Gordon Curry Posted July 21, 2023

I have a Citrix Gateway which is set up to use nFactor auth as follows:
1st factor: EULA accept
2nd factor: LDAP on-prem AD auth

I now need to add Azure MFA after the LDAP auth, so I am going to set up an Azure Enterprise app and set up the NetScaler with a SAML server and policy which I can add as a 3rd factor to the nFactor flow.

What I am not sure about is SSON and passing credentials to the VDA, and how best to achieve this. I'm thinking that I should set up Citrix FAS as the solution, but I don't know if this is the right way to proceed. Another option which occurs to me is whether I can use the username and password from the 2nd factor with a traffic policy.

Any thoughts or assistance greatly appreciated.
Many thanks.

Hemang Raval Posted July 25, 2023

Hello Gordon,
You do not need FAS in this scenario, as NetScaler is credential aware since the 2nd factor LDAP auth takes place on NetScaler.
In order to pass on credentials from the 2nd factor in SSO, please enable the SSO option on the login schema bound to the 2nd factor as below:

Thanks and regards,
Hemang

Gordon Curry Posted July 25, 2023 (Author)

Hi Hemang
Thank you for the response, that is very helpful.
Gordon

Gordon Curry Posted July 25, 2023 (Author)

So putting together an nFactor flow for the following:
1st Factor - EULA accept
2nd Factor - LDAP auth
Group membership check to determine if Azure MFA is required
3rd Factor - Azure MFA (SAML) if member of MFA group / no further auth if not member of MFA group.

I have put together the following flow on a test VPX (ignore the Schema profiles) but I'm not convinced it's right. Is anyone with good knowledge of nFactor able to comment?

# ** nFactor Visualizer
# ** ------------------
# ** AAA vserver: desktop-nFactor-aaa
# ** Adv Authn Policy = noAuth
# ** Priority = 100
# ** Rule = true
# ** Action = NO_AUTHN
# ** Goto if failed = NEXT
# ** Next Factor if Success = EULA-desktop-pl
# ** Login Schema Profile = LSCHEMA_INT
# ** Adv Authn Policy = EULA-accept-auth
# ** Priority = 100
# ** Rule = true
# ** Action = NO_AUTHN
# ** Goto if failed = NEXT
# ** Next Factor if Success = LDAP-desktop-pl
# ** Login Schema Profile = LSCHEMA_INT
# ** Adv Authn Policy = ldap-auth_pol
# ** Priority = 100
# ** Rule = true
# ** Action = ldapAction named ldap-auth
# ** Goto if failed = NEXT
# ** Next Factor if Success = GrpEx-desktop-pl
# ** Login Schema Profile = GroupExtraction
# ** Login Schema XML = noschema
# ** Adv Authn Policy = mfa-enabled-pol
# ** Priority = 90
# ** Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled")"
# ** Action = NO_AUTHN
# ** Goto if failed = NEXT
# ** Next Factor if Success = SAML-desktop-pl
# ** Login Schema Profile = SAML
# ** Login Schema XML = noschema
# ** Adv Authn Policy = gcurry-saml-auth_pol
# ** Priority = 100
# ** Rule = true
# ** Action = samlAction named gcurry-saml-auth
# ** Goto if failed = END
# ** Adv Authn Policy = mfa-notenabled-pol
# ** Priority = 100
# ** Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled").NOT"
# ** Action = NO_AUTHN
# ** Goto if failed = END

Many thanks
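For readers reconstructing the flow above in the NetScaler CLI, here is an added example (not taken from the thread or from Citrix documentation) that builds the policy labels and bindings the visualizer shows, and sets SSOCredentials on the LDAP factor's login schema as Hemang's reply describes. Object names are Gordon's; the login schema names for the EULA and LDAP factors, the EULA schema file path, and the ldap-auth / gcurry-saml-auth action definitions are assumptions.

```text
# Added example: NetScaler CLI for the nFactor flow in the visualizer above.
# Assumed: ldap-auth (ldapAction) and gcurry-saml-auth (samlAction) already exist.
# For AAA.USER.IS_MEMBER_OF to evaluate, ldap-auth must extract groups,
# e.g. "-groupAttrName memberOf -subAttributeName cn" on the ldapAction.

# Login schemas. SSOCredentials YES on the LDAP factor's schema keeps the
# password entered at that factor for single sign-on to StoreFront/VDA,
# which is why FAS is not needed here.
add authentication loginSchema LSCHEMA_INT -authenticationSchema noschema
add authentication loginSchema EULA-schema -authenticationSchema "/nsconfig/loginschema/EULA-assumed.xml"
add authentication loginSchema LDAP-schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml" -SSOCredentials YES
add authentication loginSchema GroupExtraction -authenticationSchema noschema
add authentication loginSchema SAML -authenticationSchema noschema

# Advanced authentication policies (rules and actions as in the visualizer).
add authentication Policy noAuth -rule true -action NO_AUTHN
add authentication Policy EULA-accept-auth -rule true -action NO_AUTHN
add authentication Policy ldap-auth_pol -rule true -action ldap-auth
add authentication Policy mfa-enabled-pol -rule 'AAA.USER.IS_MEMBER_OF("MFA_Enabled")' -action NO_AUTHN
add authentication Policy mfa-notenabled-pol -rule 'AAA.USER.IS_MEMBER_OF("MFA_Enabled").NOT' -action NO_AUTHN
add authentication Policy gcurry-saml-auth_pol -rule true -action gcurry-saml-auth

# Policy labels (one per factor), each carrying its login schema.
add authentication policylabel EULA-desktop-pl -loginSchema EULA-schema
add authentication policylabel LDAP-desktop-pl -loginSchema LDAP-schema
add authentication policylabel GrpEx-desktop-pl -loginSchema GroupExtraction
add authentication policylabel SAML-desktop-pl -loginSchema SAML

# Chain the factors. In GrpEx-desktop-pl the lower priority number (90) is
# evaluated first, so MFA-group members branch to SAML; everyone else hits
# the .NOT rule at 100 and the flow ends with LDAP as the last factor.
bind authentication policylabel EULA-desktop-pl -policyName EULA-accept-auth -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP-desktop-pl
bind authentication policylabel LDAP-desktop-pl -policyName ldap-auth_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor GrpEx-desktop-pl
bind authentication policylabel GrpEx-desktop-pl -policyName mfa-enabled-pol -priority 90 -gotoPriorityExpression NEXT -nextFactor SAML-desktop-pl
bind authentication policylabel GrpEx-desktop-pl -policyName mfa-notenabled-pol -priority 100 -gotoPriorityExpression END
bind authentication policylabel SAML-desktop-pl -policyName gcurry-saml-auth_pol -priority 100 -gotoPriorityExpression END

# Entry point: the AAA vserver runs noAuth first and hands off to the EULA factor.
bind authentication vserver desktop-nFactor-aaa -policy noAuth -priority 100 -gotoPriorityExpression NEXT -nextFactor EULA-desktop-pl
```

One check worth making after applying this: a user outside MFA_Enabled should reach the Gateway after LDAP alone, and a member should be redirected to the SAML IdP; if both land on the same path, confirm the ldapAction is actually returning group membership.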