This article explains how to configure NetScaler for web authentication with Vasco and use the extracted attributes for SSO to StoreFront server.
NSIP: 10.217.22.220
MIP: 10.217.22.221
VIP Vserver: 10.217.22.226
StoreFront server: 10.217.22.236 version: 2.6
XenApp server: 10.217.22.236 version: 6.5
STA service IP: Port: 10.217.22.236:80
Vasco IDENTIKEY server: 10.217.22.197 Port: 8888 Protocol: SSL
User Login: user2/Citrix123 (This is the user account created in Vasco Server, same user credentials exist in Active Directory).
Open the Citrix StoreFront console and select the Create a Store option. Provide a name for the store. In my case, I gave ‘nsslvpn’ as the store name.
Select Delivery Controller; choose XenApp/XenDesktop based on the deployment and specify the IP address and port of the server. In my case, I chose XenApp 6.5 or earlier and specified 10.217.22.236:80 (HTTP).
In the Remote Access section, choose ‘No VPN Tunnel’ for ICA Proxy mode; otherwise choose ‘Full VPN Tunnel’.
Select the NetScaler Gateway appliance if it is already configured. Otherwise, add it.
Specify STA server IP and complete NetScaler appliance settings.
After completing Remote Access configuration, choose that NetScaler Gateway and complete StoreFront configuration.
Expression to extract Username from /cgi/login request:
add policy expression user_name "http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\")"
Expression to extract Password from /cgi/login request:
add policy expression user_pwd "http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")"
Create a WebAuth action with the Vasco server IP, port and scheme settings. In the command below:
The user_name and user_pwd expressions created above are inserted into the request body built by -fullReqExpr.
The -successRule expression defines on what basis NetScaler treats the response as a successful authentication.
The -Attribute1, -Attribute2 and -Attribute3 expressions define how the username and password are extracted from the Vasco server response.
add authentication webAuthAction Vasco_1 -serverIP 10.217.22.197 -serverPort 8888 -fullReqExpr q{"POST / HTTP/" + http.req.version.major + "." + http.req.version.major + "\r\nAccept:*/*\r\nHost: Vasco.nsi-test.com\r\nReferer: https://vasco.nsi-test.com:8888\r\nAccept-Language: en-US" + "\r\nContent-Length: 2000\r\n\r\n" + "<soapenv:Envelope\rxmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"\rxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\rxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\rxmlns:aut=\"http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication\">\r" + "\n<soapenv:Header/>\r\n<soapenv:Body>\r\n<aut:authUser>\r\n<credentialAttributeSet>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_name + "</value>\r\n<attributeID>CREDFLD_USERID</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">nsi-test.com</value>\r\n<attributeID>CREDFLD_DOMAIN</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_pwd + "</value>\r\n<attributeID>CREDFLD_PASSWORD</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">NetScaler_221</value>\r\n<attributeID>CREDFLD_COMPONENT_TYPE</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:unsignedInt\">" + 0 + "</value>\r\n<attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>\r\n</attributes>\r\n</credentialAttributeSet>\r\n</aut:authUser>\r\n</soapenv:Body>\r\n</soapenv:Envelope>"} -scheme https -successRule "http.res.status.eq(200) && HTTP.RES.BODY(10000).REGEX_MATCH(re/\\STAT_SUCCESS/)" -Attribute1 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[1]/value%)" -Attribute2 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[2]/value%)" -Attribute3 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[3]/value%)"
add authentication webAuthPolicy Vasco_1 -rule ns_true -action Vasco_1
When NetScaler evaluates the response, it looks for the status code returned in it. If the status code is STAT_SUCCESS, NetScaler treats the authentication as successful; otherwise it treats it as failed. If the status code matches, NetScaler extracts the configured attributes.
Create a VPN vserver, bind WebAuth policy created above (Step 3), bind STA service.
add vpn vserver vpn2 SSL 10.217.22.226 443
bind ssl vserver vpn2 -certkeyName dmn12
bind ssl vserver vpn2 -certkeyName nsi-ca -CA -ocspCheck Optional
bind ssl vserver vpn2 -certkeyName dmn12CA -CA -ocspCheck Optional
bind vpn vserver vpn2 -policy Vasco_1 -priority 10
bind vpn vserver vpn2 -staServer "http://xa.dmn12.nsi-test.com"
Create a VPN session policy; specify the -StoreFronturl and -wihome options in the session action.
add vpn sessionAction wisso -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnweb" -ntDomain DMN12.NSI-TEST.COM -StoreFronturl "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnWeb" -kcdAccount NONE
add vpn sessionPolicy wisso ns_true wisso
bind vpn vserver vpn2 -policy wisso
http.req.user.attribute(1) and http.req.user.attribute(3) are used because the user name and password extracted from the Vasco response are stored in those attributes.
In the following configuration, the traffic policy rule specifies when the traffic action is evaluated.
add vpn trafficAction vpn-sso http -SSO ON -userExpression "http.req.user.attribute(1)" -passwdExpression "http.req.user.attribute(3)"
add vpn trafficPolicy vpn-sso "REQ.HTTP.URL CONTAINS Citrix/nsslvpnWeb" vpn-sso
bind vpn vserver vpn2 -policy vpn-sso
Sample request sent to the Vasco server:
POST / HTTP/1.1
Accept:*/*
Host: Vasco.nsi-test.com
Referer: https://vasco.nsi-test.com:8888
Accept-Language: en-US
Content-Length: 1030

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
<soapenv:Header/>
<soapenv:Body>
<aut:authUser>
<credentialAttributeSet>
<attributes>
<value xsi:type="xsd:string">user2</value> <attributeID>CREDFLD_USERID</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">nsi-test.com</value> <attributeID>CREDFLD_DOMAIN</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">1Citrix</value> <attributeID>CREDFLD_PASSWORD</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">NetScaler_221</value> <attributeID>CREDFLD_COMPONENT_TYPE</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:unsignedInt">0</value> <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID> </attributes>
</credentialAttributeSet>
</aut:authUser>
</soapenv:Body>
</soapenv:Envelope>

Response from the Vasco server:
HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: text/xml; charset=utf-8
Content-Length: 7630
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xop="http://www.w3.org/2004/08/xop/include"
xmlns:CREDENTIAL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/CredentialTypes.xsd"
xmlns:USER-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserTypes.xsd"
xmlns:BACKEND-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndTypes.xsd"
xmlns:COMPONENT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ComponentTypes.xsd"
xmlns:CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ConfigurationTypes.xsd"
xmlns:DIGIPASS-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassTypes.xsd"
xmlns:DOMAIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DomainTypes.xsd"
xmlns:ORGUNIT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OrgunitTypes.xsd"
xmlns:USER-ATTRIBUTE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserAttributeTypes.xsd"
xmlns:DIGIPASSAPPL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassApplTypes.xsd"
xmlns:POLICY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/PolicyTypes.xsd"
xmlns:REPLICATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReplicationTypes.xsd"
xmlns:REPORTFORMAT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFormatTypes.xsd"
xmlns:REPORTFIELD-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFieldTypes.xsd"
xmlns:REPORT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportTypes.xsd"
xmlns:DPXFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DPXFileTypes.xsd"
xmlns:USERFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserFileTypes.xsd"
xmlns:ADMINSESSION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/AdminSessionTypes.xsd"
xmlns:OFFLINEDATA-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OfflineDataTypes.xsd"
xmlns:RADIUSDICT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/RadiusDictTypes.xsd"
xmlns:BACKENDSERVERGROUP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndServerGroupTypes.xsd"
xmlns:TASK-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TaskTypes.xsd"
xmlns:KEY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/KeyTypes.xsd"
xmlns:REPORTFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFileTypes.xsd"
xmlns:TIMEZONELIST-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TimeZoneListTypes.xsd"
xmlns:BASIC-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BasicTypes.xsd"
xmlns:EMVCAP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapTypes.xsd"
xmlns:PROVISIONING-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ProvisioningTypes.xsd"
xmlns:SERVER-CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfigurationTypes.xsd"
xmlns:SIGNATURE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/SignatureTypes.xsd"
xmlns:ADMIN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Administration"
xmlns:ADMIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration"
xmlns:AUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Authentication"
xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"
xmlns:EMVCAPAUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/EmvCapAuthentication"
xmlns:EMVCAP-AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapAuthentication"
xmlns:PROV-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Provisioning"
xmlns:PROV-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Provisioning"
xmlns:SERVERCFG-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/ServerConfiguration"
xmlns:SERVERCFG-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfiguration"
xmlns:SIGN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Signature"
xmlns:SIGN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature">
<SOAP-ENV:Header></SOAP-ENV:Header>
<SOAP-ENV:Body>
<AUTH-TYPES:authUserResponse>
<authUserResults xsi:type="AUTH-TYPES:AuthUserResults">
<results xsi:type="CREDENTIAL-TYPES:CredentialResults">
<resultCodes xsi:type="BASIC-TYPES:ResultCodes"><returnCodeEnum>RET_SUCCESS</returnCodeEnum><statusCodeEnum>STAT_SUCCESS</statusCodeEnum><returnCode>0</returnCode><statusCode>0</statusCode></resultCodes>
<resultAttribute xsi:type="CREDENTIAL-TYPES:CredentialAttributeSet">
<attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
<attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
<attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><attributeOptions xsi:type="BASIC-TYPES:AttributeOptions"><masked>true</masked></attributeOptions><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_STATIC_PASSWORD</attributeID></attributes>
<attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID></attributes>
</resultAttribute>
<errorStack xsi:type="BASIC-TYPES:ErrorStack"></errorStack>
</results>
<userAttributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeList">
<attributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeSet">
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>UATTFLD_DOMAIN</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">user2</value><attributeID>UATTFLD_USERID</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">User-Data</value><attributeID>UATTFLD_ATTR_GROUP</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:int">1</value><attributeID>UATTFLD_SEQ_NO</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">Reply-Message</value><attributeID>UATTFLD_NAME</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">Reply</value><attributeID>UATTFLD_USAGE_QUALIFIER</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><attributeOptions xsi:type="BASIC-TYPES:AttributeOptions"><masked>true</masked></attributeOptions><value xsi:type="xsd:string">Success</value><attributeID>UATTFLD_VALUE</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value><attributeID>UATTFLD_CREATE_TIME</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value><attributeID>UATTFLD_MODIFY_TIME</attributeID></attributes>
<attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:unsignedInt">1</value><attributeID>UATTFLD_OPTIONS</attributeID></attributes>
</attributeList>
</userAttributeList>
</authUserResults>
</AUTH-TYPES:authUserResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
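The response evaluation described above, as an added Python example (not NetScaler or Vasco code, and not part of the original article): it applies the successRule and the positional //attributes[n] XPath to a constructed, abridged copy of the sample response, then checks that attribute(1) and attribute(3), which the traffic action uses for SSO, really hold the user ID and password fields. The helper names, the trimmed XML, the "no domain" variant and the shape of the RET_DENIED body are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace declarations for the prefixes used below (subset of the page's list).
NS = ('xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"')

def build_response(result_codes, creds):
    """Constructed, abridged authUserResponse (xsi:type attributes and
    userAttributeList omitted); element names follow the page's sample."""
    attrs = "".join(
        f"<attributes><value>{value}</value><attributeID>{attr_id}</attributeID></attributes>"
        for attr_id, value in creds)
    return (f"<SOAP-ENV:Envelope {NS}><SOAP-ENV:Body><AUTH-TYPES:authUserResponse>"
            f"<authUserResults><results><resultCodes>{result_codes}</resultCodes>"
            f"<resultAttribute>{attrs}</resultAttribute></results></authUserResults>"
            "</AUTH-TYPES:authUserResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>")

SUCCESS_CODES = ("<returnCodeEnum>RET_SUCCESS</returnCodeEnum>"
                 "<statusCodeEnum>STAT_SUCCESS</statusCodeEnum>")
# Values and order as in the page's sample response.
PAGE_ORDER = [("CREDFLD_USERID", "user2"), ("CREDFLD_DOMAIN", "nsi-test.com"),
              ("CREDFLD_STATIC_PASSWORD", "1Citrix"),
              ("CREDFLD_ORGANIZATIONAL_UNIT", "nsi-test.com")]
# Hypothetical variant: the same fields with the domain entry absent.
NO_DOMAIN = [c for c in PAGE_ORDER if c[0] != "CREDFLD_DOMAIN"]
# Assumed shape of a failure body; the page only states that RET_DENIED is returned.
DENIED = build_response("<returnCodeEnum>RET_DENIED</returnCodeEnum>", [])

def eval_webauth(http_status, body):
    """Mirror -successRule and -Attribute1..3 of the webAuthAction.
    Returns {n: (attributeID, value)} on success, None on failure."""
    # successRule: status 200 and the regex \STAT_SUCCESS (\S followed by
    # TAT_SUCCESS) somewhere in the first 10000 characters of the body.
    if http_status != 200 or not re.search(r"\STAT_SUCCESS", body[:10000]):
        return None
    root = ET.fromstring(body)
    extracted = {}
    for n in (1, 2, 3):
        # First node matching the positional XPath //attributes[n].
        node = root.find(f".//attributes[{n}]")
        extracted[n] = None if node is None else (
            node.findtext("attributeID"), node.findtext("value"))
    return extracted

# The traffic action feeds attribute(1) and attribute(3) to StoreFront SSO.
SSO_FIELDS = {1: "CREDFLD_USERID", 3: "CREDFLD_STATIC_PASSWORD"}

def sso_mapping_ok(extracted):
    """True only if the positions used for SSO hold the user ID and password."""
    if extracted is None:
        return False
    return all(extracted[n] is not None and extracted[n][0] == want
               for n, want in SSO_FIELDS.items())

if __name__ == "__main__":
    for label, body in (("page order", build_response(SUCCESS_CODES, PAGE_ORDER)),
                        ("no domain", build_response(SUCCESS_CODES, NO_DOMAIN)),
                        ("denied", DENIED)):
        result = eval_webauth(200, body)
        # Print attribute IDs only, never the extracted values.
        ids = None if result is None else {n: v and v[0] for n, v in result.items()}
        print(f"{label}: auth={'ok' if result else 'failed'} "
              f"sso_mapping_ok={sso_mapping_ok(result)} ids={ids}")
```

Because the XPath is positional, a response whose credential attributes arrive in a different order still passes the successRule but hands a different field to the SSO password expression, which is what the "no domain" case shows.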
1. To verify that the values are extracted from web authentication, run ‘tail -f /var/log/ns.log’.
Vasco Configuration:
User Settings:
Policy Configuration:
Client Configuration: (Configuring NetScaler: SNIP/MIP as the client)
Backend Configuration:
Organization Configuration:
Servers List:
IAS Configuration Screenshots:
SOAP request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
<soapenv:Header/>
<soapenv:Body>
<aut:authUser>
<credentialAttributeSet>
<attributes>
<value xsi:type="xsd:string">user2</value> <attributeID>CREDFLD_USERID</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">nsi-test.com</value> <attributeID>CREDFLD_DOMAIN</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">1Citrix</value> <attributeID>CREDFLD_PASSWORD</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">Perl_Client</value> <attributeID>CREDFLD_COMPONENT_TYPE</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:string">nsi-test.com</value> <attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID> </attributes>
<attributes>
<value xsi:type="xsd:unsignedInt">0</value> <attributeID>CREDFLD_PASSWORD_FORMAT</attributeID> </attributes>
</credentialAttributeSet>
</aut:authUser>
</soapenv:Body>
</soapenv:Envelope>
Successful Authentication SOAP Response: identical to the HTTP/1.1 200 OK response from the Vasco server shown earlier in this article (RET_SUCCESS / STAT_SUCCESS, Content-Length: 7630).
Failed Authentication SOAP Response:
In case of authentication failure, Vasco server returns RET_DENIED as status in SOAP response.