Groups from Azure AD iDP not getting passed to ADC

resyrt erwtret

We currently have a customer with a gateway, and his session policies are bound to AAA groups.


We are making the transition to using Azure SAML as the IdP, but the groups are not being read.


The groups (and members) are being synced from on-prem to Azure, so they are in both places.


I am using advanced policies with nFactor, but the logs show the groups aren't being passed from Azure.


What can I do?


Thank you

nslog.txt messages.txt aaaddebug.txt


11 hours ago, Carl Stalhood1709151912 said:

I actually followed your configuration to do this since Citrix documentation lacks certain instructions.


I believe I am at a point where my Azure user does indeed find its on-premise user equivalent, but it does not find its necessary groups in relation to the AAA groups and session policies. Without this, it is impossible to "migrate" from the on-premise AAA group with session policies to the Azure groups with session policies.


I'm currently going to open a case with Citrix with the customer account so they can lend a hand; I believe the issue at this point might be a Citrix ADC bug that does not correctly read the groups and relate them to AAA groups/session policies.




  • 2 weeks later...


Not sure what version you are running.....

nFactor with SAML auth for the first factor and group extract as the second; you can follow this with any other factors as you need (EPA etc.). Carl has written some great articles on the subject. You can use aaa.debug to make sure the AD groups are being passed to your NetScaler and match your AAA groups - then just assign your policies.
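
The factor chain described in the reply above, sketched as NetScaler CLI. This is an added example, not configuration posted in the thread: it assumes an existing SAML action `saml_azure` and authentication vserver `aaa_vs`, that the SAML username is the user's UPN, and every other name, address and DN is a placeholder.

```netscaler
# Constructed example: all names, addresses and DNs below are placeholders.
# Assumes samlAction "saml_azure" and authentication vserver "aaa_vs" already exist.

# Factor 2: LDAP action used only to look up group membership.
# -authentication DISABLED means no password is checked; the username
# handed over from the SAML factor is searched for via -ldapLoginName.
# Use LDAPS and a bind account that only has read access to the directory.
add authentication ldapAction ldap_grp_extract -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=com" -ldapBindDn "svc_adc@example.com" -ldapBindDnPassword <password> -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
add authentication Policy pol_grp_extract -rule true -action ldap_grp_extract

# Policy label that holds the second factor; LSCHEMA_INT shows no login form.
add authentication policylabel lbl_grp_extract -loginSchema LSCHEMA_INT
bind authentication policylabel lbl_grp_extract -policyName pol_grp_extract -priority 100 -gotoPriorityExpression NEXT

# Factor 1: SAML against the IdP, chained to the group-extraction factor.
add authentication Policy pol_saml_azure -rule true -action saml_azure
bind authentication vserver aaa_vs -policy pol_saml_azure -priority 100 -nextFactor lbl_grp_extract -gotoPriorityExpression NEXT

# AAA group whose name matches the cn of the on-prem AD group, with the
# existing session policy bound to it.
add aaa group "Citrix-Users"
bind aaa group "Citrix-Users" -policy sess_pol_users -priority 100
```

With this layout the group names come from the on-prem directory lookup rather than from the SAML assertion, so the AAA group names must match the `cn` values the LDAP search returns.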



