Jump to content
Welcome to our new Citrix community!

Question about SSON when setting up nFactor for Gateway to use AD auth followed by Azure MFA


Recommended Posts

I have a Citrix Gateway which is setup to use nFactor auth as follows;

1st factor: EULA accept

2nd factor: LDAP on prem AD auth

I now need to add Azure MFA after the LDAP auth so I am going to setup an Azure Enterprise app and setup the NetScaler with a SAML server and policy which I can add as a 3rd factor to the nFactor flow.

What I am not sure about is SSON and passing credentials to the VDA and how best to achieve this. I'm thinking that I should setup Citrix FAS as the solution but I don't know if this is the right way to proceed. Another option which occurs to me is whether I can use the username and password from the 2nd factor with a traffic policy.

Any thoughts or assistance greatly appreciated.

Many thanks.

Link to comment
Share on other sites

Hello Gordon,

You do not need FAS in this scenario as NetScaler is credential aware since 2nd Factor LDAP auth takes place on NetScaler.

In order to pass on credentials from 2nd Factor in SSO please enable SSO option on login Schema bound to 2nd Factor as below:

image.thumb.png.e725ccb087101606fc90597b0b7a1f7e.png 

Thanks and regards,

Hemang

Link to comment
Share on other sites

So putting together an nFactor flow for the following;

1st Factor - EULA accpt

2nd Factor LDAP auth

Group membership check to determine if Azure MFA is required

3rd Factor - Azure MFA (SAML) if member of MFA group / No further auth if not member of MFA group.

I have put together the following flow on a test VPX (ignore the Schema profiles) but I'm not convinced it's right, Is anyone with good knowledge of nFactor able to comment.

# ** nFactor Visualizer 

# ** ------------------ 

# ** AAA vserver: desktop-nFactor-aaa

# **  Adv Authn Policy = noAuth

# **    Priority = 100

# **    Rule = true

# **    Action = NO_AUTHN

# **    Goto if failed = NEXT

# **    Next Factor if Success = EULA-desktop-pl

# **     Login Schema Profile = LSCHEMA_INT

# **     Adv Authn Policy = EULA-accept-auth

# **       Priority = 100

# **       Rule = true

# **       Action = NO_AUTHN

# **       Goto if failed = NEXT

# **       Next Factor if Success = LDAP-desktop-pl

# **        Login Schema Profile = LSCHEMA_INT

# **        Adv Authn Policy = ldap-auth_pol

# **          Priority = 100

# **          Rule = true

# **          Action = ldapAction named ldap-auth

# **          Goto if failed = NEXT

# **          Next Factor if Success = GrpEx-desktop-pl

# **           Login Schema Profile = GroupExtraction

# **           Login Schema XML = noschema

# **           Adv Authn Policy = mfa-enabled-pol

# **             Priority = 90

# **             Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled")"

# **             Action = NO_AUTHN

# **             Goto if failed = NEXT

# **             Next Factor if Success = SAML-desktop-pl

# **              Login Schema Profile = SAML

# **              Login Schema XML = noschema

# **              Adv Authn Policy = gcurry-saml-auth_pol

# **                Priority = 100

# **                Rule = true

# **                Action = samlAction named gcurry-saml-auth

# **                Goto if failed = END

# **           Adv Authn Policy = mfa-notenabled-pol

# **             Priority = 100

# **             Rule = "AAA.USER.IS_MEMBER_OF("MFA_Enabled").NOT"

# **             Action = NO_AUTHN

# **             Goto if failed = END

Many thanks

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...