Jump to content
Welcome to our new Citrix community!

Help with setting up nFactor for EULA > LDAP > Group Extraction > Azure MFA (if member of correct group)

Gordon Curry

Recommended Posts

Hi all


I am trying to setup nFactor for Gateway auth on NetScaler v13.0. The flow needs to be as follows:


1. EULA Accept

2. LDAP authentication

3. AD group extraction to determine the next factor

4. IF a member of a certain group then proceed to Azure MFA authentication

    IF NOT a member of the same group then authenticate


I have a working solution for EULA > LDAP but I can't work out the group extraction piece.


so far I have created the following config so I have EULA > LDAP > Group Extraction > Azure MFA (or not). With this setup I just get the EULA > LDAP and then it authenticates into StoreFront.


add authentication Policy mfa-enabled-auth-pol -rule AAA.USER.IS_MEMBER_OF("MFA_Enabled") -action NO_AUTHN

add authentication Policy mfa-notenabled-auth-pol -rule AAA.USER.IS_MEMBER_OF("MFA_Enabled").NOT -action NO_AUTHN

add authentication loginSchema GroupExtract -authenticationSchema noschema

add authentication policylabel GroupExtract-pl -loginSchema GroupExtract

bind authentication policylabel GroupExtract-pl -policyName mfa-enabled-auth-pol -priority 100 -gotoPriorityExpression NEXT -nextfactor azure-mfa-pl

bind authentication policylabel GroupExtract-desktop-mfa-pl -policyName mfa-notenabled-auth-pol -priority 110 -gotoPriorityExpression END


Searching the web for answers has just served to confuse things further so I'm hoping someone has setup nFactor in this way and can help with some idea where I'm going wrong.


Many thanks in advance.

Link to comment
Share on other sites

Good catch Carl, thank you. With that changed it looks like the group extraction is working.


For a user in the MFA_Enable group I get the EULA prompt followed by Username / Password and then it goes to Azure but this fails as I'm only on a test system and the domain isn't in Azure.

For a user not in the MFA_Enable group I also get the EULA prompt followed by LDAP and it then goes to the detect Citrix Workspace App page so it's on StoreFront.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...