name":<String_value>,
</b>"samlidpcertname":<String_value>,
"samlsigningcertname":<String_value>,
"samlredirecturl":<String_value>,
"samlacsindex":<Double_value>,
"samluserfield":<String_value>,
"samlrejectunsignedassertion":<String_value>,
"samlissuername":<String_value>,
"samltwofactor":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"signaturealg":<String_value>,
"digestmethod":<String_value>,
"requestedauthncontext":<String_value>,
"authnctxclassref":<String[]_value>,
"samlbinding":<String_value>,
"attributeconsumingserviceindex":<Double_value>,
"sendthumbprint":<String_value>,
"enforceusername":<String_value>,
"logouturl":<String_value>,
"artifactresolutionserviceurl":<String_value>,
"skewtime":<Double_value>,
"logoutbinding":<String_value>,
"forceauthn":<String_value>,
"groupnamefield":<String_value>,
"audience":<String_value>,
"metadataurl":<String_value>,
"metadatarefreshinterval":<Double_value>,
"storesamlresponse":<String_value>
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

unset

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?action=unset

HTTP Method:POST

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Content-Type:application/json

Request Payload:

{"authenticationsamlaction":{
<b>"name":<String_value>,
</b>"samlsigningcertname":true,
"samlredirecturl":true,
"samlacsindex":true,
"samluserfield":true,
"samlrejectunsignedassertion":true,
"samlissuername":true,
"samltwofactor":true,
"defaultauthenticationgroup":true,
"attribute1":true,
"attribute2":true,
"attribute3":true,
"attribute4":true,
"attribute5":true,
"attribute6":true,
"attribute7":true,
"attribute8":true,
"attribute9":true,
"attribute10":true,
"attribute11":true,
"attribute12":true,
"attribute13":true,
"attribute14":true,
"attribute15":true,
"attribute16":true,
"attributes":true,
"signaturealg":true,
"digestmethod":true,
"requestedauthncontext":true,
"authnctxclassref":true,
"samlbinding":true,
"attributeconsumingserviceindex":true,
"sendthumbprint":true,
"enforceusername":true,
"logouturl":true,
"artifactresolutionserviceurl":true,
"skewtime":true,
"logoutbinding":true,
"forceauthn":true,
"groupnamefield":true,
"audience":true,
"metadataurl":true,
"metadatarefreshinterval":true,
"storesamlresponse":true
}}

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the error

get (all)

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction

Query-parameters:

attrs

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

filter

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?filter=property-name1:property-val1,property-name2:property-val2

Use this query-parameter to get the filtered set of authenticationsamlaction resources configured on Citrix ADC. Filtering can be done on any of the properties of the resource.

view

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?view=summary

Note:By default, the retrieved results are displayed in detail view (?view=detail).

pagination

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?pagesize=#no;pageno=#no

Use this query-parameter to get the authenticationsamlaction resources in chunks.

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "authenticationsamlaction": [ {
"name":<String_value>,
"samlidpcertname":<String_value>,
"samlsigningcertname":<String_value>,
"samlredirecturl":<String_value>,
"samlacsindex":<Double_value>,
"samluserfield":<String_value>,
"samlrejectunsignedassertion":<String_value>,
"samlissuername":<String_value>,
"samltwofactor":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"signaturealg":<String_value>,
"digestmethod":<String_value>,
"requestedauthncontext":<String_value>,
"authnctxclassref":<String[]_value>,
"samlbinding":<String_value>,
"attributeconsumingserviceindex":<Double_value>,
"sendthumbprint":<String_value>,
"enforceusername":<String_value>,
"logouturl":<String_value>,
"artifactresolutionserviceurl":<String_value>,
"skewtime":<Double_value>,
"logoutbinding":<String_value>,
"forceauthn":<String_value>,
"groupnamefield":<String_value>,
"audience":<String_value>,
"metadataurl":<String_value>,
"metadatarefreshinterval":<Double_value>,
"metadataimportstatus":<String_value>,
"storesamlresponse":<String_value>
}]}

get

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction/name_value<String>

Query-parameters:

attrs

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction/name_value<String>?attrs=property-name1,property-name2

Use this query parameter to specify the resource details that you want to retrieve.

view

http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction/name_value<String>?view=summary

Note:By default, the retrieved results are displayed in detail view (?view=detail).

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "authenticationsamlaction": [ {
"name":<String_value>,
"samlidpcertname":<String_value>,
"samlsigningcertname":<String_value>,
"samlredirecturl":<String_value>,
"samlacsindex":<Double_value>,
"samluserfield":<String_value>,
"samlrejectunsignedassertion":<String_value>,
"samlissuername":<String_value>,
"samltwofactor":<String_value>,
"defaultauthenticationgroup":<String_value>,
"attribute1":<String_value>,
"attribute2":<String_value>,
"attribute3":<String_value>,
"attribute4":<String_value>,
"attribute5":<String_value>,
"attribute6":<String_value>,
"attribute7":<String_value>,
"attribute8":<String_value>,
"attribute9":<String_value>,
"attribute10":<String_value>,
"attribute11":<String_value>,
"attribute12":<String_value>,
"attribute13":<String_value>,
"attribute14":<String_value>,
"attribute15":<String_value>,
"attribute16":<String_value>,
"attributes":<String_value>,
"signaturealg":<String_value>,
"digestmethod":<String_value>,
"requestedauthncontext":<String_value>,
"authnctxclassref":<String[]_value>,
"samlbinding":<String_value>,
"attributeconsumingserviceindex":<Double_value>,
"sendthumbprint":<String_value>,
"enforceusername":<String_value>,
"logouturl":<String_value>,
"artifactresolutionserviceurl":<String_value>,
"skewtime":<Double_value>,
"logoutbinding":<String_value>,
"forceauthn":<String_value>,
"groupnamefield":<String_value>,
"audience":<String_value>,
"metadataurl":<String_value>,
"metadatarefreshinterval":<Double_value>,
"metadataimportstatus":<String_value>,
"storesamlresponse":<String_value>
}]}

count

URL:http://<Citrix-ADC-IP-address(NSIP)>/nitro/v1/config/authenticationsamlaction?count=yes

HTTP Method:GET

Request Headers:

Cookie:NITRO_AUTH_TOKEN=<tokenvalue> Accept:application/json

Response:

HTTP Status Code on Success: 200 OK HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for Citrix ADC specific errors). The response payload provides details of the errorResponse Headers:

Content-Type:application/json

Response Payload:

{ "authenticationsamlaction": [ { "__count": "#no"} ] }