NetScaler OAuth IDP Policy expressions

I have configured NetScaler as an OIDC IdP and am using the grant_type=password. To be able to get a token from /oauth/idp/token endpoint I need to include the following in my POST request body:

grant_type, username, password, client_id, client_secret, resource

I can see that I'm able to set the expression for my OAuth IDP Policy to limit from which IP the user can get the token (expr. CLIENT.IP.SRC.EQ(123.123.123.123)), but I'm not able to use expressions to allow only users in a specific group (expr. AAA.USER.IS_MEMBEROF("mygroup")) or a specific user name (expr. AAA.USER.NAME.EQ("myuser")) to explicitly allow tokens to be issued for only selected users.

Is there a way to limit the IDP Policies on a per-user basis? Eventually I will have several OAuth IDP Policies bound to this AAA vServer, and I can limit the users AAA vServer-wide using nFactor and LDAP policies, but not per OAuth IDP.

Edited by Kari Ruissalo

You would probably have to set up some form of nFactor to get the username first, run that through LDAP nFactor to get the group membership, then based on the group membership send them to OAuth for actual authentication. You would have 2 different OAuth policies with the necessary default group assignments to route traffic.


3 hours ago, Jeff Riechers said:

You would probably have to set up some form of nFactor to get the username first, run that through LDAP nFactor to get the group membership, then based on the group membership send them to OAuth for actual authentication. You would have 2 different OAuth policies with the necessary default group assignments to route traffic.

Thank you for your answer, but I think the nFactor path would apply for a case where the NetScaler would act as OAuth SP, but in this case it's acting as an IdP. Is it possible to bind OAuth IdP policies in nFactor Policy Labels? I didn't even think of that 🤔


12 hours ago, Kari Ruissalo said:

Thank you for your answer, but I think the nFactor path would apply for a case where the NetScaler would act as OAuth SP, but in this case it's acting as an IdP. Is it possible to bind OAuth IdP policies in nFactor Policy Labels? I didn't even think of that 🤔

What I can say is that NetScaler is aware of that "problem": at the moment, an OAuth IdP Policy has to be bound directly to an AAA vServer, and it is not possible to integrate it into an nFactor flow. This limits some authentication possibilities where NS is acting as IdP.

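Since the thread concludes that an OAuth IdP policy cannot be restricted per user or group at the NetScaler IdP (the AAA.USER.* expressions are not usable there), the remaining place to enforce "tokens for selected users only" is the resource server that consumes the token. The following is an added example, not code from the thread or from NetScaler: a minimal resource-server check in Python that verifies a bearer JWT and then applies a user/group allowlist. It assumes, for a self-contained demonstration, an HS256 token with a shared secret (a certificate-signed token from the IdP would be verified the same way with the IdP's public key), a hypothetical issuer URL and audience value, and that the token carries `sub` and `groups` claims; all of those are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; none of them come from the forum thread.
SHARED_SECRET = b"example-shared-secret-do-not-use"        # assumed HS256 secret
ISSUER = "https://netscaler.example.com/oauth/idp"          # hypothetical issuer
AUDIENCE = "my-api"                                         # hypothetical 'resource' value
ALLOWED_USERS = {"myuser"}                                  # per-user allowlist
ALLOWED_GROUPS = {"mygroup"}                                # per-group allowlist


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SHARED_SECRET):
    """Build an HS256 JWT. Only used here to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SHARED_SECRET, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Check algorithm, signature, issuer, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never trust the alg the token asks for
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def is_authorized(claims, allowed_users=ALLOWED_USERS, allowed_groups=ALLOWED_GROUPS):
    """Allow the request only for allowlisted subjects or members of allowlisted groups."""
    if claims.get("sub") in allowed_users:
        return True
    return bool(set(claims.get("groups", [])) & allowed_groups)


def sample_tokens(now=1_700_000_000):
    """Constructed sample tokens: two allowlisted principals and one outsider."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 300}
    return {
        "alice": make_token({**base, "sub": "alice", "groups": ["mygroup"]}),
        "myuser": make_token({**base, "sub": "myuser", "groups": []}),
        "mallory": make_token({**base, "sub": "mallory", "groups": ["other"]}),
    }


if __name__ == "__main__":
    for who, tok in sample_tokens().items():
        print(who, is_authorized(verify_token(tok, now=1_700_000_000)))
```

The order matters: the signature, issuer, audience and expiry are checked before any claim is consulted, so the allowlist decision is only ever made on claims the IdP actually signed. This does not replace the per-policy restriction the thread asks for (the IdP still issues a token to any authenticated user), but it keeps an unlisted user's token from being accepted by the protected API.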
