OAuth IDP with NetScaler

NetScaler can act as an OAuth IDP. This describes how a simple Python OAuth client can make use of it.

Steps

  1. Download oauthc.py and save it to a directory named cgi-bin
  2. Edit the script and adjust these constants to match your environment:
    redirect_uri  = "http://WEBSERVER:8000/cgi-bin/oauthc.py"
    idp_login_url = "https://AUTH_VSERVER/oauth/idp/login"
    idp_token_url = "https://AUTH_VSERVER/oauth/idp/token"
    idp_info_url  = "https://AUTH_VSERVER/oauth/idp/userinfo"
    
  3. On the NetScaler, create an OAuth IDP profile under Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> OAuth IDP -> Profiles with at least these values:
    Name: my_oauth_idp_profile
    Client ID: oauthc
    Client Secret: secret
    Redirect URL: http://WEBSERVER:8000/cgi-bin/oauthc.py

  4. On the tab Policies, create an OAuth IDP policy with these values:
    Name: my_oauth_idp_policy
    Action: my_oauth_idp_profile
    Expression: true

  5. Bind my_oauth_idp_policy to your authentication vserver along with at least one authentication policy, e.g. an LDAP policy or a local-user policy
  6. On the NetScaler's command line, bind the authentication vserver's SSL certificate globally:
    > bind vpn global -certkeyName Name_of_the_SSL_certificate_bound_to_the_auth_vserver
    
  7. In the directory containing cgi-bin, start Python's simple CGI web server, e.g.:
    $ python2 -m CGIHTTPServer
    
    Or with Python 3:
    $ python3 -m http.server --cgi
    
  8. Open the redirect_uri in your web browser.
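To show what a client behind the redirect_uri has to do with the four constants from step 2, here is an added example written for this page; it is not the contents of oauthc.py and not NetScaler code. It assumes the standard authorization-code grant parameters at the login and token endpoints and uses injectable http_post/http_get hooks so it can be exercised offline; the host names are the same placeholders as in step 2.

```python
import json
import secrets
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

# Placeholder values mirroring the constants from step 2 (assumed, not real hosts).
client_id     = "oauthc"
client_secret = "secret"
redirect_uri  = "http://WEBSERVER:8000/cgi-bin/oauthc.py"
idp_login_url = "https://AUTH_VSERVER/oauth/idp/login"
idp_token_url = "https://AUTH_VSERVER/oauth/idp/token"
idp_info_url  = "https://AUTH_VSERVER/oauth/idp/userinfo"

def new_state():
    """Random per-login nonce; the client keeps it (e.g. in a cookie) and
    checks it on the callback so a forged or replayed callback is dropped."""
    return secrets.token_urlsafe(16)

def build_login_redirect(state):
    """Location the browser is sent to when it arrives without a 'code'."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return idp_login_url + "?" + urlencode(params)

def parse_callback(query_string, expected_state):
    """Pull the one-time authorization code out of the IDP's redirect back.
    Returns None when the state does not match or no code is present."""
    q = parse_qs(query_string)
    if q.get("state", [None])[0] != expected_state:
        return None
    return q.get("code", [None])[0]

def exchange_code(code, http_post=None):
    """Server-to-server: trade the code plus client secret for an access token.
    http_post(url, body_bytes) -> response bytes; injectable so tests run offline."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret}).encode()
    if http_post is None:
        http_post = lambda url, data: urlopen(Request(url, data=data)).read()
    return json.loads(http_post(idp_token_url, body))["access_token"]

def fetch_userinfo(access_token, http_get=None):
    """Call the userinfo endpoint with the bearer token and return its JSON."""
    headers = {"Authorization": "Bearer " + access_token}
    if http_get is None:
        http_get = lambda url, hdrs: urlopen(Request(url, headers=hdrs)).read()
    return json.loads(http_get(idp_info_url, headers))
```

The code exchange and the userinfo call happen from the CGI script, never from the browser, so the client secret and the access token stay server-side.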