Jump to content
Welcome to our new Citrix community!

Citrix Gateway with Azure SAML and login_hint parameter

Robert Trasatti

Recommended Posts

I have the Citrix gateway configured with the AAATM authentication server and nFactor authentication. The AAATM is configured to prompt the user for their email address and then nFactor makes a decision about how to authenticate the user. Some users authenticate with DUO Radius Proxy while others authenticate using Microsoft Azure and SAML. Everything is working as expected, the Citrix gateway prompts the user for their email address, makes a decision about how to authenticate them and in the case of the Azure users, it redirects them to the Microsoft Azure Enterprise App. They authenticate, answer the second factor challenge and Azure redirects them back to the ADC which directs them to the proper Storefront store which supports Citrix FAS to present the user with their published applications. The problem I am having is figuring out a way to add a parameter to the redirection URL being returned to the user by the Citrix ADC. I would like it to add the login_hint=<emailaddress> parameter so the user does not need to type their username twice. I have hard-coded this into the redirection URL of the SAML action to test it and it allows the user to bypass the user prompt at the Azure login and go straight to the password prompt. I have tried adding a Rewrite action and policy to the response object from the Citrix gateway but this never fires off. I can see that when the user clicks submit on the page where they enter their email address the browser posts to /nf/auth/doAuthentication.do this redirects to the /nf/auth/doSaml?act=<SAML ACTION NAME> and performs a GET. The Get returns an HTML page that does an automatic submit on page load and the form action contains the login.microsoft.com URL for the Azure tenant along with the SAML Request. If I could rewrite the HTML page returned by the ADC I should be able to add the parameter value to the redirection URL in the HTML body. Just not sure how to configure the rewrite rule or where to apply it. Should it be on the Citrix gateway or the AAATM virtual server? Any help or guidance would be appreciated. 

Link to comment
Share on other sites

  • 2 weeks later...
  • 4 weeks later...

Did anyone get anywhere on this? I'm using the username only field to determine rather to send users to a SAML server or use LDAP+RADIUS. I cannot figure out how to send the username to the SAML server.


Mine is the same with ADC does a post to /nf/auth/doAuthentication.do which has the "login" payload but then it does a GET to /nf/auth/doSaml?ctx=<random> which does not have the login. I opened a ticket but still waiting.

Link to comment
Share on other sites

Worked with multiple support engineers from Citrix and it is not currently possible to do this. The response from the AAATM server and passed back to the user's browser through the Citrix gateway does not go through the rewrite policy engine so the policy never gets hit. They have filed a bug request and enhancement request to address the issue but no determination if they will fix it or how long it would take to address. My sales rep. is telling me that multiple people have complained about this, so hopefully that helps push it along. 

Link to comment
Share on other sites

  • 2 months later...

There is no way to customize that URL currently, and Rewrite policies will not fire for AAA traffic.  You can better understand why if you look at the Packet Flow diagram located here:




There may be another way to do this via Content Switching but the configuration might be a little ugly.



Link to comment
Share on other sites

  • 6 months later...

It is possible to do it using 'loopback' nitro calls.

I just made it working using webauth against snip address (httpcallout does not work well for 'loopback' nitro calls), nfactor flow is a bit insane (I have a bit complicated setup because of azure multiple nic setup ha pair - not shared snip ips, I had to resolve how to handle active/passive node, two different paths in flow).

Link to comment
Share on other sites

  • 3 months later...
  • 1 month later...
On 3/30/2023 at 10:03 AM, Julian Jakob said:

I had to dive into this and finally was able to get this to work. It's not possible with SAML, as Azure AD isn't supporting the login_hint. It's working fine when switching to OAuth. Here are the config details, hope this helps! https://www.julianjakob.com/citrix-netscaler-oauth-to-azure-ad-with-login_hint-subject-field/ 



Thank you for updating this issue. Your solution worked perfectly. 

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...