
Set attribute to custom text in SAML Action if AAA.USER.GROUPS contains a specific group



Hi Christoph,


You can create your SAML action with the custom attribute as desired. Then create a SAML policy where you do your condition check e.g. AAA.USER.GROUPS.CONTAINS("groupfoo") and set your newly created action as the action for this policy.


If you already have a SAML policy/action in place without this check, then just clone your existing action to make things a little easier. I'm assuming here for a moment that your original policy is just evaluating to 'true' all the time, so put this new policy with the group check in front of it (meaning, give it a higher priority). Also make sure that the gotoPriorityExpression is set to END instead of NEXT, to prevent the 'true' policy from hitting as well.


Hope this helps.


Cheers,

G.


  • 1 month later...

Hi Gunther,


Sorry to report.


The approach totally makes sense, but unfortunately ADC evaluates the applicable SAML action before user authentication on the AAA; you can see it in ns.log. As soon as you hit the AAA, ADC has already chosen a SAML action before you enter username and password. Hence any SAML policies filtering for a user's properties will automatically never apply, as the values are not known at this stage.


We have opened Citrix case 81291695 to check if that's a bug or a limitation of the software (running 13.0).


Regards


  • 2 weeks later...
  • 1 month later...

Hi,


Update: According to Citrix 81291695 it's not possible to put any filters targeting AAA.USER in policies for SAML actions. Citrix reproduced the setup in their lab and the product simply doesn't support it. The SAML policies are always evaluated before authentication, even if you put a Content Switching Server with bound authentication in front, and even if it doesn't make any sense to handle priorities this way. If a user is already authenticated, meaning they simply press back in the browser and then go through Auth for the page again, it works as intended. According to Citrix that is by design.


I am having a hard time explaining to our customer how this is by design and how MS ADFS is able to do that, but his expensive LB product behaves this awkwardly.


Regards
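The following is an added illustration, not code from the thread or from Citrix: a small Python model of how an authentication vserver walks a bound chain of SAML policies. It covers both Gunther's advice (bind the group-specific policy in front of the catch-all 'true' policy and give it gotoPriorityExpression END rather than NEXT) and Christoph's finding that a rule on AAA.USER.GROUPS can never match when the chain is walked before the user has authenticated, because the session carries no group information at that point. Policy names, action names, the `Session` stand-in for AAA session state, and the assumption that lower priority numbers are evaluated first are all constructed for the example.

```python
"""Toy model of a SAML policy chain bound to an authentication vserver.

Constructed for this illustration; it is not Citrix ADC code. It models only
priority ordering, gotoPriorityExpression (END vs NEXT) and the fact that a
group rule reads session state that is empty before authentication.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Session:
    """Minimal stand-in for the AAA session state a policy rule can read."""
    authenticated: bool = False
    groups: List[str] = field(default_factory=list)


@dataclass
class SamlPolicy:
    name: str
    priority: int                           # lower number = evaluated first (assumption)
    rule: Callable[[Session], bool]         # stands in for the policy expression
    action: str                             # SAML action selected on a hit
    goto_priority_expression: str = "NEXT"  # "END" stops the walk after a hit


def groups_contains(group: str) -> Callable[[Session], bool]:
    """Model of AAA.USER.GROUPS.CONTAINS("group"): false while no groups are known."""
    return lambda s: group in s.groups


def evaluate_chain(policies: List[SamlPolicy], session: Session) -> List[str]:
    """Walk the chain in priority order; return every action that hit, in order."""
    hits: List[str] = []
    for pol in sorted(policies, key=lambda p: p.priority):
        if not pol.rule(session):
            continue
        hits.append(pol.action)
        if pol.goto_priority_expression == "END":
            break          # END: stop here so later policies cannot hit as well
    return hits


def build_chain(goto_for_group_policy: str) -> List[SamlPolicy]:
    """Group-check policy bound in front of a catch-all 'true' policy."""
    return [
        SamlPolicy("pol_groupfoo", 100, groups_contains("groupfoo"),
                   "act_groupfoo_attr", goto_for_group_policy),
        SamlPolicy("pol_default", 110, lambda s: True, "act_default", "NEXT"),
    ]


def demo() -> Dict[str, List[str]]:
    """Run the three scenarios discussed in the thread and return the hits."""
    results: Dict[str, List[str]] = {}

    # Authenticated member of groupfoo: END stops at the group-specific action.
    member = Session(authenticated=True, groups=["groupfoo"])
    results["member_end"] = evaluate_chain(build_chain("END"), member)

    # Same user, but NEXT on the group policy: the 'true' policy hits as well.
    results["member_next"] = evaluate_chain(build_chain("NEXT"), member)

    # Chain walked before authentication (the observed behaviour): no groups
    # are known yet, so only the catch-all policy can hit.
    pre_auth = Session()
    results["pre_auth_end"] = evaluate_chain(build_chain("END"), pre_auth)
    return results


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario}: {hits}")
```

The third scenario is the one the thread ends on: whatever the priorities and goto expressions, a rule that reads AAA.USER.GROUPS evaluates to false while the session is still unauthenticated, so only the unconditional policy can ever be selected at that stage.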


  • 2 months later...

Hi Christoph,


Sorry for my late reply... Anyhow, maybe an idea here would be to place whatever service you're trying to authenticate/set the attribute for onto a different flow? With that I mean that you make the user hit the authentication page when they access the original URL, they do the auth, and then you redirect them to a second URL that basically hits the same authentication vServer. It would have the same effect as having the user hit the 'back' button, but as it's automatic it would be transparent for the user.


Cheers,
G.
