Can someone explain the "Single Sign-on Domain" on session policies?



My users log in using their UserPrincipalName and I know it works fine if I completely remove the "Single Sign-on Domain" from the published applications, but I'm trying to use nFactor to direct some users to a SAML server and fall back to an LDAP server. When I populate the session policy with the "Single Sign-on Domain" value it will work for the SAML server but not work for LDAP.

With the domain populated it will return this on the StoreFront server:

Quote

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: jdoe
domain: domain.local

The problem is the user logged in with jdoe@domain.com. It is getting the "domain: domain.local" from the session policy but I don't know where it is getting "jdoe" because the user's SamAccountName is actually "jdoe_domainloc". It's like Netscaler is just taking it upon itself to use the characters before the @ as the username which isn't correct.


LDAP policy on ADC has a logon attribute set to either UPN or sAMAccountName.

There's also the SSO Name Attribute field in the LDAP policy with the same options.

Gateway Session Policy has a SSON Domain field that should only be used for sAMAccountName logons, since UPNs already have the domain name in their suffixes. SAML assertions usually return userPrincipalNames, not sAMAccountNames.


9 minutes ago, Carl Stalhood1709151912 said:

LDAP policy on ADC has a logon attribute set to either UPN or sAMAccountName.

There's also the SSO Name Attribute field in the LDAP policy with the same options.

Gateway Session Policy has a SSON Domain field that should only be used for sAMAccountName logons, since UPNs already have the domain name in their suffixes. SAML assertions usually return userPrincipalNames, not sAMAccountNames.

Clearing the SSON domain field does make it work, but I was more curious where exactly Citrix is getting the username when it passes it to StoreFront. In my case, it isn't using the CN, SamAccountName, or UserPrincipalName, and it appears that if you DO populate the SSON domain field, it is just parsing the UserPrincipalName you enter in the user field and using what is before the @ as the username (which it is expecting to be a SamAccountName). I just thought it was odd.

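To make the failure in this thread concrete, here is a small model, written for this page and not taken from NetScaler/ADC, StoreFront or any of the posters. It reproduces the observed behaviour (with a Single Sign-on Domain set, the name sent to StoreFront is whatever precedes the "@" of the typed UPN plus the policy domain), checks those CitrixAGBasic credentials against a constructed sample directory entry whose sAMAccountName differs from the UPN prefix, and adds a lint check that encodes the rule from the answer above: only set the SSO domain when the name handed to StoreFront is a sAMAccountName. The directory entry, the split-on-"@" rule and the verification logic are assumptions made for illustration; the GUI fields discussed map, as far as I recall, to `-ldapLoginName` and `-ssoNameAttribute` on the `ldapAction` and `-ntDomain` on the `vpn sessionAction`, but that mapping is not something this thread confirms.

```python
"""Model of the CitrixAGBasic credential hand-off discussed in this thread.

Illustrative code written for this page; it is NOT NetScaler/ADC or
StoreFront code.  The directory below is constructed sample data and the
split-on-'@' rule is the behaviour the original poster observed, nothing more.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample directory: one account whose sAMAccountName differs
# from the left-hand part of its UPN, exactly the situation in the thread.
DIRECTORY = [
    {
        "sAMAccountName": "jdoe_domainloc",
        "userPrincipalName": "jdoe@domain.com",
        "ntDomain": "domain.local",
    },
]


@dataclass(frozen=True)
class AGBasicCreds:
    """What the Gateway hands to StoreFront (user plus optional NT domain)."""
    user: str
    domain: Optional[str]


def derive_agbasic_creds(typed_name: str, sso_domain: Optional[str]) -> AGBasicCreds:
    """Model of the credential derivation.

    With an SSO domain configured, the observed behaviour is a split on '@':
    user = text before '@', domain = the session policy value.  With no SSO
    domain the typed name is passed through unchanged (the UPN logon that
    the poster says works).
    """
    if sso_domain:
        return AGBasicCreds(user=typed_name.split("@", 1)[0], domain=sso_domain)
    return AGBasicCreds(user=typed_name, domain=None)


def storefront_verify(creds: AGBasicCreds, directory=DIRECTORY) -> bool:
    """Assumed verification: DOMAIN\\user is matched on sAMAccountName and
    NT domain; a bare name containing '@' is matched on userPrincipalName."""
    for entry in directory:
        if creds.domain is not None:
            if (entry["sAMAccountName"].lower() == creds.user.lower()
                    and entry["ntDomain"].lower() == creds.domain.lower()):
                return True
        elif "@" in creds.user:
            if entry["userPrincipalName"].lower() == creds.user.lower():
                return True
    return False


def lint_policy(sso_name_attribute: str, sso_domain: Optional[str]) -> List[str]:
    """Encode the rule from the answer: the SSO domain belongs only with
    sAMAccountName-style SSO names, because a UPN already carries its
    domain suffix."""
    problems = []
    if sso_domain and sso_name_attribute.lower() == "userprincipalname":
        problems.append(
            "SSO domain is set but the SSO name attribute is userPrincipalName; "
            "clear the SSO domain or switch the SSO name attribute to sAMAccountName"
        )
    return problems


if __name__ == "__main__":
    # The failing case from the thread: UPN typed, SSO domain populated.
    bad = derive_agbasic_creds("jdoe@domain.com", "domain.local")
    print(bad, "verified:", storefront_verify(bad))
    # The working case: SSO domain cleared, UPN passed through.
    good = derive_agbasic_creds("jdoe@domain.com", None)
    print(good, "verified:", storefront_verify(good))
    # A sAMAccountName logon, where the SSO domain is the right tool.
    sam = derive_agbasic_creds("jdoe_domainloc", "domain.local")
    print(sam, "verified:", storefront_verify(sam))
    for p in lint_policy("userPrincipalName", "domain.local"):
        print("lint:", p)
```

Running it shows why the StoreFront event in the first post reads `user: jdoe / domain: domain.local`: the split produces a name that is not the account's sAMAccountName, so verification fails, while the same UPN passed through without a domain matches on userPrincipalName. The lint function is the check worth adding to any configuration review of a Gateway that fronts both SAML (UPN-returning) and LDAP (sAMAccountName) factors.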
