
Citrix Gateway with Azure SAML and login_hint parameter


Robert Trasatti


I have the Citrix Gateway configured with an AAATM authentication server and nFactor authentication. The AAATM is configured to prompt the user for their email address, and then nFactor makes a decision about how to authenticate the user. Some users authenticate with the DUO RADIUS Proxy, while others authenticate using Microsoft Azure and SAML. Everything is working as expected: the Citrix Gateway prompts the user for their email address, makes a decision about how to authenticate them and, in the case of the Azure users, redirects them to the Microsoft Azure Enterprise App. They authenticate, answer the second-factor challenge, and Azure redirects them back to the ADC, which directs them to the proper StoreFront store (which supports Citrix FAS) to present the user with their published applications.

The problem I am having is figuring out a way to add a parameter to the redirection URL being returned to the user by the Citrix ADC. I would like it to add the login_hint=<emailaddress> parameter so the user does not need to type their username twice. I have hard-coded this into the redirection URL of the SAML action to test it, and it allows the user to bypass the user prompt at the Azure login and go straight to the password prompt.

I have tried adding a Rewrite action and policy to the response object from the Citrix Gateway, but this never fires. I can see that when the user clicks Submit on the page where they enter their email address, the browser POSTs to /nf/auth/doAuthentication.do; this redirects to /nf/auth/doSaml?act=<SAML ACTION NAME> and performs a GET. The GET returns an HTML page that does an automatic submit on page load, and the form action contains the login.microsoft.com URL for the Azure tenant along with the SAML request. If I could rewrite the HTML page returned by the ADC, I should be able to add the parameter value to the redirection URL in the HTML body. I'm just not sure how to configure the rewrite rule or where to apply it. Should it be on the Citrix Gateway or the AAATM virtual server? Any help or guidance would be appreciated.

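The transformation the original poster tested by hand (adding login_hint to the action URL of the auto-submit form that /nf/auth/doSaml returns), written out as an added example that is not part of the post and is not Citrix code. Later replies say the ADC's Rewrite engine never sees this response, so where it could run is a separate question; what the example shows is the part that matters wherever it runs: the hint is an unauthenticated user's input reflected into a URL inside an HTML attribute, so it must be allow-listed and encoded, and the SAMLRequest/RelayState fields must not be disturbed. The HTML page, tenant id and IdP host below are constructed stand-ins, not captured from a real gateway.

```python
"""Add an Azure login_hint to the auto-submit SAML POST form returned by
/nf/auth/doSaml. Added example; the page, tenant id and endpoint are stand-ins."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Allow-list for the hint. It originates from the nFactor username prompt, i.e.
# from an unauthenticated user, and is reflected into a URL inside an HTML
# attribute, so anything that is not a plain e-mail address is rejected.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}$")

# The only host we are willing to decorate (assumed Azure AD SAML endpoint host).
_IDP_HOST = "login.microsoftonline.com"

# Constructed stand-in for the page the ADC returns: the real one carries a long
# base64 SAMLRequest and the ADC's own markup, but the shape is the same.
SAMPLE_DOSAML_PAGE = (
    '<html><body onload="document.forms[0].submit()">\n'
    '<form method="POST" action="https://login.microsoftonline.com/'
    '00000000-0000-0000-0000-000000000000/saml2">\n'
    '<input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCAvPg=="/>\n'
    '<input type="hidden" name="RelayState" value="https://gateway.example.com/nf/auth/done"/>\n'
    '</form></body></html>\n'
)


def is_valid_hint(email):
    """True if the e-mail address is safe to reflect into the redirect URL."""
    return bool(_EMAIL_RE.match(email))


class _FormActionFinder(HTMLParser):
    """Records the action attribute of the first <form> in the page."""

    def __init__(self):
        super().__init__()
        self.action = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.action is None:
            self.action = dict(attrs).get("action")


def form_action(page):
    """The (HTML-unescaped) action URL of the first form, or None."""
    finder = _FormActionFinder()
    finder.feed(page)
    return finder.action


def add_login_hint(page, email):
    """Return the page with login_hint=<email> added to the form's action URL.

    Only the action attribute is touched; SAMLRequest and RelayState stay as
    they are. Raises ValueError on a bad hint or an unexpected page.
    """
    if not is_valid_hint(email):
        raise ValueError("login_hint must be a plain e-mail address")
    old_action = form_action(page)
    if not old_action:
        raise ValueError("no <form action> found in page")
    parts = urlsplit(old_action)
    if parts.scheme != "https" or parts.hostname != _IDP_HOST:
        raise ValueError("refusing to decorate an unexpected action URL")
    # Keep any existing query parameters, but never stack two hints.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "login_hint"]
    query.append(("login_hint", email))
    new_action = urlunsplit(parts._replace(query=urlencode(query)))
    # Swap the attribute value verbatim, re-escaped for HTML, so the surrounding
    # markup and the onload auto-submit handler are untouched.
    old_attr = 'action="%s"' % html.escape(old_action, quote=True)
    new_attr = 'action="%s"' % html.escape(new_action, quote=True)
    if old_attr not in page:
        raise ValueError("could not locate the action attribute verbatim")
    return page.replace(old_attr, new_attr, 1)


if __name__ == "__main__":
    print(form_action(add_login_hint(SAMPLE_DOSAML_PAGE, "user@example.com")))
```

Note that the allow-list is deliberately stricter than RFC 5322: the goal is not to accept every legal mailbox, but to make sure nothing that could terminate the attribute or smuggle a second query parameter ever reaches the page.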


Did anyone get anywhere on this? I'm using the username-only field to determine whether to send users to a SAML server or to use LDAP+RADIUS. I cannot figure out how to send the username to the SAML server.

 

Mine is the same: the ADC does a POST to /nf/auth/doAuthentication.do, which has the "login" payload, but then it does a GET to /nf/auth/doSaml?ctx=<random>, which does not have the login. I opened a ticket but am still waiting.


Worked with multiple support engineers from Citrix, and it is not currently possible to do this. The response from the AAATM server, passed back to the user's browser through the Citrix Gateway, does not go through the rewrite policy engine, so the policy never gets hit. They have filed a bug request and an enhancement request to address the issue, but there is no determination yet on whether they will fix it or how long it would take. My sales rep is telling me that multiple people have complained about this, so hopefully that helps push it along.



There is no way to customize that URL currently, and Rewrite policies will not fire for AAA traffic. You can better understand why if you look at the packet flow diagram located here:

 

https://docs.citrix.com/en-us/citrix-adc/current-release/getting-started-with-citrix-adc.html

 

There may be another way to do this via Content Switching but the configuration might be a little ugly.

 

 



It is possible to do it using 'loopback' NITRO calls.

I just got it working using webauth against the SNIP address (httpcallout does not work well for 'loopback' NITRO calls). The nFactor flow is a bit insane: I have a somewhat complicated setup because of the Azure multiple-NIC HA pair with non-shared SNIP IPs, so I had to work out how to handle the active/passive node, with two different paths in the flow.


On 3/30/2023 at 10:03 AM, Julian Jakob said:

I had to dive into this and finally was able to get this to work. It's not possible with SAML, as Azure AD doesn't support login_hint there. It works fine when switching to OAuth. Here are the config details; hope this helps! https://www.julianjakob.com/citrix-netscaler-oauth-to-azure-ad-with-login_hint-subject-field/

Julian, thank you for updating this issue. Your solution worked perfectly.

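The OAuth route that the thread settles on, shown as an added example that is not from the thread, from Citrix or from the linked blog post (the NetScaler OAuth action configuration itself lives in that post and is not reproduced here). It builds the Azure AD v2.0 authorize request with login_hint alongside a fresh state and nonce, and adds the check a gateway should make afterwards: login_hint only pre-fills the Microsoft sign-in page, the user can still choose another account, so the session must be bound to the identity in the returned id_token rather than to the address the user typed. The tenant id, client id, redirect URI and the id_token payloads are placeholders/constructed; signature verification of the id_token is assumed to have happened before the claims reach this code.

```python
"""Azure AD OAuth 2.0 / OpenID Connect authorize request carrying login_hint,
plus the check that binds the session to the account Azure actually
authenticated. Added example; identifiers below are placeholders."""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Microsoft identity platform v2.0 authorize endpoint (documented path).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Same allow-list idea as for the SAML case: the hint is user input reflected into a URL.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}$")


def build_authorize_request(tenant, client_id, redirect_uri, login_hint):
    """Return {'url', 'state', 'nonce'} for the browser redirect.

    state and nonce are fresh per request; the caller stores them in the
    pending session so the callback and the id_token can be tied back to it.
    """
    if not _EMAIL_RE.match(login_hint):
        raise ValueError("login_hint must be a plain e-mail address")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "login_hint": login_hint,  # pre-fills the username at the Microsoft sign-in page
    }
    url = AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)
    return {"url": url, "state": state, "nonce": nonce}


def authorize_query(url):
    """Flat dict of the query parameters in an authorize URL (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def identity_matches_hint(claims, login_hint, expected_nonce):
    """Decide whether the authenticated identity is the one the user typed.

    login_hint is advisory only: Azure pre-fills it, but the user can still
    pick another account on the sign-in page. The gateway binds the session
    to the token's subject, never to the typed hint. `claims` is the
    signature-verified id_token payload (verification is outside this example).
    """
    if claims.get("nonce") != expected_nonce:
        return False  # not the token issued for this pending login
    actual = claims.get("preferred_username") or claims.get("email") or ""
    return actual.casefold() == login_hint.casefold()


# Constructed id_token payloads for the two outcomes (not real tokens).
CLAIMS_SAME_USER = {"sub": "abc123", "preferred_username": "User@Example.com", "nonce": "n1"}
CLAIMS_OTHER_USER = {"sub": "def456", "preferred_username": "admin@example.com", "nonce": "n1"}


if __name__ == "__main__":
    req = build_authorize_request("tenant-id", "client-id",
                                  "https://gateway.example.com/oauth/login", "user@example.com")
    print(req["url"])
    print(identity_matches_hint(CLAIMS_SAME_USER, "user@example.com", "n1"))
    print(identity_matches_hint(CLAIMS_OTHER_USER, "user@example.com", "n1"))
```

Whether a hint mismatch should fail the login or merely be logged is a policy decision; what should not happen is the gateway taking the typed address as the authenticated identity when the token says otherwise.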
