How to Configure NetScaler for Web Authentication with Vasco and Use the Extracted Attributes for SSO to StoreFront

Article ID: CTX200819

Description

This article explains how to configure NetScaler for web authentication with Vasco and use the extracted attributes for SSO to StoreFront server.

Prerequisites

  1. NetScaler version 10.5.54.x
  2. StoreFront version: 2.4 and above
  3. XenApp server: 5.6 and above

Setup Information

NSIP: 10.217.22.220
MIP: 10.217.22.221
VIP Vserver: 10.217.22.226

StoreFront server: 10.217.22.236 version: 2.6
XenApp server: 10.217.22.236 version: 6.5
STA service IP:Port: 10.217.22.236:80

Vasco IDENTIKEY server: 10.217.22.197 Port: 8888 Protocol: SSL

User Login: user2/Citrix123 (this user account was created on the Vasco server; the same credentials exist in Active Directory).


Instructions

StoreFront Configuration

  1. Open the Citrix StoreFront console and select Create a Store. Provide a name for the store. In my case, I used 'nsslvpn' as the store name.

  2. Select Delivery Controller, choose XenApp or XenDesktop depending on the deployment, and specify the IP address and port of the server. In my case, I chose XenApp 6.5 or earlier and specified 10.217.22.236:80 (HTTP).

  3. In the Remote Access section choose 'No VPN Tunnel' for ICA Proxy mode; otherwise choose 'Full VPN Tunnel'.

  4. Select the NetScaler Gateway appliance if it is already configured; otherwise add it. (The original article illustrates this step and the next with screenshots.)

  5. Specify the STA server IP and complete the NetScaler appliance settings.

  6. After completing the Remote Access configuration, choose that NetScaler Gateway and complete the StoreFront configuration.

NetScaler Configuration

  1. Expression to extract the username from the /cgi/login request body:

    add policy expression user_name "http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\")"

  2. Expression to extract the password from the /cgi/login request body:

    add policy expression user_pwd "http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")"
  3. Create a WebAuth action with the Vasco server IP, port and scheme. In the action below:
    the -fullReqExpr builds the SOAP authUser request and concatenates the user_name and user_pwd expressions from Step 1 and Step 2 into the CREDFLD_USERID and CREDFLD_PASSWORD attributes;
    the -successRule defines on what basis NetScaler treats the response as a successful authentication;
    the -Attribute1, -Attribute2 and -Attribute3 XPath expressions extract the username and password from the Vasco server response.

    add authentication webAuthAction Vasco_1 -serverIP 10.217.22.197 -serverPort 8888 -fullReqExpr q{"POST / HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept:*/*\r\nHost: Vasco.nsi-test.com\r\nReferer: https://vasco.nsi-test.com:8888\r\nAccept-Language: en-US" + "\r\nContent-Length: 2000\r\n\r\n" + "<soapenv:Envelope\rxmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\rxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\rxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\rxmlns:aut=\"http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication\">\r" + "\n<soapenv:Header/>\r\n<soapenv:Body>\r\n<aut:authUser>\r\n<credentialAttributeSet>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_name + "</value>\r\n<attributeID>CREDFLD_USERID</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">nsi-test.com</value>\r\n<attributeID>CREDFLD_DOMAIN</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_pwd + "</value>\r\n<attributeID>CREDFLD_PASSWORD</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">NetScaler_221</value>\r\n<attributeID>CREDFLD_COMPONENT_TYPE</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:unsignedInt\">" + 0 + "</value>\r\n<attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>\r\n</attributes>\r\n</credentialAttributeSet>\r\n</aut:authUser>\r\n</soapenv:Body>\r\n</soapenv:Envelope>"} -scheme https -successRule "http.res.status.eq(200) && HTTP.RES.BODY(10000).REGEX_MATCH(re/\\STAT_SUCCESS/)" -Attribute1 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[1]/value%)" -Attribute2 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[2]/value%)" -Attribute3 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[3]/value%)"
    add authentication webAuthPolicy Vasco_1 -rule ns_true -action Vasco_1

    When the response is evaluated, NetScaler looks at the status code returned in it: if the status code is STAT_SUCCESS the authentication is treated as successful, otherwise as failed. Only when the status code matches does NetScaler extract the configured attributes.

  4. Create a VPN vserver, bind the WebAuth policy created in Step 3, and bind the STA server.

    add vpn vserver vpn2 SSL 10.217.22.226 443
    bind ssl vserver vpn2 dmn12
    bind ssl vserver vpn2 -certkeyName nsi-ca -CA -ocspCheck Optional
    bind ssl vserver vpn2 -certkeyName dmn12CA -CA -ocspCheck Optional
    bind vpn vserver vpn2 -policy Vasco_1 -priority 10
    bind vpn vserver vpn2 -staServer "http://xa.dmn12.nsi-test.com"

  5. Create a VPN session policy; specify the -StoreFronturl and -wihome options in the session action.

    add vpn sessionAction wisso -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnweb" -ntDomain DMN12.NSI-TEST.COM -StoreFronturl "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnWeb" -kcdAccount NONE
    add vpn sessionPolicy wisso ns_true wisso
    bind vpn vserver vpn2 -policy wisso
  6. Create a VPN traffic policy that uses the extracted user attributes for SSO, and bind it to the VPN vserver.

The traffic action uses http.req.user.attribute(1) and http.req.user.attribute(3) because those are the attributes the WebAuth action extracted from the Vasco response: attribute 1 holds the username (the first <attributes> entry, CREDFLD_USERID) and attribute 3 holds the password (the third entry, CREDFLD_STATIC_PASSWORD).

In the following configuration, the rule on the traffic policy determines when the traffic action is evaluated: only for requests whose URL contains Citrix/nsslvpnWeb.

    add vpn trafficAction vpn-sso http -SSO ON -userExpression "http.req.user.attribute(1)" -passwdExpression "http.req.user.attribute(3)"
    add vpn trafficPolicy vpn-sso "REQ.HTTP.URL CONTAINS Citrix/nsslvpnWeb" vpn-sso
    bind vpn vserver vpn2 -policy vpn-sso
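The flow of Steps 1 to 6 modelled in Python, as an added example that is neither NetScaler code nor code from the article: it parses the /cgi/login body the way the user_name and user_pwd expressions do, renders the authUser SOAP body that -fullReqExpr builds, applies the -successRule to a constructed Vasco response and pulls -Attribute1..3 with the same XPath, which shows why http.req.user.attribute(1) and (3) in the traffic action carry the username and password. It goes beyond the article's expressions in URL-decoding the form fields and XML-escaping the values; the sample response is a trimmed copy of the one captured in the next section, and STAT_FAILED in the denial sample is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

NS_AUT = "http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"


def extract_login_fields(body):
    """Model of the user_name / user_pwd policy expressions (Steps 1 and 2)."""
    # The NetScaler expressions are raw substring operations with no URL
    # decoding; this version decodes (an added hardening, not in the article).
    fields = parse_qs(body, keep_blank_values=True)
    return fields["login"][0], fields["passwd"][0]


def build_auth_user_request(username, password, domain="nsi-test.com",
                            component="NetScaler_221"):
    """Render the authUser SOAP body that -fullReqExpr concatenates (Step 3)."""
    # Values are XML-escaped here, which the article's expression does not do;
    # without it a '<' or '&' in a password would corrupt the SOAP document.
    def attr(value, attr_id, xsd="xsd:string"):
        return (f'<attributes><value xsi:type="{xsd}">{escape(value)}</value>'
                f'<attributeID>{attr_id}</attributeID></attributes>')
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        f'xmlns:aut="{NS_AUT}"><soapenv:Header/><soapenv:Body><aut:authUser>'
        '<credentialAttributeSet>'
        + attr(username, "CREDFLD_USERID")
        + attr(domain, "CREDFLD_DOMAIN")
        + attr(password, "CREDFLD_PASSWORD")
        + attr(component, "CREDFLD_COMPONENT_TYPE")
        + attr("0", "CREDFLD_PASSWORD_FORMAT", "xsd:unsignedInt")
        + '</credentialAttributeSet></aut:authUser></soapenv:Body></soapenv:Envelope>'
    )


def evaluate_response(status, body):
    """Mirror the -successRule and -Attribute1..3 extraction of Step 3."""
    # successRule: http.res.status.eq(200) && BODY.REGEX_MATCH(re/STAT_SUCCESS/)
    if status != 200 or re.search(r"STAT_SUCCESS", body) is None:
        return False, {}
    root = ET.fromstring(body)
    attrs = {}
    for n in (1, 2, 3):
        # //attributes[n]/value matches every <attributes> that is the n-th
        # <attributes> child of its parent; the first match in document order
        # is the n-th entry of <resultAttribute>: 1 = USERID, 3 = STATIC_PASSWORD.
        hits = root.findall(f".//attributes[{n}]/value")
        attrs[n] = hits[0].text if hits else None
    return True, attrs


# Constructed sample: the article's successful authUserResponse trimmed to
# the elements used here (unused namespace declarations dropped).
SAMPLE_SUCCESS = """<SOAP-ENV:Envelope
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
<SOAP-ENV:Body><AUTH-TYPES:authUserResponse><authUserResults><results>
<resultCodes><returnCodeEnum>RET_SUCCESS</returnCodeEnum>
<statusCodeEnum>STAT_SUCCESS</statusCodeEnum></resultCodes>
<resultAttribute>
<attributes><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
<attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
<attributes><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_STATIC_PASSWORD</attributeID></attributes>
<attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID></attributes>
</resultAttribute></results>
<userAttributeList><attributeList>
<attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>UATTFLD_DOMAIN</attributeID></attributes>
<attributes><value xsi:type="xsd:string">user2</value><attributeID>UATTFLD_USERID</attributeID></attributes>
</attributeList></userAttributeList>
</authUserResults></AUTH-TYPES:authUserResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Denial: the article says Vasco returns RET_DENIED; the status enum sent with it
# is not shown, so STAT_FAILED is a placeholder (the rule only needs STAT_SUCCESS absent).
SAMPLE_DENIED = (SAMPLE_SUCCESS.replace("RET_SUCCESS", "RET_DENIED")
                 .replace("STAT_SUCCESS", "STAT_FAILED"))
```

Note that the userAttributeList also has a first and second <attributes> entry; they do not interfere only because the resultAttribute entries come first in document order, so a change in Vasco's response layout would silently change which values land in attributes 1 to 3.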

SOAP Request and Response (Posted and Received by NetScaler)

POST / HTTP/1.1
Accept:*/*
Host: Vasco.nsi-test.com
Referer: https://vasco.nsi-test.com:8888
Accept-Language: en-US
Content-Length: 1030

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:string">user2</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">nsi-test.com</value>
          <attributeID>CREDFLD_DOMAIN</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">1Citrix</value>
          <attributeID>CREDFLD_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">NetScaler_221</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:unsignedInt">0</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>

HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: text/xml; charset=utf-8
Content-Length: 7630
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xop="http://www.w3.org/2004/08/xop/include"
 xmlns:CREDENTIAL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/CredentialTypes.xsd"
 xmlns:USER-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserTypes.xsd"
 xmlns:BACKEND-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndTypes.xsd"
 xmlns:COMPONENT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ComponentTypes.xsd"
 xmlns:CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ConfigurationTypes.xsd"
 xmlns:DIGIPASS-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassTypes.xsd"
 xmlns:DOMAIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DomainTypes.xsd"
 xmlns:ORGUNIT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OrgunitTypes.xsd"
 xmlns:USER-ATTRIBUTE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserAttributeTypes.xsd"
 xmlns:DIGIPASSAPPL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassApplTypes.xsd"
 xmlns:POLICY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/PolicyTypes.xsd"
 xmlns:REPLICATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReplicationTypes.xsd"
 xmlns:REPORTFORMAT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFormatTypes.xsd"
 xmlns:REPORTFIELD-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFieldTypes.xsd"
 xmlns:REPORT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportTypes.xsd"
 xmlns:DPXFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DPXFileTypes.xsd"
 xmlns:USERFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserFileTypes.xsd"
 xmlns:ADMINSESSION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/AdminSessionTypes.xsd"
 xmlns:OFFLINEDATA-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OfflineDataTypes.xsd"
 xmlns:RADIUSDICT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/RadiusDictTypes.xsd"
 xmlns:BACKENDSERVERGROUP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndServerGroupTypes.xsd"
 xmlns:TASK-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TaskTypes.xsd"
 xmlns:KEY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/KeyTypes.xsd"
 xmlns:REPORTFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFileTypes.xsd"
 xmlns:TIMEZONELIST-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TimeZoneListTypes.xsd"
 xmlns:BASIC-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BasicTypes.xsd"
 xmlns:EMVCAP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapTypes.xsd"
 xmlns:PROVISIONING-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ProvisioningTypes.xsd"
 xmlns:SERVER-CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfigurationTypes.xsd"
 xmlns:SIGNATURE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/SignatureTypes.xsd"
 xmlns:ADMIN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Administration"
 xmlns:ADMIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration"
 xmlns:AUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Authentication"
 xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"
 xmlns:EMVCAPAUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/EmvCapAuthentication"
 xmlns:EMVCAP-AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapAuthentication"
 xmlns:PROV-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Provisioning"
 xmlns:PROV-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Provisioning"
 xmlns:SERVERCFG-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/ServerConfiguration"
 xmlns:SERVERCFG-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfiguration"
 xmlns:SIGN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Signature"
 xmlns:SIGN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature">
  <SOAP-ENV:Header></SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <AUTH-TYPES:authUserResponse>
      <authUserResults xsi:type="AUTH-TYPES:AuthUserResults">
        <results xsi:type="CREDENTIAL-TYPES:CredentialResults">
          <resultCodes xsi:type="BASIC-TYPES:ResultCodes">
            <returnCodeEnum>RET_SUCCESS</returnCodeEnum>
            <statusCodeEnum>STAT_SUCCESS</statusCodeEnum>
            <returnCode>0</returnCode>
            <statusCode>0</statusCode>
          </resultCodes>
          <resultAttribute xsi:type="CREDENTIAL-TYPES:CredentialAttributeSet">
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute">
              <value xsi:type="xsd:string">user2</value>
              <attributeID>CREDFLD_USERID</attributeID>
            </attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute">
              <value xsi:type="xsd:string">nsi-test.com</value>
              <attributeID>CREDFLD_DOMAIN</attributeID>
            </attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute">
              <attributeOptions xsi:type="BASIC-TYPES:AttributeOptions">
                <masked>true</masked>
              </attributeOptions>
              <value xsi:type="xsd:string">1Citrix</value>
              <attributeID>CREDFLD_STATIC_PASSWORD</attributeID>
            </attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute">
              <value xsi:type="xsd:string">nsi-test.com</value>
              <attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID>
            </attributes>
          </resultAttribute>
          <errorStack xsi:type="BASIC-TYPES:ErrorStack"></errorStack>
        </results>
        <userAttributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeList">
          <attributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeSet">
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:string">nsi-test.com</value>
              <attributeID>UATTFLD_DOMAIN</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:string">user2</value>
              <attributeID>UATTFLD_USERID</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:string">User-Data</value>
              <attributeID>UATTFLD_ATTR_GROUP</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:int">1</value>
              <attributeID>UATTFLD_SEQ_NO</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:string">Reply-Message</value>
              <attributeID>UATTFLD_NAME</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:string">Reply</value>
              <attributeID>UATTFLD_USAGE_QUALIFIER</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <attributeOptions xsi:type="BASIC-TYPES:AttributeOptions">
                <masked>true</masked>
              </attributeOptions>
              <value xsi:type="xsd:string">Success</value>
              <attributeID>UATTFLD_VALUE</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value>
              <attributeID>UATTFLD_CREATE_TIME</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value>
              <attributeID>UATTFLD_MODIFY_TIME</attributeID>
            </attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute">
              <value xsi:type="xsd:unsignedInt">1</value>
              <attributeID>UATTFLD_OPTIONS</attributeID>
            </attributes>
          </attributeList>
        </userAttributeList>
      </authUserResults>
    </AUTH-TYPES:authUserResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Debugging Section

1. To verify that the values are extracted by the web authentication, run tail -f /var/log/ns.log on the NetScaler and watch the log while a user logs in.

Vasco Configuration (the original article documents these screens with screenshots, which are not reproduced here):

User Settings

Policy Configuration

Client Configuration (Configuring NetScaler: SNIP/MIP as the client)

Backend Configuration

Organization Configuration

Servers List

IAS Configuration

How to Identify Login Success/Failure

SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes>
          <value xsi:type="xsd:string">user2</value>
          <attributeID>CREDFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">nsi-test.com</value>
          <attributeID>CREDFLD_DOMAIN</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">1Citrix</value>
          <attributeID>CREDFLD_PASSWORD</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">Perl_Client</value>
          <attributeID>CREDFLD_COMPONENT_TYPE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">nsi-test.com</value>
          <attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:unsignedInt">0</value>
          <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>
        </attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>

Successful Authentication SOAP Response

The successful response is the same HTTP/1.1 200 OK authUserResponse shown in full above under "SOAP Request and Response (Posted and Received by NetScaler)". The part that decides success is the resultCodes block:

<resultCodes xsi:type="BASIC-TYPES:ResultCodes">
  <returnCodeEnum>RET_SUCCESS</returnCodeEnum>
  <statusCodeEnum>STAT_SUCCESS</statusCodeEnum>
  <returnCode>0</returnCode>
  <statusCode>0</statusCode>
</resultCodes>


Failed Authentication SOAP Response:

In case of authentication failure, the Vasco server returns RET_DENIED as the status in the SOAP response. The successRule above then finds no STAT_SUCCESS in the body, so NetScaler treats the login as failed and extracts no attributes.

 
