
Feed attributes from SAML claim to KCD or Session Profile

Citrix TEAM




I currently have the following setup

1 CS

1 LB bound to the CS that exposes a webservice

1 LB bound to the CS that exposes a WebUI

1 GW bound to the CS that exposes a storefront


The GW does the auth (SAML) for both the LBs and the GW itself. "Login Once" has been enabled and Storefront "fully delegates" auth to Netscaler.

Kerberos being needed for the webservice-LB, there is a KCD account in a traffic profile bound to that LB.


The Kerberos part works if I return the sAMAccountName in the SAML claim but not Storefront.

The Storefront part works if I return the UPN in the SAML claim but not Kerberos.


I have been able to return both the UPN and the sAMAccountName at the same time in the SAML claim and extract them using the SAML Profile. But I can't find a way to feed these either to the KCD account object or to the Session Profile.


Is there any way that I wouldn't be aware of to feed these extracted values as a user logon name to these policies/profiles?

Or is there another way to work around this issue?


Hello again,


I got it to work with a bit of inspiration from one of Carl's articles <3



I set up my SAML claim to return the sAMAccountName as "NameID" and the UPN in an attribute.

The NameID is picked up by the KCD part without doing anything else.

For the storefront part to work, I created a traffic profile/policy bound to the NSGW that overrides the User Name with HTTP.REQ.USER.ATTRIBUTE().

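The arrangement described in the reply above, sketched as NetScaler CLI. This is an added example, not the poster's configuration: the object names, the IdP URL, the attribute name `userPrincipalName` and the attribute index 1 are assumptions.

```text
# Constructed example: every object name, the URL and the attribute index
# are placeholders, not values from the thread.

# SAML action on the Gateway. The IdP sends sAMAccountName as NameID, which
# becomes the session user name (the value the KCD account then uses).
# The UPN arrives as a separate assertion attribute and is stored in slot 1.
add authentication samlAction saml_act_example -samlIdPCertName idp_cert_example -samlRedirectUrl "https://idp.example.test/saml/sso" -samlUserField NameID -attribute1 userPrincipalName

# Traffic action for StoreFront: SSO stays on, but the user name sent to the
# back end is taken from stored attribute 1 (the UPN) instead of the
# session user name.
add vpn trafficAction traf_act_sf_upn http -SSO ON -userExpression "HTTP.REQ.USER.ATTRIBUTE(1)"

# Policy that applies the action, bound to the Gateway virtual server.
add vpn trafficPolicy traf_pol_sf_upn true traf_act_sf_upn
bind vpn vserver gw_vsrv_example -policy traf_pol_sf_upn -priority 100

# Check after a test logon: the session user name should be the
# sAMAccountName, while StoreFront receives the UPN.
show aaa session
```

The rule `true` applies the override to all traffic through that Gateway virtual server; a narrower rule keeps the UPN substitution limited to the StoreFront requests.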
