Ken Z Posted September 6

Hi Everyone

Got an on-prem NetScaler VM acting as a Citrix Gateway appliance, using SAML to authenticate to Azure. This works fine, but the users have password expiry enabled. Now I know how to enable password change if using Active Directory/LDAP for authentication, but can someone point me to any article on how to enable the NetScaler to allow users to change their password when using SAML talking to Azure?

Regards
Ken Z
Michael Adam Posted September 6

Hello @Ken Z,

you can do this in different ways. First of all: you do not authenticate the user on NetScaler, because you redirect to Azure for authentication. On Azure you should handle the password expiration and change. This is the preferred way.

If there are reasons why you cannot do that (password one-way sync / only hash sync), then you can realize this more elaborately with AAA nFactor. Create an AAA vServer and a first factor with username only. LDAP checks the username to see if the password is expired; then the user will be asked for the old password. Take care, that now the user can change the password without MFA! Here you can also do things to make it secure. After the user has changed the password, you trigger the SAML authentication to Azure. In case the user's password is not expired (the first nFactor check), then you can go directly to Azure.

Regards,
Michael
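The decision Michael's LDAP factor has to make (is this username's password expired, must it be changed, or can the user go straight to the SAML hop to Azure) depends on how Active Directory encodes pwdLastSet, maxPwdAge and userAccountControl. As an added example, not from the thread and not NetScaler configuration, the following Python evaluates those attributes exactly as an LDAP extraction would return them and maps the result to the next factor of the flow described above. The domain policy (90 days), the sample accounts and the factor names "password_change" and "saml_azure" are constructed for the example.

```python
"""Added example: the AD password-expiry decision behind an nFactor flow of
username-only first factor -> LDAP attribute lookup -> password change or
SAML to Azure. Not NetScaler code and not the poster's configuration; it
evaluates LDAP attribute values against constructed sample data."""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet and maxPwdAge as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# userAccountControl bit: UF_DONT_EXPIRE_PASSWD ("password never expires").
UF_DONT_EXPIRE_PASSWD = 0x10000
# maxPwdAge value that means the domain policy has no maximum password age.
NO_MAX_PWD_AGE = -(1 << 63)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    # Integer arithmetic keeps microsecond precision for large tick counts.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age: int, now: datetime) -> str:
    """Classify a password as must_change, never_expires, expired or valid.

    max_pwd_age is the domain's maxPwdAge: a negative tick count, or -2**63
    when the policy sets no maximum age.
    """
    if pwd_last_set == 0:
        return "must_change"          # "user must change password at next logon"
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never_expires"
    if max_pwd_age in (0, NO_MAX_PWD_AGE):
        return "never_expires"
    # maxPwdAge is negative, so subtracting it adds the age to pwdLastSet.
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return "expired" if now >= expires_at else "valid"


def next_factor(state: str) -> str:
    """Route to the password-change factor or straight on to the SAML factor."""
    return "password_change" if state in ("must_change", "expired") else "saml_azure"


# Constructed sample data: a 90-day domain policy and four accounts, shaped
# like an LDAP extraction of pwdLastSet / userAccountControl.
NOW = datetime(2024, 9, 6, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_90D = -(90 * 86400 * TICKS_PER_SECOND)
UF_NORMAL_ACCOUNT = 0x200
SAMPLE_USERS = {
    "alice":      {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
                   "userAccountControl": UF_NORMAL_ACCOUNT},
    "bob":        {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=120)),
                   "userAccountControl": UF_NORMAL_ACCOUNT},
    "carol":      {"pwdLastSet": 0, "userAccountControl": UF_NORMAL_ACCOUNT},
    "svc_backup": {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
                   "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
}


def route_user(username: str, now: datetime = NOW) -> tuple[str, str]:
    """Return (password state, next factor) for a sample user."""
    attrs = SAMPLE_USERS[username]
    state = password_state(attrs["pwdLastSet"], attrs["userAccountControl"],
                           MAX_PWD_AGE_90D, now)
    return state, next_factor(state)


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user, *route_user(user))
```

Two details matter when wiring this into the appliance: the never-expires cases (the userAccountControl bit and a maxPwdAge of -2**63) must short-circuit to the SAML factor or service accounts get stuck in the change loop, and the password-change factor itself requires the LDAP action to use LDAPS, since NetScaler only performs password changes over a secure LDAP connection.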
Ken Z Posted September 11 (Author)

Thanks Michael

The "powers that be" did not want to use the local AD servers (that was the way it was originally configured) but wanted only SAML authentication to Azure as the authentication mechanism (why, I don't know). I've been told that the AADConnect has been configured for two-way password syncing (i.e. a user can change their password in Azure/Office365 and it'll sync down to the local AD), so are you saying that if the password has expired and the NetScaler used Azure SAML, Azure should prompt for a password change before the number matching popup appears?

Regards
Ken Z