Jump to content
Welcome to our new Citrix community!

nFactor to Azure SAML conditional access

Paul Reno

Recommended Posts

I'm stuck, I have nFactor where it is rolling up through getting the username and password and group extraction, however when sending the SAML request I appear to be loosing the credentials. If I only use SAML without nFactor authentication works and my FAS server does what it should and I can launch my applications, but that user experience is less than ideal.  We need to be able to display the login screen my users are used to the get MFA from the SAML provider, which in my case is AzureAD.  


factor 1 - get username

factor 2 - ${HTTP.REQ.USER.NAME}/get password

factor 3 - SAML


on domain joined workstations factor 3 picks up the identity of the person logged in on that workstation regardless of what I enter in factor 1/2. 


Any help would be appreciated. Thank you. 

Link to comment
Share on other sites

Seems your policies  are not ordered correctly. As Azure MFA is the identity Provider, it should be the first factor. 


Can't you do Saml first, so that the user authenticates at the IDP and username(UPN) is returned as the nameid, then use that to sso to Storefront (FAS) takes care of the rest. 


Or you can also force the user for ldap auth post Saml and then NS can SSO to storefront. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...