NetScaler nFactor flow for auth to on-prem AD, then Azure MFA conditional access

[Alex Booth]

Hi,

 

Edit: sorry - I posted this in the Citrix Cloud forum by accident - this is related to onprem. New post was made here: https://discussions.citrix.com/topic/419875-netscaler-nfactor-flow-for-auth-to-on-prem-ad-then-azure-mfa-conditional-access/

 

We're trying to get an nFactor flow configured which will authenticate against on-prem AD and then go to Azure for MFA with conditional access policies, with support for push notifications (with number matching), TOTP etc). There is no FAS or ADFS configured but SSO from NetScaler Gateway to Storefront/VDAs is required. This is only needed for external connections coming in through the Gateway VIP.

 

There is an article here which has a brief description of an example which seems exactly what we're looking for, but there's no details on how to achieve this that I can see? https://community.netscaler.com/s/article/NetScaler-Gateway-Microsoft-Azure-Part-1

 

 

Is there any info/examples on how to get this set up for browser and Workspace App logins which explain the the full nFactor flow configuration needed for this? From what I gather it needs to do something along the lines of:

 

1. Prompt for username and password (UPN or sAMAccountName) in the NS Gateway login UI

2. Store the user/pass securely (so it can be passed through to Storefront/VDAs)

3. Send user/pass to AAD (or redirect to Azure MFA UI?), Conditional Access policies can then check MFA requirement/registration and prompt the user for MFA with push notification/number matching and NetScaler will allow the login (or deny it if the user is not registered)

 

Thanks

 

Edited January 11 by Alex