Kai Thorsrud, posted October 9, 2023
SAML is End of Life in Azure, and furthermore all SAML authentication in Azure is ADAL, not MSAL. If you do ADAL auth you are missing out on a lot of the new security features such as new conditional access rules and so on. I started writing a Terraform CAG module / XenApp/XenDesktop module today and it was sad to see that there is still only SAML supported for CAG.
Kai Thorsrud (author), posted October 9, 2023
Just adding more information to this post to make it easier to understand how SAML = End of Life. It is not possible to get a SAML assertion with MSAL. ADAL is End of Life. Quote from the article below: "All Microsoft support and development for ADAL, including security fixes, ended on June 30, 2023." https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-migration
Kai Thorsrud (author), posted October 9, 2023
Even more urgent: "Warning: Azure Active Directory Authentication Library (ADAL) has been deprecated. While existing apps that use ADAL will continue to work, Microsoft will no longer release security fixes on ADAL. Use the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk."
Kai Thorsrud (author), posted October 20, 2023
Not easy to implement, I guess :D SAML assertions are flexible.
Morten Kallesøe, posted October 23, 2023
But since you cannot buy Standard anymore, is this "auto-fixed"? According to https://docs.netscaler.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html there is support for OAuth.
Kai Thorsrud (author), posted October 23, 2023
I have tried in the past to bind an auth profile to a CAG. The auth profile points to an AAA vServer with OAuth 2.x enabled, but it doesn't work as long as I use OAuth. Are there any other ways to bind an OAuth auth action to a VPN vServer / CAG / Citrix Access Gateway? Maybe I have overlooked some smart way to implement OAuth on a VPN vServer.
Morten Kallesøe, posted October 24, 2023
And NetScaler was Enterprise/Premium? What you describe should work.
Kai Thorsrud (author), posted October 24, 2023
I have never touched anything but Platinum. I know that OAuth IdP on CAG works; OAuth SP does not work, AFAIK. I will have to test again since I know "you know your shit" :D
Julian Jakob, posted October 25, 2023
Hello Kai, what exactly do you need? I'm using NetScaler as OAuth SP (connected to an F5 BIG-IP as IdP) and OAuth IdP (connected to a Keycloak as SP) at some of my customers' instances. You can't bind an OAuth policy directly to a VPN vServer, that's correct. You always have to use an auth profile, linked to an AAA vServer.
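As an added illustration of the binding chain Julian describes (OAuth SP policy bound to an AAA vServer, which the Gateway vServer reaches through an authentication profile), the NetScaler CLI fragment below is a constructed example and is not configuration posted by anyone in this thread. Every object name, address, URL, certificate and secret is a placeholder; the endpoint URLs, client ID, client secret and issuer come from whichever IdP issues the tokens.

```text
# Constructed NetScaler CLI example (not from this thread). All names, addresses,
# URLs and secrets are placeholders; substitute values from your own IdP tenant.

# 1. OAuth SP action: NetScaler is the OAuth 2.0 / OIDC relying party.
#    Issuer and audience pin the accepted tokens to this IdP and this client;
#    CertEndpoint is where the IdP's signing keys are fetched for signature checks.
add authentication OAuthAction oauth_act_idp -authorizationEndpoint "https://idp.example.com/authorize" -tokenEndpoint "https://idp.example.com/token" -clientID "REPLACE_CLIENT_ID" -clientSecret "REPLACE_CLIENT_SECRET" -CertEndpoint "https://idp.example.com/keys" -issuer "https://idp.example.com" -Audience "REPLACE_CLIENT_ID"

# 2. Advanced authentication policy wrapping the action.
add authentication Policy oauth_pol_idp -rule true -action oauth_act_idp

# 3. Non-addressable AAA vServer; the OAuth policy is bound here, never on the VPN vServer.
add authentication vserver aaa_vs_oauth SSL 0.0.0.0 0
bind ssl vserver aaa_vs_oauth -certkeyName REPLACE_CERTKEY
bind authentication vserver aaa_vs_oauth -policy oauth_pol_idp -priority 100 -gotoPriorityExpression NEXT

# 4. Authentication profile pointing at the AAA vServer, attached to the Gateway (VPN) vServer.
add authentication authnProfile authprof_oauth -authnVsName aaa_vs_oauth
set vpn vserver gw_vs -authnProfile authprof_oauth
```

Because the AAA vServer is non-addressable (0.0.0.0 port 0), users only ever connect to the Gateway address; the Gateway hands the nFactor flow to the AAA vServer through the profile, and the OAuth redirect to the IdP and the token validation happen there. How the resulting session is passed on to StoreFront is outside this fragment.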
Kai Thorsrud (author), posted October 26, 2023
This is great news, Julian. I use it with StoreFront + FAS. Do you utilize FAS as well in your setup?