Julian Jakob, posted January 10, 2022:
Hello, I'm using an nFactor config for extracting different UPNs on ADC (SAML SP) to send to different Azure ADs (SAML IdP). The config is like this one: https://nerdscaler.com/2017/05/06/netscaler-gateway-saml-multiple-idps-nfactor/ The user enters their E-Mail (UPN) on ADC and gets redirected to the fitting Azure AD. Now there's the "problem": the user has to enter their E-Mail (UPN) again. Is it possible to transfer / send the E-Mail entered on ADC to the Azure AD logon page? I tried to use extracted attributes, but I think Azure is ignoring this. Maybe a modification on Azure AD's part? First step: [screenshot] Second step: [screenshot] Thanks and best regards, Julian
Johannes Norz, posted January 10, 2022:
Sure, Julian. It has to work. I am currently not able to give it a try, but did you try to use UPN as an SSO attribute in your authentication policy? Cheers, Johannes
Julian Jakob (author), posted January 13, 2022:
Hey Johannes, in the SAML (SP) auth policy there is no SSO attribute, as authentication is happening on the IdP (Azure AD). I think in any case I have to send the UPN and Azure AD has to paste this attribute into the logon page, but I don't know where these options are. Regards, Julian
Anthony Curtis1709161499, posted March 1, 2022:
I'm looking to do the same thing, did you ever find a solution to this? Thanks!
Jacob Dixon1709152413, posted March 24, 2022:
On 1/10/2022 at 4:25 AM, Julian Jakob said:
> Hello, I'm using an nFactor config for extracting different UPNs on ADC (SAML SP) to send to different Azure ADs (SAML IdP). The config is like this one: https://nerdscaler.com/2017/05/06/netscaler-gateway-saml-multiple-idps-nfactor/ The user enters their E-Mail (UPN) on ADC and gets redirected to the fitting Azure AD. Now there's the "problem": the user has to enter their E-Mail (UPN) again. Is it possible to transfer / send the E-Mail entered on ADC to the Azure AD logon page? I tried to use extracted attributes, but I think Azure is ignoring this. Maybe a modification on Azure AD's part?
Did you ever get this working? I opened a ticket but am still looking for an answer.
Julian Jakob (author), posted March 30, 2022:
Not solved yet. I opened a case at Microsoft and am hoping for a clear statement on whether the prefilled attributes for different AAD tenants on login.microsoftonline.com are customizable - or not.
Jacob Dixon1709152413, posted March 30, 2022:
18 minutes ago, Julian Jakob said:
> Not solved yet. I opened a case at Microsoft and am hoping for a clear statement on whether the prefilled attributes for different AAD tenants on login.microsoftonline.com are customizable - or not.
I opened a case with Citrix and I hope they can support passing a query string parameter or something. We use Deepnet Security and they did mention something about Azure and passing query strings to prefill the username on their portal, but I didn't ask much more. I will try to get more details when I talk to them again (hopefully today).
CarlStalhood, posted March 30, 2022:
Maybe this: "Don't include a Subject element. Azure AD doesn't support specifying a subject for a request and will return an error if one is provided." https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
Johannes Norz, posted August 21, 2022:
I just tried to extract the attribute userPrincipalName from LDAP and put it into the SAML assertion:

add authentication ldapAction act_ldap -serverName 10.255.255.1 <...> -Attribute1 userPrincipalName

Next I have to send it along with the SAML assertion:

add authentication samlIdPProfile SAML_IDP_profile <...> -Attribute1 UPN -Attribute1Expr "AAA.USER.ATTRIBUTE(1)"

(attributes in the AAA.USER.ATTRIBUTE array align with the numbers used in the GUI, as there is a non-numbered attribute as well)

That way, there is an attribute called UPN containing the user name in the form name@domain in the SAML IdP assertion. You could also send any attribute you like with the SAML IdP assertion.
Thomas Klein, posted January 1, 2023:
Hello, I want to achieve the same goal as @Julian Jakob. The first step is the same as described: a Login Schema with a single box for the E-Mail, and an authentication policy with an LDAP action doing group extraction (LDAP authentication disabled). The next step in nFactor is the SAML action (SAML SP, NOT IdP), redirecting to the O365 login form, which should be prefilled with the UPN (extracted from group enumeration) and go straight to the O365 password form. So I'm afraid I do not understand the hint of @Johannes Norz correctly - in this case I do not use a SAML IdP on the NetScaler - or am I forced to configure a SAML IdP on the NetScaler to get this working? Perhaps you can clarify your thought on the SAML IdP a little bit more? Thanks & best regards, Thomas
Johannes Norz, posted January 16, 2023:
On 1/1/2023 at 10:38 PM, Thomas Klein said:
> So I'm afraid I do not understand the hint of @Johannes Norz correctly - in this case I do not use a SAML IdP on the NetScaler - or am I forced to configure a SAML IdP on the NetScaler to get this working? Perhaps you can clarify your thought on the SAML IdP a little bit more? Thanks & best regards, Thomas
Thomas, it takes two sides to get an attribute: the SP has to request it, the IdP has to deliver it. So you'll have to set up the SP on your NetScaler to request this attribute. At the same time, the IdP has to know how to retrieve this attribute and has to be willing to send it along with its assertion. This might be true, or not, depending on the solution, and I can't answer your question, as I don't know your IdP. My answer had covered the IdP side on a NetScaler (I didn't get that it's not a NetScaler). For the SP side, requesting the attribute is done in the More section. Sure, it's easy if you own both sides, and both sides are NetScalers. It may turn out to be tricky if you don't control the IdP.
Julian Jakob (author), posted March 30, 2023:
I had to dive into this and finally was able to get this to work. It's not possible with SAML, as Azure AD isn't supporting the login_hint. It's working fine when switching to OAuth. Here are the config details, hope this helps! https://www.julianjakob.com/citrix-netscaler-oauth-to-azure-ad-with-login_hint-subject-field/
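As an added illustration of the OAuth route the thread ends on (this is example code, not part of the thread or of Julian's blog post, and it uses the Microsoft identity platform's documented login_hint and domain_hint authorize parameters): the UPN typed into the first nFactor factor is validated, mapped to its tenant through an allow-list, and carried into the /oauth2/v2.0/authorize redirect so the user is not asked for it again. Tenant ids, client ids and the redirect URI are constructed placeholders.

```python
"""Route a user-entered UPN to its Azure AD tenant and build an OIDC
authorize URL that pre-fills the username via login_hint.

Added example; tenant/client ids and redirect URI are constructed."""
import re
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed allow-list: UPN domain -> (tenant id, client id).
# Unknown domains are rejected instead of falling back to a default tenant,
# so an attacker-chosen domain cannot steer the redirect.
TENANTS = {
    "contoso.example": ("11111111-1111-1111-1111-111111111111",
                        "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
    "fabrikam.example": ("22222222-2222-2222-2222-222222222222",
                         "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"),
}
REDIRECT_URI = "https://gateway.example/oauth/login"  # constructed

# Conservative UPN shape: local part, '@', dotted domain with a TLD.
UPN_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def route_upn(upn: str) -> Optional[Tuple[str, str, str]]:
    """Return (domain, tenant_id, client_id) for a valid, onboarded UPN."""
    m = UPN_RE.match(upn.strip())
    if not m:
        return None
    domain = m.group(1).lower()
    if domain not in TENANTS:
        return None
    tenant_id, client_id = TENANTS[domain]
    return domain, tenant_id, client_id


def build_authorize_url(upn: str, state: Optional[str] = None,
                        nonce: Optional[str] = None) -> str:
    """Build the tenant-specific authorize URL carrying the UPN as a hint."""
    route = route_upn(upn)
    if route is None:
        raise ValueError("UPN not valid or domain not onboarded")
    domain, tenant_id, client_id = route
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(24),   # CSRF binding
        "nonce": nonce or secrets.token_urlsafe(24),   # ID-token replay check
        "login_hint": upn.strip(),   # pre-fills the username box
        "domain_hint": domain,       # skips home-realm discovery
    }
    return (f"https://login.microsoftonline.com/{tenant_id}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")
```

The same domain-to-tenant mapping is what the nFactor policies in the linked nerdscaler config select on; here it doubles as the allow-list that keeps the hint from being sent anywhere but an onboarded tenant.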
Thomas Klein1709152845, posted June 5, 2023:
Perfect. Works exactly as I initially wanted. Many thanks, Julian!