nFactor - SAML in First Factor then Group Extraction Followed by LDAP/Certificate Authentication on NetScaler

Article ID: CTX201731

Description

This article describes the following scenario:

  1. Administrator configures SAML Authentication in first factor.

  2. The next factor is pass-through and is configured for group extraction with authentication disabled.

  3. Based on the groups that are extracted we can decide the next factor to be either LDAP or Certificate Authentication.

This article describes these steps in detail. The first section briefly introduces the entities that are encountered in this article, and in nFactor authentication in general. The next section demonstrates the flow step by step. The following sections contain an example LoginSchema that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that provides the UI tier with enough information to generate the user interface from the information sent in this XML blob. Put another way, LoginSchema is a logical representation of the logon form in XML.

It can be added as shown in the following example:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression> 

Where: authenticationSchema is a well-structured XML document that defines the way the login form is rendered. userExpression is used to extract the username from the login attempt. Likewise, passwordExpression is used to extract the password.

Authentication Policylabel

An authentication policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogeneous policies, which means that the credentials received from the user apply to all the policies in the cascade. There are exceptions to this when a fallback option is configured or a feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there is no single secondary cascade. There could be N secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When we bind an authentication policy to authentication vserver, we specify nextFactor, which represents a policylabel or factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as shown in the following example:

add authentication policylabel <name> -loginSchema <loginSchemaName>

Where: loginSchemaName will be the login schema that we want to associate with this authentication factor.

We can bind authentication policies to this label.

bind authentication policylabel <name> -policyName <policyName> -priority 10 -nextFactor <nextFactorLabelName>

Use-case description:

  1. After accessing the TM vserver we are redirected to the external SAML IdP (Shibboleth in this example) for login. After the login credentials are entered, if login is successful, the SAML IdP sends back the SAML Response.

  2. Once the SAML response is successfully verified, we move to the 2nd factor for group extraction. 2nd factor is configured as a pass-through factor. Pass-through means that there will be no login page for this factor. For group extraction, we will use the username from the previous factor unless username expression is explicitly configured in the login schema for this factor.

  3. Once groups are extracted, we move to another pass-through factor with NO_AUTHN policies to decide the next factor. A NO_AUTHN policy means that in case the rule configured for this policy evaluates to true we will not perform any authentication and simply jump to the next factor that is configured. We have configured policies, such that, based on the groups that are extracted we can jump to either LDAP Auth factor or Cert Auth factor.

  4. For example, say that after the SAML authentication succeeds we have extracted a group Grp1. One of the NO_AUTHN policy rules is configured to check whether the user is a member of Grp1. If that policy evaluates to true, the jump goes to the next factor configured for it, in this case LDAP authentication. Similarly, a policy can be configured whose next factor is certificate authentication.

  5. When the LDAP factor is selected based on group extraction, the following Login Schema is shown:

    The username value is prefilled using the expression ${HTTP.REQ.USER.NAME}, which extracts the username from the session. Other fields, such as the labels for username and password, can also be customized.
    Here is the example used for this specific representation of the logon form:

    <?xml version="1.0" encoding="UTF-8"?>
    <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
      <Status>success</Status>
      <Result>more-info</Result>
      <StateContext />
      <AuthenticationRequirements>
        <PostBack>/nf/auth/doAuthentication.do</PostBack>
        <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
        <CancelButtonText>Cancel</CancelButtonText>
        <Requirements>
          <Requirement>
            <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
            <Label><Text>User name</Text><Type>plain</Type></Label>
            <Input>
              <AssistiveText>Please supply either domain\username or user@fully.qualified.domain</AssistiveText>
              <Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue>${HTTP.REQ.USER.NAME}</InitialValue><Constraint>.+</Constraint></Text>
            </Input>
          </Requirement>
          <Requirement>
            <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
            <Label><Text>Password:</Text><Type>plain</Type></Label>
            <Input>
              <Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
            </Input>
          </Requirement>
          <Requirement>
            <Credential><Type>none</Type></Credential>
            <Label><Text>Third Factor with LDAP Authentication</Text><Type>confirmation</Type></Label>
            <Input />
          </Requirement>
        </Requirements>
      </AuthenticationRequirements>
    </AuthenticateResponse>

    The customizable portions of the logon form are the label texts (User name, Password:, Third Factor with LDAP Authentication), the AssistiveText and the InitialValue of the username field. Administrators can modify these values to suit their needs; the password field must keep <Secret>true</Secret> so that it is masked.

  6. In case the Cert factor is selected based on group extraction after SAML, the browser prompts the user to select a certificate.
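The following Python script is an added example and is not part of the article or of NetScaler itself. It parses a LoginSchema of the kind shown in step 5 (the article's login2.xml is embedded as the sample input) and checks the points a reviewer would look for before the schema is copied to the appliance: the Result is more-info, the PostBack is the nFactor endpoint, every password credential is marked Secret, and the username credential is prefilled from the previous factor with ${HTTP.REQ.USER.NAME}. The check names and thresholds are this example's own conventions, not Citrix's.

```python
"""Parse and sanity-check an nFactor LoginSchema (AuthenticateResponse XML) before deploying it."""
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

# Sample input: the LDAP-factor schema from the article (login2.xml), with the username
# prefilled from the previous factor via ${HTTP.REQ.USER.NAME}.
LOGIN_SCHEMA = r"""<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext />
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>User name</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either domain\username or user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue>${HTTP.REQ.USER.NAME}</InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><Type>none</Type></Credential><Label><Text>Third Factor with LDAP Authentication </Text><Type>confirmation</Type></Label><Input /></Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""


def _text(el, path, default=""):
    """Text of a namespaced child element, or default when the element is absent."""
    return el.findtext(path, default=default, namespaces=NS) if el is not None else default


def parse_requirements(schema_xml):
    """Return one dict per <Requirement>: credential id/type, label, secrecy and initial value."""
    root = ET.fromstring(schema_xml.encode("utf-8"))
    reqs = []
    for req in root.iterfind(".//a:Requirement", NS):
        cred = req.find("a:Credential", NS)
        text = req.find("a:Input/a:Text", NS)  # None for <Input /> (confirmation-only rows)
        reqs.append({
            "id": _text(cred, "a:ID"),
            "type": _text(cred, "a:Type"),
            "label": _text(req, "a:Label/a:Text").strip(),
            "secret": _text(text, "a:Secret", "false") == "true",
            "initial": _text(text, "a:InitialValue"),
        })
    return reqs


def check_schema(schema_xml):
    """Findings a reviewer would raise; an empty list means the schema passed every check."""
    root = ET.fromstring(schema_xml.encode("utf-8"))
    findings = []
    if _text(root, "a:Result") != "more-info":
        findings.append("Result should be 'more-info' for a factor that still collects input")
    postback = _text(root, "a:AuthenticationRequirements/a:PostBack")
    if postback != "/nf/auth/doAuthentication.do":
        findings.append(f"PostBack is {postback!r}, expected /nf/auth/doAuthentication.do")
    for r in parse_requirements(schema_xml):
        if r["type"] == "password" and not r["secret"]:
            findings.append(f"credential {r['id']} is a password but <Secret> is not true (it would be echoed)")
        if r["type"] == "username" and "${HTTP.REQ.USER.NAME}" not in r["initial"].upper():
            findings.append(f"credential {r['id']} does not prefill the username from the previous factor")
    return findings


if __name__ == "__main__":
    for r in parse_requirements(LOGIN_SCHEMA):
        print(r)
    print(check_schema(LOGIN_SCHEMA) or "schema OK")
```

Run it against a modified copy (for instance with the password's Secret flag set to false) to see the findings fire; the article's schema itself passes every check.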

Sequence Diagram for this Use-case When LDAP is Selected After Group Extraction


Configuration Details for This Use-case

  1. TM and Auth vserver configuration:
    add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.nsi-test.com -Authentication ON -authnVsName avn
    add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain nsi-test.com

  2. SAML policy bound to Auth vserver and next factor configuration:
    bind authentication vserver avn -policy samlnf -priority 10 -nextFactor group_extraction -gotoPriorityExpression NEXT

  3. 2nd factor for group extraction:
    add authentication loginSchema login_passthrough -authenticationSchema noschema -userExpression http.req.user.name
    add authentication policylabel group_extraction -loginSchema login_passthrough
    bind authentication policylabel group_extraction -policyName <LDAP with auth disabled and group extraction enabled> -priority 10 -gotoPriorityExpression NEXT -nextFactor policy_decide_factor

  4. Policy deciding factor:
    add authentication Policy no_ldap -rule "http.req.user.is_member_of(\"Grp1\")" -action NO_AUTHN
    add authentication Policy no_cert -rule "http.req.user.is_member_of(\"Domain Admins\")" -action NO_AUTHN

    add authentication loginSchema passthrough -authenticationSchema noschema
    add authentication policylabel policy_decide_factor -loginSchema passthrough
    bind authentication policylabel policy_decide_factor -policyName no_ldap -priority 10 -gotoPriorityExpression NEXT -nextFactor ldapfactor
    bind authentication policylabel policy_decide_factor -policyName no_cert -priority 20 -gotoPriorityExpression NEXT -nextFactor certfactor

  5. LDAP factor configuration:
    add authentication loginSchema login_ldap -authenticationSchema login2.xml
    add authentication policylabel ldapfactor -loginSchema login_ldap
    bind authentication policylabel ldapfactor -policyName <LDAP Auth policy> -priority 10 -gotoPriorityExpression END

  6. Cert factor configuration:
    add authentication loginSchema login_cert -authenticationSchema noschema
    add authentication policylabel certfactor -loginSchema login_cert
    bind authentication policylabel certfactor -policyName <Certificate Auth Policy> -priority 10 -gotoPriorityExpression END

The preceding configuration adds a TM vserver for resource access, an authentication vserver that secures the TM vserver, and the policies relevant to this use-case. The angle-bracketed placeholders (<LDAP with auth disabled and group extraction enabled>, <LDAP Auth policy>, <Certificate Auth Policy>) are to be replaced by the administrator with the appropriate authentication policy/action. The no_ldap and no_cert rules in step 4 are the proposed rules that pick the authentication policy for next-factor selection. They are evaluated in priority order, so a user who is a member of both Grp1 and Domain Admins is sent to the LDAP factor (priority 10) and never reaches the certificate branch; a user who matches neither rule has no next factor at policy_decide_factor and the login fails there.
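As an added example (not from the article and not a Citrix tool), the following Python script lints an nFactor CLI configuration of the kind shown in steps 2 to 6 before it is loaded: it parses the add/bind commands, builds the factor graph, lists the factor sequences a login can follow, and reports dangling -nextFactor references, missing login schemas and policy labels that can never be reached from the authentication vserver. The bracketed placeholders from the article are replaced with assumed policy names (ldap_groups_pol, ldap_auth_pol, cert_pol); those names are assumptions of this example.

```python
"""Lint an nFactor CLI configuration: build the factor graph and find dangling references."""
import shlex
from collections import defaultdict

# Constructed sample: steps 2 to 6 of the article's configuration. The angle-bracketed
# placeholders on the page are replaced with assumed policy names (ldap_groups_pol,
# ldap_auth_pol, cert_pol); those names are not from the article.
NS_CONFIG = """
bind authentication vserver avn -policy samlnf -priority 10 -nextFactor group_extraction -gotoPriorityExpression NEXT
add authentication loginSchema login_passthrough -authenticationSchema noschema -userExpression http.req.user.name
add authentication policylabel group_extraction -loginSchema login_passthrough
bind authentication policylabel group_extraction -policyName ldap_groups_pol -priority 10 -gotoPriorityExpression NEXT -nextFactor policy_decide_factor
add authentication Policy no_ldap -rule "http.req.user.is_member_of(\\"Grp1\\")" -action NO_AUTHN
add authentication Policy no_cert -rule "http.req.user.is_member_of(\\"Domain Admins\\")" -action NO_AUTHN
add authentication loginSchema passthrough -authenticationSchema noschema
add authentication policylabel policy_decide_factor -loginSchema passthrough
bind authentication policylabel policy_decide_factor -policyName no_ldap -priority 10 -gotoPriorityExpression NEXT -nextFactor ldapfactor
bind authentication policylabel policy_decide_factor -policyName no_cert -priority 20 -gotoPriorityExpression NEXT -nextFactor certfactor
add authentication loginSchema login_ldap -authenticationSchema login2.xml
add authentication policylabel ldapfactor -loginSchema login_ldap
bind authentication policylabel ldapfactor -policyName ldap_auth_pol -priority 10 -gotoPriorityExpression END
add authentication loginSchema login_cert -authenticationSchema noschema
add authentication policylabel certfactor -loginSchema login_cert
bind authentication policylabel certfactor -policyName cert_pol -priority 10 -gotoPriorityExpression END
"""


def parse_opts(tokens):
    """Turn ['-priority', '10', '-nextFactor', 'x'] into {'priority': '10', 'nextfactor': 'x'}."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True  # flag without a value
        i += 1
    return opts


def build_factor_graph(config_text):
    """Return (labels, schemas, edges): label -> loginSchema, the defined schema names, and
    factor -> [(policy, priority, nextFactor, gotoPriorityExpression)] sorted by priority."""
    labels, schemas, edges = {}, set(), defaultdict(list)
    for line in config_text.strip().splitlines():
        tok = shlex.split(line)  # handles the escaped quotes inside -rule "..."
        if len(tok) < 4 or tok[1].lower() != "authentication":
            continue
        verb, kind, name, opts = tok[0].lower(), tok[2].lower(), tok[3], parse_opts(tok[4:])
        if verb == "add" and kind == "loginschema":
            schemas.add(name)
        elif verb == "add" and kind == "policylabel":
            labels[name] = opts.get("loginschema")
        elif verb == "bind" and kind in ("vserver", "policylabel"):
            policy = opts.get("policyname") or opts.get("policy")
            edges[name].append((policy, int(opts.get("priority", 0)), opts.get("nextfactor"),
                                str(opts.get("gotopriorityexpression", "NEXT")).upper()))
    for bindings in edges.values():
        bindings.sort(key=lambda e: e[1])
    return labels, schemas, dict(edges)


def lint(config_text, vserver="avn"):
    """Problems that would break the flow at login time; an empty list means the graph is consistent."""
    labels, schemas, edges = build_factor_graph(config_text)
    problems = []
    for label, schema in labels.items():
        if schema is None:
            problems.append(f"policylabel {label} has no -loginSchema")
        elif schema not in schemas:
            problems.append(f"policylabel {label} references undefined loginSchema {schema}")
    for src, bindings in edges.items():
        if src != vserver and src not in labels:
            problems.append(f"binding to undefined policylabel {src}")
        for policy, prio, nxt, _ in bindings:
            if nxt is not None and nxt not in labels:
                problems.append(f"{src}: policy {policy} (priority {prio}) points at undefined nextFactor {nxt}")
    # Every label must be reachable from the authentication vserver, otherwise it is dead configuration.
    seen, stack = set(), [vserver]
    while stack:
        for _, _, nxt, _ in edges.get(stack.pop(), []):
            if nxt and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    problems += [f"policylabel {label} is never reached from {vserver}" for label in labels if label not in seen]
    return problems


def factor_paths(config_text, vserver="avn"):
    """Enumerate the factor sequences a login can follow, highest-priority branch first."""
    _, _, edges = build_factor_graph(config_text)
    paths = []

    def walk(node, path):
        nexts = [e[2] for e in edges.get(node, []) if e[2]]
        if not nexts:  # terminal factor (gotoPriorityExpression END, no nextFactor)
            paths.append(" > ".join(path))
        for nxt in nexts:
            if nxt not in path:  # guard against a loop in the graph
                walk(nxt, path + [nxt])

    walk(vserver, [vserver])
    return paths


if __name__ == "__main__":
    for p in factor_paths(NS_CONFIG):
        print(p)
    print(lint(NS_CONFIG) or "no problems found")
```

The two paths it prints for the article's configuration are avn > group_extraction > policy_decide_factor > ldapfactor and avn > group_extraction > policy_decide_factor > certfactor. A typo in a -nextFactor name (for example cert_factor instead of certfactor) shows up as both an undefined next factor and an unreachable policy label, which is the same failure an interactive login would hit only at the decision factor.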

The same nFactor configuration can also be built with the nFactor Visualizer, a feature available starting with ADC firmware 13.0. Steps 2 to 6 of the preceding CLI configuration map onto the Visualizer as follows.

Complete flow:

  1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click the + sign to add the nFactor Flow.

    https://support.citrix.com/files/public/support/article/CTX231361/images/0EM0z0000005hcN.jpeg
  3. Add Factor; this will be the name of the nFactor Flow. Click Create.
  4. No schema is needed for SAML authentication. Click Add Policy to create the SAML policy for the first factor. For more information on SAML as SP, see ADC as a SAML SP.
  5. Click the green + icon to create the second factor for pass-through and group extraction.
  6. Click Add Schema. No schema is added here; the expression aaa.user.login_name is used to capture the username from the previous login attempt.
  7. Click Add Policy to add the pass-through authentication, i.e. group extraction. Click Add and create the group-extraction policy. If the LDAP server is already added, select it from the drop-down list; if not, click Add and create an LDAP server with Authentication disabled. Click Create and then click Add.
  8. Click the green + sign to the right of the Group-Ext policy to create a decision block for group evaluation. Click Create.
  9. Click Add Policy to add the policy that checks which group the user belongs to; the action here is NO_AUTHN by default. Click Create and then click Add.
  10. Click the blue + icon below the Group-1 policy to add another policy that checks whether the user is part of the group that requires certificate-based authentication as the next factor. Click Create and then click Add.
  11. Click the green + icon adjacent to the Group-1 policy to add the LDAP authentication factor. Click Create.
  12. Click Add Schema to add the schema for LDAP authentication. This schema has the username prefilled from the first-factor authentication. Click Create and then click Add.
  13. Click Add Policy to add the LDAP authentication policy. If it is already added, select it from the drop-down list; if not, click Add and create the LDAP authentication policy. This LDAP action or server has authentication enabled. Click Create and then click Add.
  14. Click the green + icon adjacent to the Group-2 policy of the decision block to add the certificate-based authentication factor. Click Create.
  15. Click Add Policy to add the certificate authentication policy. Click Create, then click Create and then click Add. Click Done.
  16. Select the nFactor Flow and click Bind to Authentication Server.

Important ns.log Messages Seen During This Case

Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 365 0 :  "SAML: Parsed attribute: attribute1, value: 1.citrix"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 366 0 :  "SAML: Parsed attribute: username, value: user1"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 367 0 :  "SAML: Parsed attribute: logouturl, value: https://idp.wi.int/idp/profile/SAML2/POST/SLO"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 368 0 :  "SAML: Assertion is signed, trying to verify"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 369 0 :  "SAML verify digest: digest algorithm SHA1, input for digest: <saml2:Assertion …….saml2:Conditions NotBefore="2015-07-30T20:11:15.932Z" NotOn
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 370 0 :  "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo ……ds:SignedInfo>"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 371 0 :  "SAML nFactor, successfully verified saml token; next factor is group_extraction for user user1"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAA Message 372 0 :  "nFactor: Next factor group_extraction is configured as passthough/implicit, loginschema login_passthrough"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 373 0 :  "LOGINSCHEMA: username extracted is user1"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 374 0 :  "aaad_authenticate_req: copying policylabel name group_extraction to aaa info, type 65 for auth "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-1 : default AAATM Message 996 0 :  "mp creating session on 1, pck 0, state 8"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 375 0 :  "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 376 0 :  "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 377 0 :  "copying next factor policy_decide_factor in aaa info for user1 "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAA Message 378 0 :  "nFactor: Next factor policy_decide_factor is configured as passthough/implicit, loginschema passthrough"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 379 0 :  "aaad_authenticate_req: copying policylabel name policy_decide_factor to aaa info, type 65 for auth "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 380 0 :  "copying next factor ldapfactor in aaa info for user1 "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 381 0 :  "LOGINSCHEMA: attribute extracted is 5 user1 "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 382 0 :  "LOGINSCHEMA: Extracted attribute's length either 0 or greater than 1024, 0,  "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-1 : default SSLVPN Message 997 0 :  "updating session with policylabel:ldapfactor "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 383 0 :  "updating session with policylabel:ldapfactor "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default SSLVPN Message 384 0 :  "updating session with policylabel:ldapfactor "
Jul 30 20:11:26 <local0.debug> 127.0.0.2 07/30/2015:20:11:26 GMT  0-PPE-1 : default SSLVPN Message 1007 0 :  "LOGINSCHEMA: attribute extracted is 5 user1 "
Jul 30 20:11:26 <local0.debug> 127.0.0.2 07/30/2015:20:11:26 GMT  0-PPE-1 : default SSLVPN Message 1008 0 :  "LOGINSCHEMA: Extracted attribute's length either 0 or greater than 1024, 0,  "
Jul 30 20:11:42 <local0.info> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default SSLVPN Message 392 0 :  "LOGIN: CGI/LOGIN: Continuing auth for user user1 at factor ldapfactor with login schema login_ldap"
Jul 30 20:11:42 <local0.debug> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default SSLVPN Message 393 0 :  "aaad_authenticate_req: copying policylabel name ldapfactor to aaa info, type 65 for auth "
Jul 30 20:11:42 <local0.debug> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default SSLVPN Message 394 0 :  "sslvpn_extract_attributes_from_resp: attributes copied so far are 0_Ankita123@Ä Ö@citrix.com_Ankita123@citrix.com_Ankita123@citrix.com_Ankita123@citrix.com_Ankita123@citrix.com=_ankita123@citr "
Jul 30 20:11:42 <local0.info> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default AAA EXTRACTED_GROUPS 399 0 :  Extracted_groups "grp1,grp2,grp3,Group2,group1"
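The following Python script is an added example (not from the article) that reconstructs the per-login factor chain from ns.log lines such as those above and raises the review points a practitioner would want from them: that the chain really went SAML, then the pass-through group-extraction factor, then the decision factor, then a terminal factor; that groups were extracted; and which algorithm signed the assertion. The embedded sample is a subset of the log lines shown above. Note that this capture shows the assertion digest and signature using SHA1 (RSA-SHA1); the script flags that so it can be raised with the IdP administrator, since SHA1 signatures on assertions should be replaced with RSA-SHA256.

```python
"""Rebuild the nFactor chain for a login from ns.log and flag review points."""
import re

# Constructed sample: a subset of the ns.log lines shown in the article.
NS_LOG = """\
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 366 0 :  "SAML: Parsed attribute: username, value: user1"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 368 0 :  "SAML: Assertion is signed, trying to verify"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 370 0 :  "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo ……ds:SignedInfo>"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 371 0 :  "SAML nFactor, successfully verified saml token; next factor is group_extraction for user user1"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAA Message 372 0 :  "nFactor: Next factor group_extraction is configured as passthough/implicit, loginschema login_passthrough"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 377 0 :  "copying next factor policy_decide_factor in aaa info for user1 "
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAA Message 378 0 :  "nFactor: Next factor policy_decide_factor is configured as passthough/implicit, loginschema passthrough"
Jul 30 20:11:20 <local0.debug> 127.0.0.2 07/30/2015:20:11:20 GMT  0-PPE-2 : default AAATM Message 380 0 :  "copying next factor ldapfactor in aaa info for user1 "
Jul 30 20:11:42 <local0.info> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default SSLVPN Message 392 0 :  "LOGIN: CGI/LOGIN: Continuing auth for user user1 at factor ldapfactor with login schema login_ldap"
Jul 30 20:11:42 <local0.info> 127.0.0.2 07/30/2015:20:11:42 GMT  0-PPE-2 : default AAA EXTRACTED_GROUPS 399 0 :  Extracted_groups "grp1,grp2,grp3,Group2,group1"
"""

# One regex per message type that marks a transition in the nFactor state machine.
PATTERNS = {
    "saml_ok": re.compile(r'successfully verified saml token; next factor is (?P<factor>\S+) for user (?P<user>\S+)"'),
    "passthrough": re.compile(r'Next factor (?P<factor>\S+) is configured as passthough/implicit, loginschema (?P<schema>\S+)"'),
    "next": re.compile(r'copying next factor (?P<factor>\S+) in aaa info for (?P<user>\S+) '),
    "continue": re.compile(r'Continuing auth for user (?P<user>\S+) at factor (?P<factor>\S+) with login schema (?P<schema>\S+)"'),
    "groups": re.compile(r'Extracted_groups "(?P<groups>[^"]*)"'),
    "sigalg": re.compile(r'SAML signature validation: algorithm is (?P<alg>\S+) '),
}


def trace_nfactor(log_text):
    """Return the user, the ordered list of factors, which of them were pass-through,
    the extracted groups and the SAML signature algorithm seen in the log."""
    trace = {"user": None, "factors": [], "passthrough": [], "groups": [], "sig_alg": None}

    def push(factor):
        if not trace["factors"] or trace["factors"][-1] != factor:
            trace["factors"].append(factor)

    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "saml_ok":
                trace["user"] = m["user"]
                push("saml")
                push(m["factor"])
            elif kind == "passthrough":
                trace["passthrough"].append(m["factor"])
            elif kind in ("next", "continue"):
                push(m["factor"])
            elif kind == "groups":
                trace["groups"] = [g.strip() for g in m["groups"].split(",") if g.strip()]
            elif kind == "sigalg":
                trace["sig_alg"] = m["alg"]
    return trace


def review(trace, expected_prefix=("saml", "group_extraction", "policy_decide_factor"),
           terminal=("ldapfactor", "certfactor"), weak_sig=("RSA-SHA1", "DSA-SHA1")):
    """Review points for one login; an empty list means nothing to raise."""
    chain = trace["factors"]
    if not chain:
        return ["no nFactor activity found in the log"]
    findings = []
    if tuple(chain[:len(expected_prefix)]) != tuple(expected_prefix):
        findings.append(f"factor chain {chain} does not follow {list(expected_prefix)}")
    if chain[-1] not in terminal:
        findings.append(f"login did not reach a terminal factor (last factor: {chain[-1]})")
    if not trace["groups"]:
        findings.append("no groups extracted; a NO_AUTHN rule based on group membership cannot match")
    if trace["sig_alg"] in weak_sig:
        findings.append(f"SAML assertion signed with {trace['sig_alg']}; have the IdP sign with RSA-SHA256")
    return findings


if __name__ == "__main__":
    t = trace_nfactor(NS_LOG)
    print(t)
    print(review(t) or "nothing to raise")
```

For the sample above the reconstructed chain is saml > group_extraction > policy_decide_factor > ldapfactor, with the two middle factors recorded as pass-through, and the only finding is the RSA-SHA1 signature.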

 

Issue/Introduction

This article describes how to configure SAML as the first factor, followed by group extraction, with the next factor being either LDAP or certificate authentication depending on the groups extracted.