
NetScaler 13.1: AAA VServer as SP, Azure AD as IDP, using SAML2 for group extraction AKA wtf?



Hi,

I saw similar topics before but did not find an answer for this dedicated question:

We want to use AAA VServer as SAML SP. In fact we have this already running and it is working fine for authentication.

But now we want to add Group Extraction in a useful way.

I know the article that says we could use a policy expression to check the SAML header for Attributes.

But this is not a feasible way to go for us, as we also bind Intranet IP and Intranet Applications to the groups.

So we need the groups to be parsed to AAA Groups.

I know already that Azure AD hands over just the group object IDs instead of the group names, which is unfortunate, but we will probably deal with that (because there is no other option).

From my understanding there is no way of mapping the IDs to names in NetScaler itself (other appliances offer this nice function, but well..)

I noticed in 13.1 there is an additional field in the SAML Server Profile configuration, called Group Name Field, with the description "Name of the tag in assertion that contains user groups".

So I guess this is where I may put the name of the attribute from the assertion?
I am not sure about this, as I do not know whether the assertion tag and the assertion attribute name are the same?

Any ideas or examples?

Cheers

Mark


  • 3 weeks later...

We fixed this.
And if someone else has this issue:

  • It is possible to configure the group attribute in Azure to return the sAMAccountName instead of the group ID.
    • It is important to filter the groups for a dedicated prefix, as SAML would return all user groups, but there is a hard limit of 150 groups to return.
  • Using the Group Name Field in the SAML configuration with the SAML attribute name from Azure works.
    • NetScaler will then parse the groups from the SAML assertion and match them with its local groups, like it also does for LDAP or RADIUS.

Cheers

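To make the two posts concrete: the "tag" that NetScaler's Group Name Field refers to is the Name attribute of a <saml:Attribute> element, and each <saml:AttributeValue> under it becomes one group name that is matched against the appliance's local AAA groups. The script below is an added illustration, not code from the thread or from Citrix; it extracts group values from a constructed sample assertion the same way, applies the prefix filter the second post recommends, and flags when the number of values reaches the 150-group limit mentioned above. The claim name http://schemas.microsoft.com/ws/2008/06/identity/claims/groups is assumed to be the Azure AD default and must be checked against your own enterprise application; the group names and the local-group list are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed Azure AD default claim name for the groups attribute; verify it in
# the enterprise application's claims configuration before using it as the
# Group Name Field value.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Limit stated in the thread: Azure returns at most 150 groups in the assertion.
AZURE_GROUP_CLAIM_LIMIT = 150

# Constructed sample assertion fragment (not a real capture). The groups claim
# carries sAMAccountName values, plus an unrelated name claim to show that only
# the attribute named in Group Name Field is consulted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>mark@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>NS-VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>NS-Intranet-Finance</saml:AttributeValue>
      <saml:AttributeValue>All-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local AAA group names, standing in for `add aaa group` objects.
LOCAL_AAA_GROUPS = {"NS-VPN-Users", "NS-Intranet-Finance", "NS-Intranet-HR"}


def extract_groups(assertion_xml, group_name_field, prefix=None):
    """Return the AttributeValue texts of the Attribute whose Name equals
    group_name_field, optionally keeping only values with the given prefix."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != group_name_field:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text and (prefix is None or text.startswith(prefix)):
                groups.append(text)
    return groups


def possibly_truncated(groups):
    """True when the claim carries as many values as Azure's stated cap, i.e.
    group membership beyond the limit may be missing from the assertion."""
    return len(groups) >= AZURE_GROUP_CLAIM_LIMIT


def match_local_groups(groups, local_groups):
    """Mirror the appliance behaviour: only extracted names that exist as local
    AAA groups take effect; unknown names are ignored."""
    return sorted(g for g in groups if g in local_groups)


if __name__ == "__main__":
    extracted = extract_groups(SAMPLE_ASSERTION, GROUPS_CLAIM, prefix="NS-")
    print("extracted:", extracted)
    print("truncation risk:", possibly_truncated(extracted))
    print("effective AAA groups:", match_local_groups(extracted, LOCAL_AAA_GROUPS))
```

Without the prefix filter the function returns every value in the claim, which is exactly the situation the 150-group cap makes fragile; a wrong Group Name Field value (for example the object-ID variant of the claim, or a typo) silently yields no groups, so an empty result after a successful logon is the first thing to check.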
