Friday 2 May 2014

Password Pass-over In NetScaler

NetScaler supports SAML authentication, and you can pass over the username from the IDP to NetScaler through the SAML response (see the details in this link). This is very useful when you want single sign-on to XenApp: it pre-fills the username field in the CWI login.

Ideally, it would be perfect if we could pass over the password as well.

Citrix mentions that the SAML response generated by a NetScaler Gateway virtual server can contain the password: the vpn SAML profile has a parameter called "sendpassword". Please see the details in How to Configure SAML SSO Authentication between NetScaler Gateway and Load Balancing Virtual Servers. This implies that NetScaler supports password pass-over, internally at least.

I was very curious whether a third-party IDP could take advantage of this, so I dug into the NetScaler module.

The SAML response generated by NetScaler itself contains a password attribute:

<saml2:Attribute Name="password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xsi:type="xs:string">the encrypted password</saml2:AttributeValue></saml2:Attribute>

How is the password encrypted? If a third-party IDP follows the same rule, it may be able to pass over the password!

The password is actually scrambled with vpn_global_key, which is initialized randomly when the system boots up:


/* vpn_global_key holds random bytes generated at boot; dstpass receives srcpass XORed with it byte by byte */
extern unsigned char vpn_global_key[];

void ns_sslvpn_copy_passwd(char *srcpass, char *dstpass, unsigned int len)
{
    for (unsigned int i = 0; i < len; ++i)
        dstpass[i] = srcpass[i] ^ vpn_global_key[i];
}


In ns_aaa_saml_auth, the password (if present) is restored:


/* restore only when the length is between 1 and 127 bytes
   (len == 0 wraps to a large unsigned value and fails the same test) */
if ((unsigned int)(len - 1) <= 0x7E)
{
    ns_sslvpn_copy_passwd(src, dst, len);
}
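
To make the scramble and the length guard concrete, here is an added C example (it is neither NetScaler's code nor the post's own): vpn_global_key, init_vpn_global_key, saml_restore_passwd, restore_accepts_len and roundtrip_matches are constructed stand-ins, and the seed-based key derivation is a placeholder for the appliance's boot-time random source. It shows that the XOR routine is its own inverse and that a value scrambled under any key other than the one NetScaler holds does not restore to the original password, which is exactly why a third-party IDP cannot supply a valid value.

```c
#include <string.h>
/* Hypothetical stand-in for vpn_global_key: random at boot on the appliance, constructed here. */
#define VPN_KEY_LEN 128
static unsigned char vpn_global_key[VPN_KEY_LEN];
void init_vpn_global_key(unsigned char seed)   /* constructed key derivation, not NetScaler's */
{
    for (int i = 0; i < VPN_KEY_LEN; ++i)
        vpn_global_key[i] = (unsigned char)(seed ^ (i * 37 + 11));
}

/* The XOR scramble from the post; XOR is its own inverse, so it restores as well. */
void ns_sslvpn_copy_passwd(const char *srcpass, char *dstpass, unsigned int len)
{
    for (unsigned int i = 0; i < len; ++i)
        dstpass[i] = srcpass[i] ^ vpn_global_key[i];
}

/* Mirrors the guard in ns_aaa_saml_auth: only lengths 1..127 pass (len 0 wraps). 1 = restored. */
int saml_restore_passwd(const char *src, char *dst, unsigned int len)
{
    if ((unsigned int)(len - 1) <= 0x7E) {
        ns_sslvpn_copy_passwd(src, dst, len);
        dst[len] = '\0';
        return 1;
    }
    return 0;
}

/* Does the restore path accept an attribute value of this length? */
int restore_accepts_len(unsigned int len)
{
    static char src[VPN_KEY_LEN], dst[VPN_KEY_LEN + 1];
    if (len > VPN_KEY_LEN) return 0;
    memset(src, 'a', len);
    return saml_restore_passwd(src, dst, len);
}

/* Scramble under the key an IdP guessed, restore under the key NetScaler holds; 1 only if they match. */
int roundtrip_matches(const char *password, unsigned char idp_seed, unsigned char ns_seed)
{
    char scrambled[VPN_KEY_LEN], restored[VPN_KEY_LEN + 1];
    unsigned int len = (unsigned int)strlen(password);
    if (len == 0 || len >= VPN_KEY_LEN) return 0;
    init_vpn_global_key(idp_seed);                 /* what the IdP believes the key is */
    ns_sslvpn_copy_passwd(password, scrambled, len);
    init_vpn_global_key(ns_seed);                  /* what the appliance actually holds */
    if (!saml_restore_passwd(scrambled, restored, len)) return 0;
    return strcmp(password, restored) == 0;
}
```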

Unfortunately, I don't think there is a way to transmit the vpn_global_key over the SAML Request, which is the only way the IDP gets information from NetScaler, so my conclusion is that currently it is impossible for a third-party IDP to pass over a valid password value to NetScaler.
