
SAML in nfactor


The username is automatically added to the SAML request when SAML is configured in nFactor, according to this note in https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/saml-authentication.html:

"Starting from NetScaler 12.0 Build 51.x, Citrix ADC appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance sends a NameID attribute as part of a SAML authorization request, retrieves the NameID attribute value from the Citrix ADC SAML Identity Provider (IdP), and prepopulates the user-name field."

This, however, causes problems with some IdPs. Is there any way to disable the addition of this in the SAML request? This behavior adds the following to the SAML request:

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Anonymous</saml:NameID>
</saml:Subject>

and this causes the IdP to fail.




On 2/18/2021 at 11:33 AM, Kim Nilsson said:

If I understand the question correctly, you can disable this behavior with: "nsapimgr_wr.sh -ys call=ns_saml_dont_send_subject"

If this fixes the issue, make it persistent across reboots! Edit your /nsconfig/rc.netscaler file to add the line:  
nsapimgr_wr.sh -ys call=ns_saml_dont_send_subject

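To confirm whether the appliance still sends the Subject after the change, the SAMLRequest value captured from the browser's hand-off to the IdP can be decoded and inspected. The following is an added example, not part of the thread and not Citrix code; the function names are hypothetical, and the sample requests are constructed (ID and IssueInstant are placeholders, the Subject is the one quoted in the question).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples: ID/IssueInstant are placeholders, Subject is the one from the thread.
SUBJECT = ('<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
           'Anonymous</saml:NameID></saml:Subject>')
TEMPLATE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">%s'
            '</samlp:AuthnRequest>')
WITH_SUBJECT = TEMPLATE % SUBJECT
WITHOUT_SUBJECT = TEMPLATE % ""

def decode_authn_request(saml_request: str) -> bytes:
    """Return the AuthnRequest XML carried in a SAMLRequest parameter value."""
    raw = base64.b64decode(unquote(saml_request))
    if raw.lstrip().startswith(b"<"):
        return raw  # HTTP-POST binding: base64 only
    # HTTP-Redirect binding: raw DEFLATE without a zlib header, hence wbits=-15.
    return zlib.decompress(raw, -15)

def request_subject(saml_request: str):
    """Return (Format, value) of the NameID inside <saml:Subject>, or None if absent."""
    xml = decode_authn_request(saml_request)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in a SAML message")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return name_id.get("Format"), (name_id.text or "").strip()

def encode_redirect(xml: str) -> str:
    """Encode a sample the way the HTTP-Redirect binding does (DEFLATE, then base64)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

if __name__ == "__main__":
    for label, xml in (("before", WITH_SUBJECT), ("after", WITHOUT_SUBJECT)):
        print(label, request_subject(encode_redirect(xml)))
```

A result of `None` for a request captured after the change means the Subject element is no longer being sent.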
