
Rewrite Action using SAML attributes


I have an HTTPS service behind an LB vserver. I am authenticating it using an external SAML IDP bound to an AAA vserver. Everything works great; however, I need to enrich the request with an HTTP header using a variable coming from the SAML assertion (user group). When I call on the user attributes (e.g. HTTP.REQ.USER.ATTRIBUTE(1)), the value is always blank. Is this something that can be done? I've seen documentation about being able to use LDAP attributes in this way but haven't seen the same for SAML; I guessed it should be applicable for SAML too (https://support.citrix.com/article/CTX200342).


Version: Citrix VPX 11.1


Relevant code:


add lb vserver lb-vs-https SSL 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost -Authentication ON -authnVsName aaa-vs-tst

add rewrite policy rw-pl-1 true rw-act-1 -logAction logaction-1

add rewrite action rw-act-1 insert_http_header Remote_User Remote_User "HTTP.REQ.USER.ATTRIBUTE(1)"

bind lb vserver lb-vs-https -policyName rw-pl-1 -priority 110 -gotoPriorityExpression END -type REQUEST

add authentication samlAction saml-redirect-tst -samlIdPCertName cloudsso-test -samlRedirectUrl "https://cloudsso-test.example.com/idp/SSO.saml2" -samlUserField userid -samlIssuerName sso-lab -Attribute1 NameID -signatureAlg RSA-SHA256 -digestMethod SHA256 -enforceUserName OFF -logoutURL "https://cloudsso-test.example.com/idp/SLO.saml2"


Any help appreciated.



Funny timing. I just recently wanted to do something similar (nFactor policies based on SAML attributes). I have a case open with Citrix and this morning they informed me this is not currently possible. I'm seeing what I can do to have them add support for it.
