netscaler / netscaler-k8s-ingress-controller

NetScaler Ingress Controller for Kubernetes:
https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/

Missing documentation on the SAML Authentication #663

Open enov opened 1 month ago

enov commented 1 month ago

Missing documentation on the SAML Authentication

https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/crd/auth/README.md#saml-authentication

https://docs.netscaler.com/en-us/netscaler-k8s-ingress-controller/crds/auth#saml-authentication

The section needs to be rewritten with SAML vocabulary in mind. Some questions:

enov commented 1 month ago

Are we going to retrieve the identity/username (SAML NameID) of the logged-in user via an HTTP request header from the request sent to the backend application?

I am still trying to figure out the SAML auth. What I am mostly worried about is not knowing who logged into the application. I expect that the Netscaler augments the incoming request with headers like X-Forwarded-User, X-Forwarded-Email or maybe X-Forwarded-NameID (if we want to follow SAML jargon). Should I create a feature request if not?

subashd commented 1 month ago

Hi @enov, we kindly request you to fill out the Requirement Gathering Questionnaire.

enov commented 1 month ago

Done

enov commented 1 month ago

@subashd could you point me to other documentation where I can find more information about using SAML with the Netscaler Ingress? The most pressing questions I have:

arijitr-citrix commented 1 month ago

@enov Below is the response.

audience and issuer_name: Which one of those acts as the SP entityID?

What is the expected SAML NameID type? Generally, NetScaler, when acting as IDP, uses the below format: Username

Are we going to get the authenticated NameID and other attributes from the Ingress Controller as added headers in the request? Please note that NetScaler Ingress Controller's auth CRD does not configure IDP.

Please let us know if further help is needed.