ADC using AzureAD SAML login with Groups

What I am trying to achieve

1. User logs into ADC using Azure AD as the SAML iDP

2. The AD groups of which the user is a member are assessed and the corresponding ADC policies are applied.

3. User gets the assigned resources presented


A little history 


I am switching over from LDAP authentication to using Azure AD as the IdP for my ADC, for the purpose of getting the MFA experience that users are already comfortable with, as we use this elsewhere.

I have successfully configured this to work. I have set up FAS so that once authenticated, users can access their published resources. But I have to bind the policy to the gateway vserver for this to work. I have policies bound to AAA groups in order to present the correct resources after login.


The issue I have is that I have several AAA groups configured for the purpose of securing VPN access. While I am sending the groups with the SAML response, the ADC does not seem to use them in that format. 

I have attempted to use group extraction from LDAP as a second factor, but I cannot seem to get this working. I am missing something, and it's probably simple. Could anyone please shine a light on how I can get this working.



Basically I see two options.



If you have Enterprise/Advanced edition you can use nFactor and make SAML the first authentication and afterwards an authentication label with LDAPS, with an LDAP action where the authentication is disabled and the memberOf attribute is set correctly. The groups are still coming from LDAP and the matching will work with AAA User and AAA Group.

This should look something like that:


You have a SAML AuthAction and a SAML AuthPolicy with true in it, I guess; this should be working so far.


Create an LDAP action with no authentication and set the memberOf attribute correctly, and maybe the Logon Name is not the sAMAccountName (this is used as the default entry as far as I remember) but - at least in my case - UPN (or mail). The bind password is a placeholder here, as are the other angle-bracket values:

add authentication ldapAction ldaps_noauth -serverName <ldap server> -serverPort 636 -ldapBase "DC=domain,DC=local" -ldapBindDn user@domain.local -ldapBindDnPassword <bind password> -ldapLoginName userPrincipalName -groupAttrName memberOf -secType SSL -ssoNameAttribute userPrincipalName -authentication DISABLED -passwdChange ENABLED


Create an advanced authentication policy with true for this LDAPS no-authentication action:

add authentication ldapPolicy authpol_ldaps_noauth ns_true ldaps_noauth


Now we need a policy label, because the next factor always needs to be configured as a policy label:

add authentication policylabel AuthPolLabel -loginSchema LSCHEMA_INT

bind authentication policylabel AuthPolLabel -policyName authpol_ldaps_noauth -priority 100 -gotoPriorityExpression NEXT


The advanced authentication policies need an authentication vserver and not a Citrix Gateway vserver. So you have to create an authentication vserver, add an SSL certificate and create an authentication profile for it, and bind this to the Citrix Gateway vserver. The authentication vserver can be non-addressable; no need for an IP here.


add authentication vserver nFactorAAA SSL

bind ssl vserver nFactorAAA -certkeyName <some ssl certificate>

add authentication authnProfile AuthProfile-nFactor -authnVsName nFactorAAA


The SAML advanced authentication policy needs to be bound to the authentication vserver, and in the binding the next factor - the policy label - must be specified.

bind authentication vserver nFactorAAA -policy AuthPol-saml-AzureIDP -priority 100 -nextFactor AuthPolLabel -gotoPriorityExpression NEXT


This configuration should bring your groups back.

cat /tmp/aaad.debug should also list the groups during a successful authentication.




You can also configure the Azure IdP to return the group membership as a claim if Azure AD has the groups synced. https://support.citrix.com/article/CTX230661 describes how to extract the groups to the user attribute. But the AAA Groups and AAA Users will not work the way they did before. You need to filter them as part of the VPN vserver policies, and all the policies must be bound to the vserver.


Don't hesitate to ask if something is too confusing in my description :-D


Best Regards,



It seems that I am getting group extraction and that the policy is not being applied in the correct order for some reason. 


The policy below in green is the one that is supposed to apply when using the SAML auth. As you can see this is priority 40, which is the highest. However, I am finding that the policy that is applied is the red policy. If I remove that policy through an expression, then blue is applied. Only if I forcefully exclude the other policies is my green policy applied.

All of the other policies shown are for access via another gateway vserver with LDAP auth.


0 pcp_hits authn(
0 pcp_hits vpnsession(SETVPNPARAMS_ADV_POL)
0 pcp_hits vpnsession(PL_WB_LDAP_Allow_FullAccess)
0 pcp_hits vpnsession(PL_WB_LDAP_Allow_VPN_Only)
0 pcp_hits vpnsession(PL_WB_LDAP_Allow_IT)
0 pcp_hits vpnsession(PL_WB_LDAP_AllowICAOnly)
0 pcp_hits vpnsession(PL_WB_AzureAD_Allow_IT)
0 pcb_hits authnBinding_24_41_GroupExtraction_100(
0 pcb_hits policyBinding_26_20000000081_GLOBAL REQ_DEFAULT_65534(SETVPNPARAMS_ADV_POL)
0 pcb_hits policyBinding_26_11_Group - IT Staff_50(PL_WB_LDAP_Allow_IT)
0 pcb_hits policyBinding_26_11_Group - Network - Entire Network_90(PL_WB_LDAP_Allow_VPN_Only)
0 pcb_hits policyBinding_26_11_Group - Allow Logon_90(PL_WB_LDAP_Allow_FullAccess)
0 pcb_hits policyBinding_26_11_Group - Allow Applications_89(PL_WB_LDAP_AllowICAOnly)
0 pcb_hits policyBinding_26_11_Group - AZureAD - TEST_40(PL_WB_AzureAD_Allow_IT)
0 pl_hits authnLabel_24_(GroupExtraction)

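To make the flow from the first reply concrete against the bindings listed above, here is an added example (not code from the thread or from Citrix): the SAML factor yields a UPN, the no-authentication LDAP lookup yields memberOf DNs, the CN of each DN is matched against AAA group names, and the group-bound session policy with the lowest priority number is chosen. The directory contents are constructed, and "lowest priority number wins among matching group bindings" is the evaluation model the thread expects, stated here as an assumption.

```python
"""Model of SAML -> LDAP group extraction -> group-bound policy selection.
Directory data is constructed; bindings mirror the pcb_hits listing above."""
import re

# Constructed stand-in for the LDAP server behind ldaps_noauth (assumption).
DIRECTORY = {
    "jane@domain.local": [
        "CN=Group - IT Staff,OU=Groups,DC=domain,DC=local",
        "CN=Group - Allow Logon,OU=Groups,DC=domain,DC=local",
        "CN=Group - AZureAD - TEST,OU=Groups,DC=domain,DC=local",
        r"CN=Ops\, East,OU=Groups,DC=domain,DC=local",  # escaped comma in RDN
    ],
}

# Session-policy bindings as (AAA group, priority, policy) from the thread.
BINDINGS = [
    ("Group - IT Staff", 50, "PL_WB_LDAP_Allow_IT"),
    ("Group - Network - Entire Network", 90, "PL_WB_LDAP_Allow_VPN_Only"),
    ("Group - Allow Logon", 90, "PL_WB_LDAP_Allow_FullAccess"),
    ("Group - Allow Applications", 89, "PL_WB_LDAP_AllowICAOnly"),
    ("Group - AZureAD - TEST", 40, "PL_WB_AzureAD_Allow_IT"),
]

# Leading CN RDN; "\\." keeps RFC 4514 escaped characters inside the value.
_RDN_RE = re.compile(r"^CN=((?:\\.|[^,])*)", re.IGNORECASE)


def cn_of(dn: str) -> str:
    """Return the CN of a memberOf DN, unescaping backslash escapes."""
    m = _RDN_RE.match(dn)
    if not m:
        raise ValueError(f"memberOf value has no leading CN RDN: {dn}")
    return re.sub(r"\\(.)", r"\1", m.group(1))


def lookup_groups(upn: str) -> list[str]:
    """Factor 2: search by userPrincipalName and read memberOf as CNs.
    No password is checked, mirroring -authentication DISABLED."""
    return [cn_of(dn) for dn in DIRECTORY.get(upn, [])]


def select_policy(groups):
    """Lowest priority number among policies bound to the user's groups
    (assumed evaluation model); ties keep bind order; None if no match."""
    hits = [b for b in BINDINGS if b[0] in groups]
    return min(hits, key=lambda b: b[1])[2] if hits else None


if __name__ == "__main__":
    g = lookup_groups("jane@domain.local")
    print(g, "->", select_policy(g))
```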


So the group extraction is working, otherwise the policy would never be applied :^)

I guess you see the Group Names in the aaad.debug? What is the expression for the session policy? On the group and also on the vserver itself?

Just to get a point into the right direction (not a solution): try to bind the policy to a test user. Does this work (i.e. is it the binding, or is there still something wrong with the groups)?

Maybe try to change the binding priority, maybe something is interfering.


Best Regards,




Yes, group extraction is now working as per method 1 above, thanks.

I have 2 vservers: one is auth.mycompany.com, which is used for the Azure AD integration, and the other is direct.mycompany.com, which is set up as the traditional LDAP auth.

Each has its own authentication vserver and authentication profile and backs onto its own CS vserver.


So my policies look like this:

Most of the policies have this expression, "HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT", so they only apply to web sessions.

I have changed the ones I want to exclude to "HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT&&HTTP.REQ.HOSTNAME.CONTAINS("auth.mycompany.com").NOT" to get this to work in the meantime, but would have expected it to respect the policy priority.


I have created a fresh user to use as a test user and the results are the same. The priority 50 policy is taking precedence over the priority 40 one.


