nFactor Logic not working?

Ryan Fisher

Hello. I'm trying to set up OTP two-factor authentication based on AD group membership, and things aren't working quite as expected. Attached are the parts of my config that pertain to the OTP setup. If you need more of the config, let me know and I can post more. Also attached to this post you'll find a flowchart of how I want the authentication to work. It's probably easier to look at that to understand what I am trying to do, but I'll try to explain it briefly. Basically, if a user is not a member of the AD group Citrix-2Fa-Users, they will log in all the way to the app listing from the first login page. If they are a member of Citrix-2Fa-Users, it will check AD attribute 7 to see if there's a value. If there is, it will take them to another page where they enter only the OTP. If there is NO value for userParameters (attribute 7), it will take them to the manageotp page to set up a device.


70% works as expected:


- User NOT member of group, then logs in from first username/password login page and gets application list

- User IS member of group, and DOES have a device set up in attribute 7 (there IS a value in userParameters), the user will be taken to the next page to enter their 2nd factor password


What is NOT working as expected:


- User IS member of group, but does NOT have a value yet in attribute 7 (value of userParameters is <not set>), behavior is that the user gets logged in all the way straight to their application list, instead of being brought to the /manageotp page.


I can't figure out what I'm missing to make that first authentication policy follow the logic that is stated.  I have a case open with support, but they are struggling a little themselves, so I was hoping I could get another set of eyes on this as well.


Some background: our organization wants to implement two-factor, but does not want it to be a hard cutover; it should be more gradual. So we can put people in the AD group as we enroll them, as a way to control how fast we implement it. And I'd like the check to see whether the user is already set up and automatically send the user to /manageotp, because our users aren't going to know what to do or how to do it if it doesn't happen for them. I hope that can be done.
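One way to express the flow described in the post above as a Citrix ADC nFactor configuration. This is an added example, not the poster's attached config and not taken from Citrix documentation; the server IP, base DN, bind account, vserver name, policy/action/label names and the custom login schema file are all assumptions, and the `AAA.USER.ATTRIBUTE(7).LENGTH.GT(0)` expression used for the "device already registered" check is an assumption about how the extracted attribute is tested.

```text
# Added example: nFactor flow for gradual OTP rollout by AD group.
# All names, IPs, DNs and schema paths below are assumptions.

# Factor 1: username/password against AD. Extract group membership (memberOf)
# and copy userParameters into extracted attribute slot 7 for later policy checks.
add authentication ldapAction LDAP_Pwd_Act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=local" -ldapBindDn "svc-ns@example.local" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -Attribute7 userParameters
add authentication Policy LDAP_Pwd_Pol -rule true -action LDAP_Pwd_Act

# Factor 2 (OTP only): no password re-check, validate the token against the
# secret stored in userParameters. OnlyPassword.xml ships with the appliance.
add authentication ldapAction LDAP_OTP_Act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=local" -ldapBindDn "svc-ns@example.local" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters
add authentication Policy LDAP_OTP_Pol -rule true -action LDAP_OTP_Act
add authentication loginSchema OTP_Only_Schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel OTP_Factor -loginSchema OTP_Only_Schema
bind authentication policylabel OTP_Factor -policyName LDAP_OTP_Pol -priority 100 -gotoPriorityExpression END

# Enrollment branch: an informational factor whose schema (assumed custom XML
# file) tells the user to go to /manageotp and register a device.
add authentication loginSchema Enroll_Msg_Schema -authenticationSchema "/nsconfig/loginschema/EnrollMessage.xml"
add authentication policylabel Enroll_Factor -loginSchema Enroll_Msg_Schema

# Selector factor (no user interaction): route on group membership and attribute 7.
# Evaluation is by priority; the last policy is a catch-all so a member with an
# empty/unset userParameters cannot fall through to the application list.
add authentication loginSchema NoSchema -authenticationSchema noschema
add authentication Policy Sel_NotMember_Pol -rule "!AAA.USER.IS_MEMBER_OF(\"Citrix-2Fa-Users\")" -action NO_AUTHN
add authentication Policy Sel_Enrolled_Pol -rule "AAA.USER.IS_MEMBER_OF(\"Citrix-2Fa-Users\") && AAA.USER.ATTRIBUTE(7).LENGTH.GT(0)" -action NO_AUTHN
add authentication Policy Sel_NotEnrolled_Pol -rule "AAA.USER.IS_MEMBER_OF(\"Citrix-2Fa-Users\")" -action NO_AUTHN
add authentication policylabel Select_Factor -loginSchema NoSchema
bind authentication policylabel Select_Factor -policyName Sel_NotMember_Pol -priority 100 -gotoPriorityExpression END
bind authentication policylabel Select_Factor -policyName Sel_Enrolled_Pol -priority 110 -gotoPriorityExpression NEXT -nextFactor OTP_Factor
bind authentication policylabel Select_Factor -policyName Sel_NotEnrolled_Pol -priority 120 -gotoPriorityExpression NEXT -nextFactor Enroll_Factor

# Wire factor 1 to the authentication vserver and hand off to the selector.
bind authentication vserver AAA_vs -policy LDAP_Pwd_Pol -priority 100 -nextFactor Select_Factor -gotoPriorityExpression NEXT
```

The design point is the ordering in `Select_Factor`: the "not a member" and "member with a registered device" policies are matched first, and a plain membership test is left as the final catch-all. A member whose userParameters attribute is unset therefore always lands in the enrollment factor rather than being treated as fully authenticated. The attribute-7 test expression should be confirmed against the policy expression reference for the firmware in use before relying on it.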
