Posted December 28, 2023

I have a - more or less - complex n-factor flow. Users first log on using the user name and the password. Depending on several circumstances, some users have to use a RADIUS-based 2nd factor.

Now, SSO to StoreFront works fine for all users that don't use a 2nd factor, while all users with 2FA fail. They use dedicated session policies, so I tried setting the 1st factor in this session policy. It didn't work. I also tried creating a traffic policy and forcing the 1st factor to be sent to the StoreFront server, but it failed as well.

If I add a 3rd factor, LDAP again, SSO works just fine. Unfortunately, users hate typing their passwords twice, so my "solution" is not what my boss likes. However, it helped me narrow down the issue: SSO always uses the last factor, even if I use a two-password login dialogue.

What can I do? Any idea on how to use a password of a previous factor?

Thanks in advance

Johannes
December 28, 2023

Edit the Login Schema. Click More. There's a checkbox for Enable Single Sign On Credentials.
December 28, 2023 (Author)

2 hours ago, Carl Stalhood said: Edit the Login Schema. Click More. There's a checkbox for Enable Single Sign On Credentials.

Thanks, Carl. It was not exactly what I was looking for, but it was helpful; I didn't know about these "hidden" attributes. This one would have been right if I used several dialogues. But it brought me to the right article: https://support.citrix.com/article/CTX219481/sso-fails-when-nfactor-is-used-adc. Using the "credential index" in a traffic policy solved my problem.