How to support multiple domain SSO to StoreFront from NetScaler with user "distinguishedName" attribute
When the UPN suffix of a user does not match the user's domain suffix, SSO to StoreFront may fail if NetScaler is configured to SSO with the UPN.
In this situation, the domain can instead be extracted from the user's "distinguishedName" LDAP attribute, and SSO performed with the username together with that domain.
1. Change the LDAP action so that it extracts the distinguishedName attribute for users
set authentication ldapAction <ldap_action> -Attributes distinguishedName
2. Create a separate session action for each domain, each with its own SSO domain (-ntDomain).
For web login:
add vpn sessionAction AC_WB_xxx_domain1 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "<storefront_url>" -ClientChoices OFF -clientlessVpnMode OFF -sfGatewayAuthType domain -ntDomain <domain1.example.com>
add vpn sessionAction AC_WB_xxx_domain2 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "<storefront_url>" -ClientChoices OFF -clientlessVpnMode OFF -sfGatewayAuthType domain -ntDomain <domain2.example.com>
For Workspace client login:
add vpn sessionAction AC_OS_xxx_domain1 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "<storefront_url>" -ClientChoices OFF -ntDomain <domain1.example.com> -clientlessVpnMode OFF -storefronturl "<storefront_url>" -sfGatewayAuthType domain
add vpn sessionAction AC_OS_xxx_domain2 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "<storefront_url>" -ClientChoices OFF -ntDomain <domain2.example.com> -clientlessVpnMode OFF -storefronturl "<storefront_url>" -sfGatewayAuthType domain
3. Create a separate session policy for each domain that matches the user's "distinguishedName" attribute and selects the corresponding session action.
For web login:
add vpn sessionPolicy PL_WB_xxx_domain1 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&AAA.USER.ATTRIBUTE(\"distinguishedName\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"DC=domain1,DC=example,DC=com\")" AC_WB_xxx_domain1
add vpn sessionPolicy PL_WB_xxx_domain2 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT&&AAA.USER.ATTRIBUTE(\"distinguishedName\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"DC=domain2,DC=example,DC=com\")" AC_WB_xxx_domain2
For Workspace client login:
add vpn sessionPolicy PL_OS_xxx_domain1 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&AAA.USER.ATTRIBUTE(\"distinguishedName\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"DC=domain1,DC=example,DC=com\")" AC_OS_xxx_domain1
add vpn sessionPolicy PL_OS_xxx_domain2 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&AAA.USER.ATTRIBUTE(\"distinguishedName\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"DC=domain2,DC=example,DC=com\")" AC_OS_xxx_domain2
4. Bind the session policies to the Gateway virtual server
bind vpn vserver <vserver_name> -policy PL_WB_xxx_domain1 -priority 70 -gotoPriorityExpression END -type REQUEST
bind vpn vserver <vserver_name> -policy PL_WB_xxx_domain2 -priority 72 -gotoPriorityExpression END -type REQUEST
bind vpn vserver <vserver_name> -policy PL_OS_xxx_domain1 -priority 80 -gotoPriorityExpression END -type REQUEST
bind vpn vserver <vserver_name> -policy PL_OS_xxx_domain2 -priority 82 -gotoPriorityExpression END -type REQUEST
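The four session policies above are evaluated by priority (70, 72, 80, 82) and the first hit wins because of -gotoPriorityExpression END. The following Python script is an added example (not part of the original article and not Citrix code) that emulates that evaluation offline: it applies the same CONTAINS / SET_TEXT_MODE(IGNORECASE) test to constructed distinguishedName values, and beside it shows a stricter match that requires the DN's full DC chain to equal a configured domain. The policy names, action names and the domain1/domain2 placeholders are taken from the article; the sample users, User-Agent strings and the child-domain DN are constructed for the example.

```python
import re

# Session policies from the article, in bind order. NetScaler evaluates the
# lowest priority number first, and the article's END goto stops at the first hit.
# (priority, policy name, requires Workspace client User-Agent, DC suffix, session action)
POLICIES = [
    (70, "PL_WB_xxx_domain1", False, "DC=domain1,DC=example,DC=com", "AC_WB_xxx_domain1"),
    (72, "PL_WB_xxx_domain2", False, "DC=domain2,DC=example,DC=com", "AC_WB_xxx_domain2"),
    (80, "PL_OS_xxx_domain1", True,  "DC=domain1,DC=example,DC=com", "AC_OS_xxx_domain1"),
    (82, "PL_OS_xxx_domain2", True,  "DC=domain2,DC=example,DC=com", "AC_OS_xxx_domain2"),
]


def is_workspace_client(user_agent):
    """HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") is a case-sensitive substring test."""
    return "CitrixReceiver" in user_agent


def page_policy_action(user_agent, distinguished_name):
    """Emulate the article's rules: case-insensitive CONTAINS on the DN, first matching policy wins.

    Returns the session action name, or None when no policy matches (the user then
    gets no session action and therefore no SSO domain).
    """
    client = is_workspace_client(user_agent)
    dn = distinguished_name.lower()
    for _prio, _name, wants_client, suffix, action in sorted(POLICIES):
        if wants_client == client and suffix.lower() in dn:
            return action
    return None


def dn_domain(distinguished_name):
    """Return the DNS-style domain built from the DN's DC RDNs (most-specific first, as in LDAP).

    Commas escaped with a backslash inside an RDN value (e.g. CN=Doe\\, John) are not separators.
    """
    rdns = re.split(r"(?<!\\),", distinguished_name)
    labels = [r.strip()[3:] for r in rdns if r.strip().lower().startswith("dc=")]
    return ".".join(labels).lower() if labels else None


def exact_policy_action(user_agent, distinguished_name):
    """Stricter variant (not what the article configures): the DN's whole DC chain must
    equal the policy's domain, so a child domain does not silently inherit the parent's action."""
    client = is_workspace_client(user_agent)
    domain = dn_domain(distinguished_name)
    for _prio, _name, wants_client, suffix, action in sorted(POLICIES):
        suffix_domain = ".".join(p[3:] for p in suffix.split(",")).lower()
        if wants_client == client and domain == suffix_domain:
            return action
    return None


if __name__ == "__main__":
    # Constructed sample users; domains are the article's placeholders.
    samples = [
        ("Mozilla/5.0 (Windows NT 10.0)", "CN=alice,OU=Users,DC=domain1,DC=example,DC=com"),
        ("CitrixReceiver/24.0",           "CN=bob,OU=Users,DC=DOMAIN2,DC=Example,DC=com"),
        ("Mozilla/5.0 (Windows NT 10.0)", "CN=carol,OU=Users,DC=child,DC=domain1,DC=example,DC=com"),
        ("Mozilla/5.0 (Windows NT 10.0)", "CN=dave,OU=Users,DC=domain10,DC=example,DC=com"),
    ]
    for ua, dn in samples:
        print(f"{dn_domain(dn):28} page={page_policy_action(ua, dn)!s:18} exact={exact_policy_action(ua, dn)}")
```

The third sample shows the point of the stricter variant: a user in a child domain such as child.domain1.example.com has a DN that still contains "DC=domain1,DC=example,DC=com", so the article's CONTAINS rule selects AC_WB_xxx_domain1 and SSO is attempted with -ntDomain domain1.example.com rather than the user's own domain. If child domains exist, either add a dedicated session action and policy for each of them (bound at a lower priority number than the parent's policy) or tighten the expression so the DC chain must match exactly; the fourth sample shows that a similarly named sibling domain (domain10) does not match either rule, because the comma after the label is part of the searched string.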