Joe Brozzetti1709154126 Posted December 2, 2016

Hi all,

Looking for some guidance using SAML with Storefront 3.7. Here is my scenario:

We have a working Unified Gateway (gateway.domain.com). I can log in with my sAMAccountName, which is what we want. I have a SAML policy bound to the UG that accepts the sAM and passes me over to our AAA. I am extracting Mail as Attribute 1 on the LDAP side. After the SAM logon completes, the VPN Choices page displays my email address as the logged-in user. That seems normal to me for a SAML login.

We have several 3rd party SAML sites that use email address to authenticate and are working fine. I have a SAML IDP configured on the UG for these sites using HTTP.REQ.USER.ATTRIBUTE(1), so it is passing the Mail attribute I configured on the AAA.

Storefront logon is failing. If I go to storefront.domain.local I can log in with SAM but not my email address, which I assume is expected? I am not quite sure how to integrate Storefront login with the UPN, if even possible. I used Carl's guide to install the Federated service offered in 3.7. I ran a trace, and in the /cgi/GetUserName call my email address is in the response. I configured the Netscaler Gateway in Storefront; I am using gateway.domain.com for the NS Gateway and Callback, which is the URL for the Unified Gateway.

Any help appreciated, I know it's tough in a vacuum. Thanks!
Joe Brozzetti1709154126 Posted December 2, 2016

First Error in Event Log:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.
The credentials supplied were; user: jbrozzetti@domain.com

Second Error:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.7.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()
System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
Url: https://127.0.0.1/Citrix/SAMLAuth/CitrixAGBasic/Authenticate
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
at System.Net.HttpWebRequest.GetResponse()
at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

Both occur when I click on Remote Apps from the VPN Choices page.
CarlStalhood Posted December 2, 2016

Did you configure StoreFront to fully delegate to NetScaler Gateway? Is the callback configured? Any errors regarding the callback?
Joe Brozzetti1709154126 Posted December 2, 2016

Carl,

My enabled auth methods are: Username/Password, SmartCard (we do not use; I was reading this is needed for this type of configuration), Pass-through NS Gateway. I clicked the Settings wheel on the Pass-through auth method and checked the box for Fully Delegate Credential. Now I see this error:

Access is denied. Contact your system administrator.
Citrix.DeliveryServices.Security.Authentication.Exceptions.MissingDomainException, Citrix.DeliveryServices.Security, Version=3.7.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856
The domain of the credential cannot be determined.
at Citrix.DeliveryServices.Security.Authentication.UserInfo.Parse(String username, String domain, String defaultDomain, String password, Nullable`1 passwordExpired)
at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.AuthenticateWithoutPassword(String username, String domain, AccessInfo accessInfo)
at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.Authenticate()
CarlStalhood Posted December 2, 2016

Does jbrozzetti@domain.com match the UPN suffix configured on the user's Account tab in AD?
Joe Brozzetti1709154126 Posted December 2, 2016

No. Unfortunately the email above is our mail attribute. The UPN is jbrozzetti@domain.local.
Joe Brozzetti1709154126 Posted December 2, 2016

Not sure if this matters, but when we log into the Gateway I have sAMAccountName for server logon, but I do not have anything configured for SSO Name Attribute. I have the mail attribute configured as an extraction. This is all on the LDAP part of the policy.
CarlStalhood Posted December 2, 2016

StoreFront uses the submitted email address to find a matching AD account. So the AD account's UPN must match the email address. You might have to add a UPN suffix to your domain and reconfigure (or add) accounts to match it.
Joe Brozzetti1709154126 Posted December 2, 2016

Do I need to do anything with KCD on the Netscaler for this to work?
CarlStalhood Posted December 2, 2016

No. StoreFront, FAS, and Microsoft Certificate Authority handle this, assuming there's an AD account with a UPN that matches the email address from the SAML token.
Joe Brozzetti1709154126 Posted December 2, 2016

Carl,

When I sign into my Gateway, it is configured with a SAML policy only. The SAML policy points back to my AAA SAMLIDP, which then connects to LDAP and sends me back to my GW. I have samAccountName as the Server Logon Name and UPN as the SSO Name Attribute. When I change the samAccountName to UPN (I have to log on with my email), then Citrix works. So I at least know that if I can get the UPN passed to Citrix instead of the sam it would work.

Is there another way to have Citrix use the UPN I am capturing, similar to how my SAML IDP uses HTTP.REQ.USER.ATTRIBUTE(1) to use the mail attribute I extracted when needed? Would I be able to use an SSO profile or something to look for "Citrix" in the URL and then use UPN? Or is the Gateway always going to use whatever the Server Logon Name is set to?

Thanks for all your guidance!
CarlStalhood Posted December 2, 2016

The LDAP Policy/Server has a Single Sign-on Name Attribute. You can also create a Traffic Policy to submit whatever attributes you want. http://www.carlstalhood.com/nfactor-authentication-for-netscaler-gateway-11-1/#nfactorsson
Joe Brozzetti1709154126 Posted December 3, 2016

Carl, that is exactly what I needed. The traffic policy with SSO User Expression HTTP.REQ.USER.ATTRIBUTE(2) worked for me. Many thanks.

*For anyone else that runs into this, I used userPrincipalName as Attribute 2 in my LDAP and SAML IDP attribute extraction.*
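The configuration the thread converges on (LDAP action extracting mail and userPrincipalName as separate attributes, plus a traffic policy whose SSO user expression hands StoreFront the UPN rather than the logon name) written out as NetScaler CLI. This is an added example, not either poster's actual configuration or anything from Carl's article; the object names, the LDAP server address, the base DN, the bind account and the gateway vServer name are all assumed placeholders, and the traffic policy rule (matching the /Citrix/ path) is one assumed way of scoping the policy to StoreFront traffic.

```text
# Added example, not the poster's configuration. Placeholders: 10.0.0.10, domain.local,
# svc_ldap, gateway_vs and all object names are assumed values.

# LDAP action: users still log on with sAMAccountName. Attribute1 = mail (consumed by the
# SAML IdP profile as HTTP.REQ.USER.ATTRIBUTE(1)); Attribute2 = userPrincipalName (consumed
# by the StoreFront traffic policy). StoreFront with FAS needs a name whose suffix matches
# an AD UPN suffix, so the UPN, not the mail address, is what must reach it.
add authentication ldapAction ldap_act_corp -serverIP 10.0.0.10 -serverPort 636 -secType SSL \
    -ldapBase "DC=domain,DC=local" \
    -ldapBindDn "svc_ldap@domain.local" -ldapBindDnPassword <bind-password-placeholder> \
    -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName \
    -groupAttrName memberOf -subAttributeName cn \
    -Attribute1 mail -Attribute2 userPrincipalName
add authentication ldapPolicy ldap_pol_corp ns_true ldap_act_corp

# Traffic action: single sign-on enabled, username taken from extracted Attribute2 (the UPN)
# instead of the name the user typed at the logon page.
add vpn trafficAction ta_storefront_sso http -SSO ON -userExpression "HTTP.REQ.USER.ATTRIBUTE(2)"

# Traffic policy: apply the SSO action only to StoreFront requests, so the SAML sites that
# expect the mail attribute are unaffected. The path filter is an assumed scoping rule.
add vpn trafficPolicy tp_storefront_sso \
    "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/\")" ta_storefront_sso

# Bind to the gateway vServer that fronts StoreFront.
bind vpn vserver gateway_vs -policy tp_storefront_sso -priority 100
```

Two points worth checking after applying something like this: the poster notes that the same attribute also had to be extracted on the SAML IdP side, so whichever index holds userPrincipalName must line up between the LDAP action and the IdP profile; and on newer firmware the later post in this thread reports that the HTTP.REQ.USER expressions are deprecated in favour of the AAA.USER form, so the user expression would be written as AAA.USER.ATTRIBUTE(2) there.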
Kari Ruissalo Posted October 2, 2019

We're experiencing a similar issue, but using Google as the IdP. We have configured the OAuth and the GW login itself works. If we enable client choices we can see the user's email address as the logged-in user in the top-right corner (user@company.com). However, our users' UPN is different from the mail attribute (user@company.local), so I think the OAuth part is working ok.

We are using an AAA vServer for the authentication (we need OAuth and nFactor). If we do an nFactor where we have a no-label LDAP extract configured that has "mail" as the login name attribute, I can see in the aaad.debug that the user can be found. In this policy I have configured the userPrincipalName to be stored in Attribute1 and sAMAccountName in Attribute2. If we configure a Traffic policy where the SSO User Expression is HTTP.REQ.USER.ATTRIBUTE(1) we get a similar event log error message:

Access is denied. Contact your system administrator.
Citrix.DeliveryServices.Security.Authentication.Exceptions.MissingDomainException, Citrix.DeliveryServices.Security, Version=3.11.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856
The domain of the credential cannot be determined.
at Citrix.DeliveryServices.Security.Authentication.UserInfo.Parse(String username, String domain, String defaultDomain, String password, Nullable`1 passwordExpired)
at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.AuthenticateWithoutPassword(String username, String domain, AccessInfo accessInfo)
at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.Authenticate()

We have also tried the AAA.USER expression, as the old ones are deprecated, but it didn't help. We also tried to configure the attribute 1 in the login schema (no label), but it doesn't seem to have any effect here.

We're running ADC 12.1-50.28 and SF 3.11.