Configure SAML followed by LDAP or certificate authentication based on SAML attribute extraction in nFactor authentication

The following section describes the use case of LDAP or certificate authentication based on SAML attribute extraction in nFactor authentication.

SAML authentication in first factor with attribute extraction from SAML assertion

Assume a use case where, admins configure SAML authentication in a first factor with attribute extraction from SAML assertion. Based on the attributes extracted during the first factor, you can configure next factors, which can either have LDAP authentication or certificate authentication.

  1. Once you access the traffic management virtual server, you are redirected to the external SAML IdP for login (in this case, Shibboleth, as shown in the figure). Enter your login credentials. If logon is successful, SAML IdP sends the SAML response containing the attributes.

    SAML Shibboleth authentication

  2. When the SAML response is received at Citrix ADC appliance, it parses and extracts the attributes as configured in the SAML Action. The SAML assertion is verified, and you move to the second factor.

  3. The second factor is configured as passthrough (there is no logon page for this factor) with 2 NO_AUTHN policies. Based on the policy evaluation, you have configured a jump to either LDAP authentication factor or certificate authentication factor.


    NO_AUTHN policy means that in case the rule configured for this policy evaluates to true, then the Citrix ADC appliance does not perform any authentication. It points to the next factor that is configured.

  4. For example, say the SAML Action is configured to extract the UPN as attribute1, and the value of UPN is Now, one of the NO_AUTHN policy rules is configured to verify for the presence of string “”. If the policy evaluates to true, you can configure jump to the next factor having LDAP authentication. Similarly, policy can be configured for having next factor as certificate.

  5. When the LDAP factor is selected after SAML authentication, the logon page is displayed.

    LDAP authentication logon


    The user name value is pre-filled using the expression ${}, which extracts the user name from the first factor. Other fields such as, labels for user name and password can also be customized.

  6. The following image shows an example used for this representation of logon form.

    Logon form


    Based on the requirement, admins can modify the values of logon form.

  7. If the certificate factor is selected after SAML, the select certificate page is displayed.

    Select certificate


The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

nFactor visualizer SAML and LDAP

Perform the following by using the CLI

  1. Configure traffic management virtual server and authentication server.

    • add lb vserver lb_ssl SSL 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost -Authentication ON -authnVsName avn
    • add authentication vserver avn SSL 443 -AuthenticationDomain
  2. Configure a SAML policy with attribute extraction bound to authentication virtual server.

    • add authentication samlAction shibboleth -samlIdPCertName shib-idp-242 -samlSigningCertName nssp-cert -samlRedirectUrl "" -samlUserField samaccountname -samlRejectUnsignedAssertion OFF -samlIssuerName -Attribute1 UserPrincipalName –Attribute2 department
    • add authentication Policy saml -rule true -action shibboleth
    • bind authentication vserver avn -policy saml -priority 1 -nextFactor label1 -gotoPriorityExpression NEXT
  3. Configure a second factor.

    • add authentication loginSchema login2 -authenticationSchema noschema
    • add authentication Policy no_ldap -rule "http.req.user.attribute(1).contains(\"\")" -action NO_AUTHN
    • add authentication Policy no_cert -rule "http.req.user.attribute(2).contains(\"Sales\")" -action NO_AUTHN
    • add authentication policylabel label1 -loginSchema login2
    • bind authentication policylabel label1 -policyName no_ldap -priority 1 -gotoPriorityExpression NEXT -nextFactor ldapfactor
    • bind authentication policylabel label1 -policyName no_cert -priority 2 -gotoPriorityExpression NEXT -nextFactor certfactor
  4. Configure an LDAP authentication factor.

    • add authentication loginSchema login3 -authenticationSchema login1.xml
    • add authentication policylabel ldapfactor -loginSchema login3
    • bind authentication policylabel ldapfactor -policyName <LDAP Auth Policy> -priority 10 -gotoPriorityExpression END
  5. Configure a certificate factor authentication.

    • add authentication loginSchema login4 -authenticationSchema noschema
    • add authentication policylabel certfactor -loginSchema login4
    • bind authentication policylabel certfactor -policyName <Certificate Auth Policy> -priority 10 -gotoPriorityExpression END
  6. Bind the root certificate to the virtual server and enable Client Authentication.

    • bind ssl vserver avn -certkeyName <root cert name>-CA -ocspCheck Optional
    • set ssl vserver avn -clientAuth ENABLED -clientCert Optional

Configuring by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flows and click Add.

  2. Click + to add the nFactor flow.

  3. Add a factor. The name that you enter is the name of the nFactor flow.

  4. No Schema is needed for SAML authentication. Click Add Policy to create SAML policy for the first factor.

    Add a schema

    Note: For more information on SAML as SP, see Citrix ADC as a SAML SP.

  5. Add the SAML policy.

    Add SAML policy

  6. Click green + to add the next factor.

    Add next factor

  7. Create a decision box to check for the SAML attributes.

    Check decision box

  8. Click Add Policy to create a policy.

    Add policy

  9. Create a policy to check for the attribute “” with action NO_AUTHN.

    Policy no auth

  10. Select the previously created policy and click Add.

    Add policy

  11. Click green + sign to add a second policy.

  12. Follow steps 9 and 10. Bind the policy to check for attribute sales.

    Bind attribute sales

  13. To add the second factor for the attribute “,” Click the green + sign next to no_ldap policy.

    Add second factor

  14. Create a next factor for LDAP authentication.

    LDAP factor

  15. Click Add Schema for the second factor.

    Second schema

  16. Create an authentication login schema with schema “PrefilUserFormExpr.xml” for the second factor that has prefilled user name.

    Create authentication schema

  17. Click Add Policy to add the LDAP policy.

    Add LDAP policy


    For more information on creating LDAP authentication, see To configure LDAP authentication by using the configuration utility.

  18. Follow step 13. To add second factor for attribute sales, click green + sign next to no_cert.

    Add no cert policy

  19. Create a next factor for certificate authentication.

    Add cert auth

  20. Follow steps 15, 16, and 17. Add a schema for the certificate authentication and Add Cert Authentication Policy.


    For more information on certificate authentication, see Configuring and Binding a Client Certificate Authentication Policy.

  21. Click Done to save the configuration.

  22. To bind the created nFactor flow to an authentication, authorization, and auditing virtual server, click Bind to Authentication Server and click Create.

    Bind auth server


    Bind and unbind the nFactor flow through the option given in nFactor Flow under Show Bindings only.

Unbind the nFactor Flow

  1. Select the nFactor flow and click Show Bindings.

  2. Select the authentication virtual server and click Unbind.

Configure SAML followed by LDAP or certificate authentication based on SAML attribute extraction in nFactor authentication