nFactor with singleAuth or dualAuth based on src

I am fine with nFactor, for instance for dual auth ldap+radius. But in a certain case I don't have a clue how to do that in one AAA vserver.


Our case:

- 2 SAML IDP Profiles

- for IDP1 users must login with username/Password/radius, and ldap has a search filter for group filtering

- for IDP2 users must login only with username/password, filtered via ldap search filter in another ldap server action


My questions:

- It seems to me that I have to bind two login schemas, and at least one must not have the "true" expression as the login schema policy expression

  --> so I added a 2-factor login schema (with policy expression true)

      and another 1-factor login schema with some "HTTP.REQ.HOSTNAME..." expression for displaying the 1FA form if the user connects to IDP2

- how to bind two login schemas, and which expressions to use?


Is it even possible to have more than one advanced authentication policy, with different expressions for different use cases (2FA, 1FA), as the first factor? What would such a policy look like?


Anyone got a clue? Or do I have to have a separate AAA vserver with its own IP and external IP for each case?





Multiple conditional flows are possible. But you may have to bind the policies differently.

What is the criterion that determines whether you want flow 1 with IDP1 or flow 2 with IDP2?

If it's a domain drop-down list, then this will be your initial policy/login schema, and it will then determine which policy labels/login schemas you go to next.

If it's some other criterion, then you might use different policy expressions in the "First factor", and then the login schema might need to be adjusted.




Here's a variation using nFactor with two different IDP scenarios: it asks for the username (UPN format) and then decides which SAML/IDP flow to use, A or B, based on the domain portion of the user name: https://nerdscaler.com/2017/05/06/netscaler-gateway-saml-multiple-idps-nfactor/ (nice write-up by Manuel Kolloff via nerdscaler from May 2017)


It still may not be exactly what you want, but between the two references it should point you in a possible direction. Hopefully this helps you out.


If you have extra details on what determines your IDP A vs. B scenarios, then someone might be able to help you tweak one of these or create something new that works for you.


Hi Rhonda,


Thank you for your replies.


Let's say IDP A is for a cloud-based app that only a few employees have access to. These employees are part of our corporate AD and members of certain AD groups. Only these employees should be able to access this app via SAML, no one else. For this case 2-factor username/password/OTP is necessary.


And then there is another IDP for another app that all employees can use. Authentication there will also be SAML with the ADC as IDP, and we only want them to authenticate with username/password. All these employees are part of our corporate AD.


Hope this describes my case a bit better.





As long as the users who need App A vs. App B don't overlap, and users only need one resource or the other, then you can probably do this on one AAA/VPN vserver as an nFactor flow based on group membership.


If the users of the cloud app also need the regular apps, then you would probably need separate AAA vservers, as the authentication is done before we know which app you are using (or, once done for one, it won't be redone for the second).
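As an added illustration of the group-membership flow described above (example configuration, not Rhonda's or Citrix's own, and not from the nerdscaler write-up): a NetScaler CLI sketch that keeps both SAML IDP profiles on one AAA vserver, authenticates everyone with username/password against AD, and prompts for a RADIUS OTP only when the user is a member of the cloud-app group. All names, addresses and the group name are placeholders; the login schema files are the samples shipped under /nsconfig/loginschema/LoginSchema/, and the built-in NO_AUTHN action and policy labels are assumed to be available on the firmware in use.

```netscaler
# Example only, not taken from the thread. Names and addresses are placeholders.
# Flow: factor 1 = username/password against AD (with group extraction),
#       then a schema-less decision factor, then RADIUS OTP only for
#       members of CloudApp_Users. Everyone else finishes after factor 1.

# --- Factor 1: LDAP with group extraction (memberOf -> cn) ---------------
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL \
    -ldapBase "DC=corp,DC=example,DC=com" -ldapBindDn "svc_ldap@corp.example.com" \
    -ldapBindDnPassword <secret> -ldapLoginName sAMAccountName \
    -groupAttrName memberOf -subAttributeName cn
add authentication Policy ldap_pol -rule true -action ldap_act

# Initial form: username + password for everyone (no second field up front)
add authentication loginSchema ls_single -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy ls_single_pol -rule true -action ls_single

# --- Factor 2: RADIUS OTP, reached only via the decision label below -----
add authentication radiusAction radius_act -serverIP 10.0.0.20 -radKey <secret>
add authentication Policy radius_pol -rule true -action radius_act

# Prompt for the passcode only; the password field is reused for the OTP
add authentication loginSchema ls_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel pl_radius -loginSchema ls_otp
bind authentication policylabel pl_radius -policyName radius_pol -priority 100 -gotoPriorityExpression NEXT

# --- Decision factor: no form (LSCHEMA_INT), just check extracted groups --
add authentication Policy is_cloud_user -rule "AAA.USER.IS_MEMBER_OF(\"CloudApp_Users\")" -action NO_AUTHN
add authentication Policy everyone_else -rule true -action NO_AUTHN
add authentication policylabel pl_route -loginSchema LSCHEMA_INT
# Group members continue to the OTP label ...
bind authentication policylabel pl_route -policyName is_cloud_user -priority 100 -gotoPriorityExpression NEXT -nextFactor pl_radius
# ... all other AD users are done after the password factor.
bind authentication policylabel pl_route -policyName everyone_else -priority 110 -gotoPriorityExpression NEXT

# --- Wire it up: one AAA vserver, both SAML IDP profiles bound to it ------
add authentication vserver aaa_vs SSL 10.0.0.100 443
bind authentication vserver aaa_vs -policy ls_single_pol -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vs -policy ldap_pol -priority 100 -nextFactor pl_route -gotoPriorityExpression NEXT
```

The caveat from the reply above still applies: the group check runs before the ADC knows which SP issued the SAML request, so a CloudApp_Users member opening the all-employee app is prompted for the OTP as well; if that is not acceptable, the two IDP profiles need separate AAA vservers.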





