Question about SSON when setting up nFactor for Gateway to use AD auth followed by Azure MFA


I have a Citrix Gateway which is set up to use nFactor auth as follows:

1st factor: EULA accept

2nd factor: LDAP on prem AD auth

I now need to add Azure MFA after the LDAP auth, so I am going to set up an Azure Enterprise app and set up the NetScaler with a SAML server and policy which I can add as a 3rd factor to the nFactor flow.

What I am not sure about is SSON and passing credentials to the VDA, and how best to achieve this. I'm thinking that I should set up Citrix FAS as the solution, but I don't know if this is the right way to proceed. Another option which occurs to me is whether I can use the username and password from the 2nd factor with a traffic policy.

Any thoughts or assistance greatly appreciated.

Many thanks.

Hello Gordon,

You do not need FAS in this scenario, as NetScaler is credential-aware since the 2nd-factor LDAP auth takes place on NetScaler.

In order to pass on the credentials from the 2nd factor for SSO, please enable the SSO option on the login schema bound to the 2nd factor, as below:

[screenshot: the SSO option on the login schema bound to the 2nd factor]

Thanks and regards,

Hemang

So, putting together an nFactor flow for the following:

1st factor: EULA accept

2nd factor: LDAP auth

Group membership check to determine if Azure MFA is required

3rd factor: Azure MFA (SAML) if member of MFA group / no further auth if not member of MFA group.

I have put together the following flow on a test VPX (ignore the schema profiles), but I'm not convinced it's right. Is anyone with good knowledge of nFactor able to comment?

# ** nFactor Visualizer
# ** ------------------
# ** AAA vserver: desktop-nFactor-aaa
# **  Adv Authn Policy = noAuth
# **    Priority = 100
# **    Rule = true
# **    Action = NO_AUTHN
# **    Goto if failed = NEXT
# **    Next Factor if Success = EULA-desktop-pl
# **     Login Schema Profile = LSCHEMA_INT
# **     Adv Authn Policy = EULA-accept-auth
# **       Priority = 100
# **       Rule = true
# **       Action = NO_AUTHN
# **       Goto if failed = NEXT
# **       Next Factor if Success = LDAP-desktop-pl
# **        Login Schema Profile = LSCHEMA_INT
# **        Adv Authn Policy = ldap-auth_pol
# **          Priority = 100
# **          Rule = true
# **          Action = ldapAction named ldap-auth
# **          Goto if failed = NEXT
# **          Next Factor if Success = GrpEx-desktop-pl
# **           Login Schema Profile = GroupExtraction
# **           Login Schema XML = noschema
# **           Adv Authn Policy = mfa-enabled-pol
# **             Priority = 90
# **             Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled")"
# **             Action = NO_AUTHN
# **             Goto if failed = NEXT
# **             Next Factor if Success = SAML-desktop-pl
# **              Login Schema Profile = SAML
# **              Login Schema XML = noschema
# **              Adv Authn Policy = gcurry-saml-auth_pol
# **                Priority = 100
# **                Rule = true
# **                Action = samlAction named gcurry-saml-auth
# **                Goto if failed = END
# **           Adv Authn Policy = mfa-notenabled-pol
# **             Priority = 100
# **             Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled").NOT"
# **             Action = NO_AUTHN
# **             Goto if failed = END

Many thanks

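The flow from the visualizer output above, together with the SSO setting from the earlier reply, written out as NetScaler CLI. This is an added example and not configuration from either poster: the AAA vserver, policy, policy-label and login-schema names are taken from the visualizer output; the LDAP server address, bind DN, base DN, bind password, Azure tenant URL, IdP certificate, issuer name and the custom EULA schema file are placeholders that must be replaced with your own values.

```text
# --- Login schemas ---
# EULA page: a custom schema file you supply (placeholder path).
add authentication loginSchema EULA-schema -authenticationSchema "/nsconfig/loginschema/eula.xml"

# LDAP factor: the built-in single-auth form. -SSOCredentials YES marks the
# username/password collected in this factor as the session's SSO credentials,
# so they are what the Gateway forwards to StoreFront/the VDA even though a
# SAML factor runs afterwards. This is the setting the earlier reply refers to.
add authentication loginSchema LSCHEMA_LDAP_SSO -authenticationSchema "LoginSchema/SingleAuth.xml" -SSOCredentials YES

# Decision factor and SAML factor show no form at all.
add authentication loginSchema GroupExtraction -authenticationSchema noschema
add authentication loginSchema SAML -authenticationSchema noschema

# --- Actions ---
# Group extraction (-groupAttrName / -subAttributeName) is what makes
# AAA.USER.IS_MEMBER_OF() in the next factor work. Placeholder server details.
add authentication ldapAction ldap-auth -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "CN=svc-ns,OU=Service,DC=example,DC=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

# Azure enterprise app as SAML IdP. Placeholder tenant URL, certificate and issuer.
add authentication samlAction gcurry-saml-auth -samlIdPCertName AzureAD-IdP-Cert -samlRedirectUrl "https://login.microsoftonline.com/<tenant-id>/saml2" -samlIssuerName "https://gateway.example.com" -samlBinding POST -signatureAlg RSA-SHA256 -digestMethod SHA256

# --- Policies ---
add authentication Policy noAuth -rule true -action NO_AUTHN
add authentication Policy EULA-accept-auth -rule true -action NO_AUTHN
add authentication Policy ldap-auth_pol -rule true -action ldap-auth
add authentication Policy mfa-enabled-pol -rule "AAA.USER.IS_MEMBER_OF(\"MFA_Enabled\")" -action NO_AUTHN
add authentication Policy mfa-notenabled-pol -rule "AAA.USER.IS_MEMBER_OF(\"MFA_Enabled\").NOT" -action NO_AUTHN
add authentication Policy gcurry-saml-auth_pol -rule true -action gcurry-saml-auth

# --- Factors (policy labels) ---
add authentication policylabel EULA-desktop-pl -loginSchema EULA-schema
add authentication policylabel LDAP-desktop-pl -loginSchema LSCHEMA_LDAP_SSO
add authentication policylabel GrpEx-desktop-pl -loginSchema GroupExtraction
add authentication policylabel SAML-desktop-pl -loginSchema SAML

bind authentication policylabel EULA-desktop-pl -policyName EULA-accept-auth -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP-desktop-pl
bind authentication policylabel LDAP-desktop-pl -policyName ldap-auth_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor GrpEx-desktop-pl

# Branch: priority 90 is evaluated first. For a user who is not in MFA_Enabled
# its rule is false, so the policy is skipped (not failed) and priority 100
# completes authentication with no further factor.
bind authentication policylabel GrpEx-desktop-pl -policyName mfa-enabled-pol -priority 90 -gotoPriorityExpression NEXT -nextFactor SAML-desktop-pl
bind authentication policylabel GrpEx-desktop-pl -policyName mfa-notenabled-pol -priority 100 -gotoPriorityExpression END

bind authentication policylabel SAML-desktop-pl -policyName gcurry-saml-auth_pol -priority 100 -gotoPriorityExpression END

# --- Entry point ---
bind authentication vserver desktop-nFactor-aaa -policy noAuth -priority 100 -gotoPriorityExpression NEXT -nextFactor EULA-desktop-pl
```

Two things to check after applying this. First, IS_MEMBER_OF only sees groups the LDAP action actually extracted, so if MFA_Enabled is reached through a nested group you also need -nestedGroupExtraction ON (with -maxNestingLevel) on the ldapAction, otherwise every user falls through to the no-MFA branch. Second, the password that reaches the VDA is the one typed at the LDAP factor; FAS would only be needed if no factor in the flow collected a password (for example a SAML-only flow), which is not the case here.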
