SAML SSO - Multiple SP to single vserver with varying auth requirements by SP

Daniel Dallmann


I'd like to be able to do something like these two articles combined: have one primary interface for multiple SPs (there is an article for this already) BUT also do something like in the second article, where you can have SSO between a single-factor group and a 2FA group. So if you already have 2FA established for another SAML SP, you can then access other SAML single-factor apps; if you have single-factor SAML auth, then you need to elevate for a 2FA app.


I've seen people use Referral headers to identify the SP, but I've found that inconsistent, and I also don't see a way to extract the SAML Issuer via an expression.


One Public IP for AAA-TM Deployments on NetScaler



Configure Citrix Gateway for applications with different login site requirements including setup authentication



To confirm: are you trying to bind multiple SAML IdP profiles to your AAA server, and not sure how to handle them because you can't use the "Referer" header?


There's a very obscure way to accomplish this by having your policy expression set to "true", with your IdP profile having a service provider ID that will match the SP issuer/entity. Then you need to bind multiple policies like this with gotoexpression = NEXT, and this can only be done from the command line.


I know I've seen a CTX where this is mentioned, and it's come up in the forums a couple of times. If I recall, @Siddhartha Sarmah is the one who had info on it. I just tried searching for it for the last 15 minutes and came up with nothing... frustrating! But we are doing this in our environment, and it is working.


It would be great if it were better documented, and if it were also possible to do through the GUI.

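As an added illustration of the approach described in the post above (not configuration from the thread or from Citrix): a NetScaler CLI reconstruction that selects the SAML IdP profile by the SP's entity ID rather than by the client-supplied Referer header. Object names in angle brackets, the certificate names and the two example entity IDs are placeholders, and the option set is the editor's recollection of the documented samlIdPProfile/samlIdPPolicy syntax, so confirm it against your build's help output before use.

```text
# Added example, not from the thread. Placeholders: <aaa_vserver>, <idp_signing_cert>,
# <app1_sp_cert>, <app2_sp_cert>; app1/app2 URLs are constructed sample values.

# One SAML IdP profile per service provider. -serviceProviderID must equal the
# Issuer / entityID the SP sends in its AuthnRequest; that value, not the Referer
# header, is what selects the profile, so the choice cannot be steered by the browser.
# Requiring a signed AuthnRequest (-rejectUnsignedRequests ON together with the SP's
# signing certificate) means the Issuer that drives the selection is authenticated.
add authentication samlIdPProfile idp_prof_app1 -samlIdPCertName <idp_signing_cert> -samlSPCertName <app1_sp_cert> -assertionConsumerServiceURL https://app1.example.com/saml/acs -serviceProviderID https://app1.example.com/saml/metadata -rejectUnsignedRequests ON -signatureAlg RSA-SHA256 -digestMethod SHA256
add authentication samlIdPProfile idp_prof_app2 -samlIdPCertName <idp_signing_cert> -samlSPCertName <app2_sp_cert> -assertionConsumerServiceURL https://app2.example.com/saml/acs -serviceProviderID https://app2.example.com/saml/metadata -rejectUnsignedRequests ON -signatureAlg RSA-SHA256 -digestMethod SHA256

# The policy rule is deliberately "true": the match is made by the profile's
# serviceProviderID, not by the expression (there is no expression for the Issuer).
add authentication samlIdPPolicy idp_pol_app1 -rule true -action idp_prof_app1
add authentication samlIdPPolicy idp_pol_app2 -rule true -action idp_prof_app2

# Bind every policy with gotoPriorityExpression NEXT so evaluation continues past a
# profile whose serviceProviderID does not match the incoming request. Distinct
# priorities are required; their order does not matter for the match itself.
bind authentication vserver <aaa_vserver> -policy idp_pol_app1 -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver <aaa_vserver> -policy idp_pol_app2 -priority 110 -gotoPriorityExpression NEXT

# Verify the resulting bindings and the profile settings.
show authentication vserver <aaa_vserver>
show authentication samlIdPProfile idp_prof_app1
```

This only covers the single-interface part of the question; per-SP step-up from a single-factor to a two-factor session, which the thread goes on to discuss, is not expressed by these bindings.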

Thanks guys. Yes, this provides a way of having a single interface for SAML, but what if you want to have different auth requirements for specific ones, like in the second article I listed?


External apps with two-factor sessions (SSO) grant access to single-factor apps, but a single-factor session must be elevated to the two-factor session level to access two-factor apps. Referral is the only way I know of getting info about where the request originated in the SAML auth process, but I've seen issues with this depending on the browser; they don't include the info, which makes it unreliable.


I opened feature enhancement NSHELP-19764 in early June for being able to use SAML attributes in policy expressions. I am following up to see the status on it, as I haven't heard anything or seen it in the release notes. I would recommend opening a case and referencing the same ID to help it gain visibility.


Similar thread here: https://discussions.citrix.com/topic/403342-rewrite-action-using-saml-attributes/


They closed mine off; they ended up with "why would you want to do that, doesn't that defeat the purpose of SSO? (i.e. Login Once)". They suggested using the Referral method and multiple vservers and all kinds of things, which defeats the purpose... I mentioned it being a feature request, but based on how they wanted to close it off, that wasn't an option. I don't feel like fighting this battle.
