Jump to content
Welcome to our new Citrix community!

nFactor authentication based OTP/MFA based on group membership

Recommended Posts



Trying to configure this setup with nFactor but I am a little bit lost... This is for Citrix Gateway usage. I have Azure MFA and Citrix OTP solution working separately so that part is already taken care of. The scenario is this:


If user X is a member of group A he shuold use MFA authentication.

If user Y is a member of group B he should use Native OTP.


If not a memeber in any of the two groups of course not logged in at all.





Link to comment
Share on other sites

Not a complete answer; but maybe some info to help you get started.

But first, if you already know how to do your MFA vs OTP as individual authentication policies on their own with the group membership, then you are mostly there.  IF you need info on how each authentication type needs to be configured ask and we'll try to get you more info.


While nfactor can be a little challenging to learn from scratch one or two examples for a simple scenario that does parts of what you want can help you figure out the elements you need to do the whole thing.

This is my go to reference to get started with an nfactor flow as its relatively straight forward (ldap for one Group and ldap/radius for another group). And gives you the basic idea for how to 1) configure the authentication to ask for you usersname first to determine group membership and then set your first condition nfacto to go to either 2a) GroupA: ldap vs 2b) GroupB: ldap/radius.


After that, you can then swap in your mfa vs otp based on groups. (At least that's one way to do it.)


And here's a good OTP example from JG Spiers (but on its own and not with other nfactor criteria):  https://www.jgspiers.com/netscaler-native-otp/


A couple key points about nfactor:

1) loginschemas are your "interface parts" to present to the users.  A login schema is on your policy bind points aka either the schema we present as the "default" schema of the gateway (or aaa vserver).  And then if you break your authentication into vairous next_factors (aka a policy label), then each label gets a single loginschema (interface).  So, each schema aka factor is what type of interface do I need to get the credential type I'm looking for.

2) If you have multiple policies in the same bind point (like on a single vpn vserver) or a single next_factor (authe policy label), it works like a policy cascade.  Where any one policy in that point, needs to succeed to login. (Similar to if you had mutiple policies bound in the Primary (classic engine) bind point; things in same bind point are in an "OR" relationship with each other.

3) Any  policy with a NEXT_FACTOR specified, allows the policy to say if this policy succeeds AND a policy in the next_factor (policy label) also needs to succeed.    This gives you the "AND" relationship.  (In the classic engine, this would be a policyA in Primary AND a policyB in Secondary)).  You just now have the option of having mulitple next_factors, policyA AND next_factor PolicyB which has a next_factor PolicyC.


When you deploy or have issues with nfactor, good rule of thumb is to go back to a single-factor config and first just make sure your individual standalone authentication criteria works as expected: OTP only or  MFA (ldap/radius) only.  Make sure the underly authentication is good and then go back to building nfactor conditional flows...at least at this point your reasonably certain you only have to troubleshoot the nfactor config and not the authentication policies themselves.  NFactor == some assembly required :)






  • Like 1
Link to comment
Share on other sites


Thank you Rhonda for your thorough answer, much appreciated! 


On 6/13/2020 at 12:32 AM, Rhonda Rowland1709152125 said:

But first, if you already know how to do your MFA vs OTP as individual authentication policies on their own with the group membership, then you are mostly there.  IF you need 



I have them configured separately but without group extraction. I will try som scenarios and see if I can get somewhere. 


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...