Netscaler 11.1 Unified Gateway - Storefront 3.7 - SAML

Hi all,

Looking for some guidance using SAML with StoreFront 3.7.

Here is my scenario:

We have a working Unified Gateway (gateway.domain.com). I can log in with my sAMAccountName, which is what we want. I have a SAML policy bound to the UG that accepts the SAM and passes me over to our AAA. I am extracting mail as Attribute 1 on the LDAP side. After the SAM logon completes, the VPN Choices page displays my email address as the logged-in user. That seems normal to me for a SAML login.

We have several 3rd-party SAML sites that use the email address to authenticate, and they are working fine. I have a SAML IdP configured on the UG for these sites using HTTP.REQ.USER.ATTRIBUTE(1), so it is passing the mail attribute I configured on the AAA.

StoreFront logon is failing. If I go to storefront.domain.local I can log in with SAM but not with my email address, which I assume is expected?

I am not quite sure how to integrate StoreFront login with the UPN, if that is even possible. I used Carl's guide to install the Federated service offered in 3.7.

I ran a trace, and in the /cgi/GetUserName call my email address is in the response.

I configured the NetScaler Gateway in StoreFront; I am using gateway.domain.com for both the NS Gateway URL and the Callback, which is the URL for the Unified Gateway.

Any help appreciated, I know it's tough in a vacuum. Thanks!

First Error in Event Log:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: Failed.

The credentials supplied were;
user: jbrozzetti@domain.com

Second Error:

A CitrixAGBasic Login request has failed.
Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=3.7.0.0, Culture=neutral, PublicKeyToken=null
Authenticate encountered an exception.
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)
   at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()

System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The remote server returned an error: (403) Forbidden.
ExceptionStatus: ProtocolError
ResponseStatus: Forbidden
   at System.Net.HttpWebRequest.GetResponse()
   at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)
   at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders)
   at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied)

Both occur when I click on Remote Apps from the VPN Choices page.

Carl,

My enabled auth methods are: Username/Password, Smart Card (we do not use it; I was reading this is needed for this type of configuration), and Pass-through from NS Gateway. I clicked the settings wheel on the Pass-through auth method and checked the box for Fully Delegate Credential.

Now I see this error:

Access is denied. Contact your system administrator.
Citrix.DeliveryServices.Security.Authentication.Exceptions.MissingDomainException, Citrix.DeliveryServices.Security, Version=3.7.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856
The domain of the credential cannot be determined.
   at Citrix.DeliveryServices.Security.Authentication.UserInfo.Parse(String username, String domain, String defaultDomain, String password, Nullable`1 passwordExpired)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.AuthenticateWithoutPassword(String username, String domain, AccessInfo accessInfo)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.Authenticate()

Carl,

When I sign into my Gateway, it is configured with a SAML policy only. The SAML policy points back to my AAA SAML IdP, which then connects to LDAP and sends me back to my GW. I have sAMAccountName as the Server Logon Name and UPN as the SSO Name Attribute.

When I change the sAMAccountName to UPN (I then have to log on with my email), Citrix works. So at least I know that if I can get the UPN passed to Citrix instead of the SAM, it would work.

Is there another way to have Citrix use the UPN I am capturing, similar to how my SAML IdP uses HTTP.REQ.USER.ATTRIBUTE(1) to use the mail attribute I extracted when needed? Would I be able to use an SSO profile or something to look for "Citrix" in the URL and then use the UPN?

Or is the Gateway always going to use whatever the Server Logon Name is set to?

Thanks for all your guidance!

  • 2 years later...

We're experiencing a similar issue, but using Google as the IdP. We have configured OAuth, and the GW login itself works.

If we enable client choices we can see the user's email address as the logged-in user in the top-right corner (user@company.com). However, our users' UPN is different from the mail attribute (user@company.local), so I think the OAuth part is working OK.

We are using an AAA vServer for the authentication (we need OAuth and nFactor).

If we do an nFactor flow where we have a no-label LDAP extract configured that has "mail" as the login name attribute, I can see in aaad.debug that the user can be found. In this policy I have configured userPrincipalName to be stored in Attribute1 and sAMAccountName in Attribute2.

If we configure a traffic policy where the SSO User Expression is HTTP.REQ.USER.ATTRIBUTE(1), we get a similar event log error message:

Access is denied. Contact your system administrator.
Citrix.DeliveryServices.Security.Authentication.Exceptions.MissingDomainException, Citrix.DeliveryServices.Security, Version=3.11.0.0, Culture=neutral, PublicKeyToken=e8b77d454fa2a856
The domain of the credential cannot be determined.
   at Citrix.DeliveryServices.Security.Authentication.UserInfo.Parse(String username, String domain, String defaultDomain, String password, Nullable`1 passwordExpired)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.AuthenticateWithoutPassword(String username, String domain, AccessInfo accessInfo)
   at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Controllers.CitrixAGBasicController.Authenticate()

We have also tried the AAA.USER expression, as the old ones are deprecated, but it didn't help. We also tried to configure Attribute 1 in the login schema (no label), but it doesn't seem to have any effect here.

We're running ADC 12.1-50.28 and SF 3.11.
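Editor's note, not part of either post: the configuration the two posters describe (an LDAP extraction factor that looks the user up by mail and stores userPrincipalName and sAMAccountName in Attribute1/Attribute2, plus a Gateway traffic policy whose SSO user expression hands Attribute1 to StoreFront) rendered as NetScaler CLI so the individual pieces are explicit. Object names, IP addresses, the LDAP bind account, the StoreFront hostname and the pre-existing Google OAuth policy (AuthPol_OAuth_Google) are placeholders, and the `#` lines are annotations rather than CLI. Two caveats from the thread itself: the second poster reports that this exact traffic-policy approach still produced MissingDomainException on StoreFront 3.11, and both stack traces show CitrixAGBasicController.AuthenticateWithoutPassword calling UserInfo.Parse, i.e. the fully-delegated path where StoreFront has only the username from which to determine the domain. The first poster's observation that UPN as the SSO name works while the mail address does not is consistent with that: the value delivered to StoreFront has to be a name whose domain StoreFront can resolve.

```text
# --- Factor 2: no-schema LDAP extraction, user located by mail ---
# -authentication DISABLED: lookup only, no password check (OAuth already authenticated the user)
# -ssoNameAttribute and -Attribute1 both carry the UPN; -Attribute2 keeps sAMAccountName for reference
add authentication ldapAction LDAP_Extract_ByMail -serverIP 10.0.0.10 -serverPort 636 -secType SSL \
    -ldapBase "dc=company,dc=local" -ldapBindDn "svc_ldap@company.local" -ldapBindDnPassword "<secret>" \
    -ldapLoginName mail -groupAttrName memberOf -subAttributeName cn \
    -ssoNameAttribute userPrincipalName -authentication DISABLED \
    -Attribute1 userPrincipalName -Attribute2 sAMAccountName

add authentication Policy AuthPol_LDAP_Extract -rule true -action LDAP_Extract_ByMail

# LSCHEMA_INT is the built-in no-schema login schema: the factor runs without prompting
add authentication policylabel PL_LDAP_Extract -loginSchema LSCHEMA_INT
bind authentication policylabel PL_LDAP_Extract -policyName AuthPol_LDAP_Extract \
    -priority 100 -gotoPriorityExpression END

# --- Factor 1: the existing Google OAuth policy, chained into the LDAP extraction ---
bind authentication vserver AAA_VS -policy AuthPol_OAuth_Google -priority 100 \
    -nextFactor PL_LDAP_Extract -gotoPriorityExpression NEXT

# --- Gateway traffic policy: SSO user name for StoreFront taken from Attribute1 (the UPN) ---
# No -passwdExpression: there is no password in an OAuth/SAML session, so this is the
# credential-less (fully delegated) path StoreFront handles in AuthenticateWithoutPassword
add vpn trafficAction TA_SSO_UPN http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(1)"
add vpn trafficPolicy TP_SSO_StoreFront "HTTP.REQ.HOSTNAME.EQ(\"storefront.domain.local\")" TA_SSO_UPN
bind vpn vserver UG_VS -policy TP_SSO_StoreFront -priority 100

# --- Checks ---
# Confirm the extraction factor found the user and populated the attributes
shell
cat /tmp/aaad.debug
exit
# Confirm the Gateway session is tied to the expected user after login
show aaa session
```

The `show aaa session` and aaad.debug output tell you what the ADC thinks the user is; they do not tell you what StoreFront received. For that, the StoreFront event log entries quoted in the posts are the place to look, and the username printed in the "credentials supplied" line is the value to compare against a UPN or DOMAIN\sAMAccountName that the StoreFront server can resolve.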
