Send UPN prefilled from ADC (SAML SP) to Azure AD (SAML IdP)


Julian Jakob

Hello,

 

I'm using an nFactor config for extracting different UPNs on the ADC (SAML SP) to send to different Azure ADs (SAML IdP). The config is like this one: https://nerdscaler.com/2017/05/06/netscaler-gateway-saml-multiple-idps-nfactor/

 

Users enter their e-mail (UPN) on the ADC and get redirected to the matching Azure AD. Now there's the "problem": the user has to enter their e-mail (UPN) again. Is it possible to transfer / send the e-mail entered on the ADC to Azure AD's logon page? I tried to use extracted attributes, but I think Azure is ignoring them. Maybe a modification on Azure AD's side?

 

First step: [screenshot]

Second step: [screenshot]

Thanks and best Regards

Julian


Hey Johannes, in the SAML (SP) auth policy there is no SSO attribute, as authentication happens on the IdP (Azure AD). I think in any case I have to send the UPN and Azure AD has to paste this attribute into the logon page, but I don't know where these options are.

 

Regards

Julian

On 1/10/2022 at 4:25 AM, Julian Jakob said:

Hello,

 

I'm using an nFactor config for extracting different UPNs on the ADC (SAML SP) to send to different Azure ADs (SAML IdP). The config is like this one: https://nerdscaler.com/2017/05/06/netscaler-gateway-saml-multiple-idps-nfactor/

 

Users enter their e-mail (UPN) on the ADC and get redirected to the matching Azure AD. Now there's the "problem": the user has to enter their e-mail (UPN) again. Is it possible to transfer / send the e-mail entered on the ADC to Azure AD's logon page? I tried to use extracted attributes, but I think Azure is ignoring them. Maybe a modification on Azure AD's side?

 

Did you ever get this working? I opened a ticket but am still looking for an answer.


18 minutes ago, Julian Jakob said:

Not solved yet; I opened a case at Microsoft and am hoping for a clear statement on whether the prefilled attributes for different AAD tenants on login.microsoftonline.com are customizable - or not.

 

I opened a case with Citrix, and I hope they can support passing a query string parameter or something. We use Deepnet Security, and they did mention something about Azure and passing query strings to prefill the username on their portal, but I didn't ask much more. I will try to get more details when I talk to them again (hopefully today).


I just tried to extract the attribute userPrincipalName from LDAP and put it into the SAML assertion:
 

add authentication ldapAction act_ldap -serverName 10.255.255.1 <...> -Attribute1 userPrincipalName

 

Next I have to send it along with the SAML assertion:

add authentication samlIdPProfile SAML_IDP_profile <...>  -Attribute1 UPN -Attribute1Expr "AAA.USER.ATTRIBUTE(1)"

 

(attributes in the AAA.USER.ATTRIBUTE array align with the numbers used in the GUI, as there is a non-numbered attribute as well)

 

That way, there is an attribute called UPN containing the user name in the form name@domain in the SAML IdP assertion. You could also send any attribute you like with the SAML IdP assertion.


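As an added example that is not part of this thread and not NetScaler code: a small Python script that builds a minimal SAML 2.0 assertion carrying the UPN attribute described above (the IdP side) and shows how the receiving SP reads and validates that attribute. The issuer URL and attribute values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Conservative name@domain check for the UPN value; rejects empty parts and whitespace.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_assertion(issuer, attributes):
    """Return a minimal, unsigned SAML assertion (constructed, for demonstration only).

    attributes: dict of attribute Name -> list of string values, mirroring the
    -Attribute1 UPN / -Attribute1Expr mapping from the post above.
    """
    attrs = []
    for name, values in attributes.items():
        safe_name = escape(name, {'"': "&quot;"})
        vals = "".join(
            f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values
        )
        attrs.append(f'<saml:Attribute Name="{safe_name}">{vals}</saml:Attribute>')
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:AttributeStatement>{''.join(attrs)}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def saml_attributes(assertion_xml):
    """Return {Name: [values]} from the assertion's AttributeStatement."""
    # Signature verification (and a hardened parser such as defusedxml) must run
    # before anything here is trusted; this only shows the attribute layout.
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def extract_upn(assertion_xml, attr_name="UPN"):
    """Return the single name@domain value of attr_name, or None if absent or malformed."""
    values = saml_attributes(assertion_xml).get(attr_name, [])
    if len(values) != 1 or not UPN_RE.match(values[0]):
        return None
    return values[0]


if __name__ == "__main__":
    demo = build_assertion("https://adc.example.com/saml/idp", {"UPN": ["jdoe@example.com"]})
    print(extract_upn(demo))  # jdoe@example.com
```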

Hello,

I want to achieve the same goal as @Julian Jakob.

The first step is the same as described: a login schema with a single box for the e-mail, and an authentication policy that is an LDAP action with group extraction (LDAP authentication disabled).

The next step in nFactor is the SAML action (SAML SP, NOT IdP), redirecting to the O365 login form, which should be prefilled with the UPN (extracted from group enumeration) and go straight to the O365 password form.

 

So I'm afraid I do not understand the hint of @Johannes Norz correctly - in this case I do not use a SAML IdP on the NetScaler - or am I forced to configure a SAML IdP on the NetScaler to get this working? Perhaps you can clarify your thought on the SAML IdP a little bit more?

 

Thanks & best regards

Thomas

On 1/1/2023 at 10:38 PM, Thomas Klein said:

So I'm afraid I do not understand the hint of @Johannes Norz correctly - in this case I do not use a SAML IdP on the NetScaler - or am I forced to configure a SAML IdP on the NetScaler to get this working? Perhaps you can clarify your thought on the SAML IdP a little bit more?

 

Thanks & best regards

Thomas

Thomas,

 

It takes two sides to get an attribute: the SP has to request it, and the IDP has to deliver it. So you'll have to set up the SP on your NetScaler to request this attribute. At the same time, the IDP has to know how to retrieve this attribute and has to be willing to send it along with its assertion. This might be true, or not, depending on the solution, and I can't answer your question, as I don't know your IDP.

 

My answer had covered the IDP side on a NetScaler (I didn't get that it's not a NetScaler). For the SP side, requesting the attribute is done in the > More section.

Sure, it's easy if you own both sides and both sides are NetScalers. It may turn out to be tricky if you don't control the IDP.
