Citrix NetScaler SAML


Multi-factor authentication (MFA) is an extra layer of security for logging in to websites or apps: individuals are authenticated through more than one required security and validation procedure, each relying on something that only you know or have access to.

Citrix NetScaler is an application delivery and load balancing solution that provides a high-quality user experience for your web, traditional, and cloud-native applications regardless of where they are hosted. Acceptto as a Citrix Ready Partner offers a simple method for adding MFA to Citrix NetScaler via its SAML solution.

  1. An Acceptto Appliance connected to your user directory (for example, Microsoft™ ‘Active Directory™’).
  2. The user population that is going to be authenticated via SAML must be enrolled in the It’s Me mobile application.
  3. A user with administrative privileges for NetScaler.
  4. A user with administrative privileges for the Acceptto Appliance.
Acceptto SAML Configuration as Identity Provider (IdP)
  1. Log in to the Acceptto appliance admin panel with an administrative account and go to Applications.
  2. Create a new application by selecting Create New Application.
  3. In the Add Application dialog, enter the following values:
    • App Name - The application name displayed in the admin panel and application portal (e.g. NetScaler)
    • Issuer or Entity ID - The Issuer/EntityID of your NetScaler instance (e.g.
    • Sign in URL - The link used by your users to access the NetScaler (e.g.
    • Metadata URL - The URL containing metadata about your NetScaler instance (e.g. )

    You can find this information in the SAML server configuration of your NetScaler instance under Citrix Gateway > Policies > Authentication > Servers.

  4. Click Save to create the Application.
  5. Select Show ID Provider Data and copy the information shown on this page.
NetScaler Configuration
  1. Log in to your Citrix NetScaler with an administrative account.
  2. Navigate to Traffic Management > SSL > SSL Certificate.
  3. Upload the X.509 certificate file you got from the Acceptto SAML Appliance earlier.
  4. SSH to NetScaler and enter the following command (change the values to match your configuration):

    add authentication samlaction {NAME} -samlIDPCertName {IDP Certificate Name}
    -samlSigningCertName {Signing Certificate Name} -samlredirectUrl {Redirect URL}

    For example, the command could be:

    add authentication samlaction SAML-Acceptto -samlIDPCertName SAML-Acceptto
    -samlSigningCertName lab-acceptto-com.pfx_CERT_KEY -samlredirectUrl
  5. Navigate to the Configuration tab, select Citrix Gateway from the menu, and then select Policies > Authentication > SAML.
  6. Select the Policies tab and click ADD. Then fill in the fields as shown in the following image and click Ok.
  7. Go to Citrix Gateway > Virtual Servers, select the virtual server you want to add SAML authentication to, and click Edit.
  8. Go to Basic Authentication, choose SAML as the Primary policy, and click Continue. Then select the SAML policy created earlier and click Bind and Done.
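The following is an added example, not Acceptto's or Citrix's own code. It assumes the ID Provider Data copied earlier is available as standard SAML 2.0 metadata XML. It extracts the redirect URL and the SHA-256 fingerprint of the IdP signing certificate (to compare against the certificate file you upload), then fills in the samlaction command template from step 4. The function names and the sample metadata, including idp.example.test and the certificate bytes, are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: idp.example.test and the certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return (entity_id, redirect_url, cert_sha256) from SAML IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    # A KeyDescriptor without a 'use' attribute may also be used for signing.
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
    if len(certs) != 1:  # simplification: the page uploads one IdP certificate
        raise ValueError("expected one signing certificate, found %d" % len(certs))
    urls = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    if len(urls) != 1 or urlsplit(urls[0]).scheme != "https":
        raise ValueError("need exactly one HTTPS HTTP-Redirect SSO endpoint")
    der = base64.b64decode("".join(certs[0].split()))
    return root.get("entityID"), urls[0], hashlib.sha256(der).hexdigest()

def samlaction_command(name, idp_cert, signing_cert, redirect_url):
    """Fill the page's command template, rejecting values unsafe to paste into a CLI."""
    for value in (name, idp_cert, signing_cert):
        if not re.fullmatch(r"[A-Za-z0-9._-]+", value):
            raise ValueError("unexpected characters in %r" % value)
    if re.search(r"[\s;'\"]", redirect_url):
        raise ValueError("redirect URL contains whitespace or quoting characters")
    return ("add authentication samlaction %s -samlIDPCertName %s "
            "-samlSigningCertName %s -samlredirectUrl %s"
            % (name, idp_cert, signing_cert, redirect_url))
```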
Test your setup
  1. Go to the Citrix Gateway Virtual Server link you got from the previous section. You will be redirected to the Acceptto SAML page.
  2. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method, then pass the verification stage in your It’s Me mobile app.
  3. Finally, you will be redirected to your NetScaler landing page.

If you require assistance, please email us at


Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.
Citrix and NetScaler are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.
Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.