How to: Use NSC_NAME Cookie to Prefill Username for Second Factor

Article ID: CTX231941

Description

When a Gateway or AAA vServer is deployed with two-factor authentication and SAML (NetScaler as Service Provider) is the first factor, the NetScaler uses a cookie, NSC_NAME, to prefill the Username field of the second factor.


Instructions

When you set up the SAML Profile on the NetScaler, the SAML User Field is used to extract a value from the Assertion, and that value is populated as the NSC_NAME cookie.

You also need to set the SAML Profile to Two Factor.


On the Gateway or AAA vServer, bind this SAML Policy as the first factor, and bind your second factor.


With this set up, when we navigate to the Service Provider and authenticate to the IdP, the client delivers the Assertion to https://<vServer_on_NS>/cgi/samlauth, and the NetScaler checks the value set in the User Field to populate the NSC_NAME cookie.



If the NetScaler extracts the wrong value for the NSC_NAME cookie, set the User Field to the value that appears in the Name field of the attribute.
This applies when the Assertions identify attributes in a format such as URN instead of plaintext.
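The following troubleshooting sketch is an added example, not Citrix code. It lists the attribute Name values in an assertion so you can copy the exact string into the SAML User Field. The sample assertion, its host names and the exact-match-on-Name lookup are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured from a real IdP); signature omitted because
# this script only reads attribute names and does not validate the assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def list_attributes(assertion_xml):
    """Return {Name: (FriendlyName, [values])} for each attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = (attr.get("FriendlyName"), values)
    return found


def value_for_user_field(assertion_xml, user_field):
    """Assumed lookup model: user_field must equal the attribute's Name exactly.

    Returns the first value of the matching attribute, or None when no
    attribute carries that Name (the case where the wrong username, or
    none, would be prefilled).
    """
    entry = list_attributes(assertion_xml).get(user_field)
    return entry[1][0] if entry and entry[1] else None


if __name__ == "__main__":
    for name, (friendly, values) in list_attributes(SAMPLE_ASSERTION).items():
        print(f"Name={name!r} FriendlyName={friendly!r} values={values}")
    # The friendly name is not the Name field, so it does not match here.
    print(value_for_user_field(SAMPLE_ASSERTION, "uid"))
    print(value_for_user_field(SAMPLE_ASSERTION, "urn:oid:0.9.2342.19200300.100.1.1"))
```

Run it against a decoded assertion from your own IdP (for example, one copied from a browser SAML trace) in place of the constructed sample.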

Issue/Introduction

When using the NetScaler AAA or Gateway vServer with two-factor authentication and SAML as the first factor, you can configure the Service Provider profile to extract an attribute from the Assertion and prefill it into the Username field for the second factor (e.g. LDAP, RADIUS, etc.).

Additional Information

https://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html