
need some advice setting up auth flow with sso



Hi all, 

 

I am setting up an authentication flow according to the image attached.

 

User hits the virtualserver.

If user client IP = x.x.x.x

apply SSO without login and give access to application

else 

require LDAP authentication and disable SSO.

 

Any advice on how to accomplish this? 

I was hoping to solve everything using nFactor, but the more I check, the more I feel that I might have to use content switching to solve the match-IP part.

 

 

(Attached image: flow.JPG)


This won't work, if I understand correctly. Filtering a traffic policy containing an SSO profile on certain IP addresses is no problem, of course, but how could you SSO someone you don't know? This is SSO, single sign-on, not NSO, no sign-on. So you will always need some sign-on.

 

Greetings from Austria

 

Johannes Norz

CTA, CCI, CCE-N


1 minute ago, Johannes Norz said:

This won't work, if I understand correctly. Filtering a traffic policy containing an SSO profile on certain IP addresses is no problem, of course, but how could you SSO someone you don't know? This is SSO, single sign-on, not NSO, no sign-on. So you will always need some sign-on.


I agree. I hope that the applications the users will have access to will trust domain-authenticated users, and remove the SSO part altogether.

 

One thought I have would be to check the certificate for the internal users, but I don't know if I can extract AD info without the users supplying login info.


14 minutes ago, Kim Henriksen said:

One thought I have would be to check the certificate for the internal users, but I don't know if I can extract AD info without the users supplying login info.

 

Well, of course you can. But SSO usually uses user name / password to log on to backend resources. You can't pass through a certificate to backend servers. So you need to do some kind of impersonation. This is called FAS and is somewhat complex.

 

Are your users domain users? Are they already logged on to the domain? In this case you might use Kerberos or NT-LANManager to log on to backend resources.

 

Greetings from Austria

 

Johannes Norz

CTA, CCI, CCE-N


1 hour ago, Johannes Norz said:

 

Well, of course you can. But SSO usually uses user name / password to log on to backend resources. You can't pass through a certificate to backend servers. So you need to do some kind of impersonation. This is called FAS and is somewhat complex.

 

Are your users domain users? Are they already logged on to the domain? In this case you might use Kerberos or NT-LANManager to log on to backend resources.


You're right. I do believe they are, yes, so for me the best solution would be to let the applications themselves handle the auth part and just let internal users pass directly to the application.

 

Update: So I now have these two solutions to go with.

(Attached image: flow_2.JPG)

Edited by Kim Henriksen
New information.