netscaler nfactor SAML + EPA

[Aleksandar Popovic1709154801]

Hi all,

Netscaler gateway wersion  12.1

 

License ADC VPX 1000 platinum

 

Gateway Vserver configured in “smart” mode. ICA Only not selected . Session profile configured in ICA Proxy ON

 

AAA vserver configured without ip address. One authentication policy defined

Authentication policy has two factors. EPA scan without schema and SAML without schema

 

For SAML policy expression is set to TRUE and action is set to SAML server connected to Azure. Goto expression is next and next nfactor is set

 

For EPA that is next factor, policy expression is set to TRU and action is set to SCAN if OS is WIN 10. Goto expression is END

 

When authentication profile is set in Gateway Vserver, firs factor (SAML) is executed and after that process starts to LOOP and second factor is never executed (just looping)

 

If order of policies is changed in authentication policy in Authentication Vserver, and EPA is first factor (same scan only goto expression is now NEXT) and SAM second, EPA scan is executed as expected and second factor is activated. After entering credentials error is displayed

 

"Sorry, but we're having trouble signing you in

AADSTS7500525: There was an XML error in the SAML message at line 1, position 687. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications"

 

If SAML is set only, all is working expected.

 

If we test nFactor with LDAP and EPA (singlefactor schema is used for LDAP policy) all is working as expected.

 

how can i examine if something is added to XML file by netscaler?

 

thank you 

[Siddhartha Sarmah]

Known issue - #NSHELP-2137, fixed in 12.1.50.31 onward

https://docs.citrix.com/en-us/citrix-adc/downloads/release-notes-12-1-50-31.html