Configure email ID (or user name) input based group extraction at first factor to decide the next factor authentication flow

Consider an organization which has the following three departments (groups), Employee, Partner, and Vendor. The Citrix ADC appliance can be configured to extract user’s group based on the email ID or the AD user name provided by the user in the first factor logon form. Based on the group a user belongs to, Citrix ADC presents an authentication method (LDAP, SAML, OAuth, and so on) as shown is the following table as an example.

Group Name Factor
Employee Single Auth (Username/Password)
Partner OAuth (redirects to different IdP)
Vendor SAML (redirects to different IdP)

The following diagram shows a high level interaction between a user and the Citrix ADC appliance for the previously mentioned use case.


  1. User logs in to Citrix Workspace and gets redirected to an authentication virtual server.
  2. Citrix ADC presents a logon form to enter email ID (or user name).


  3. User enters the Email ID (or user name).
  4. Citrix ADC presents a logon form based on the group extracted using the provided email ID (or user name).

Configure email ID (or user name) input based group extraction at first factor to decide the next factor authentication using CLI


A load balancing virtual server is configured with authentication enabled.

Configure authentication virtual server for email based group extraction


You can modify OnlyUsername.xml schema to create a customized login schema (emailOnlyLSchema) in this case.

Create login schema policy using email login schema created in the previous step and bind to the authentication virtual server

add authentication loginSchema lschema_only_email -authenticationSchema "/nsconfig/loginschema/only_email.xml"

add authentication loginSchemaPolicy lschema_only_email_pol -rule true -action lschema_only_email

bind authentication vserver abs_sp_auth_vs -policy lschema_only_email_pol -priority 100 -gotoPriorityExpression END

Create an LDAP authentication policy for group extraction


ldapLoginName is “mail” for email ID based login, whereas -ldapLoginName is “samAccountName” for username based login.

add authentication ldapAction aaa_local_grp_extraction -serverIP -ldapBase "OU=ABSOU,dc=aaa,dc=local" -ldapBindDn administrator@aaa.local -ldapBindDnPassword xxxx -ldapLoginName mail -groupAttrName memberOf -subAttributeName CN -secType TLS -authentication DISABLED

add authentication Policy aaa_local_grp_extraction_pol -rule true -action aaa_local_grp_extraction

Extracted group based policy configuration

Create next factor for Employee, Partner, Vendor Groups using policy labels

add authentication loginSchema lschema_noschema -authenticationSchema noschema
add authentication policylabel plabel_noauth_Employee_Partner_Vendor -loginSchema lschema_noschema

add authentication Policy noauth_Employee_pol -rule "AAA.USER.IS_MEMBER_OF(\"Employee\")" -action NO_AUTHN
add authentication Policy noauth_Partner_pol -rule "AAA.USER.IS_MEMBER_OF(\"Partner\")" -action NO_AUTHN
add authentication Policy noauth_Vendor_pol -rule "AAA.USER.IS_MEMBER_OF(\"Vendor\")" -action NO_AUTHN

Create a single Auth policy factor (LDAP is used as an example for this configuration)

add authentication loginSchema lschema_singleauth_Employee -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"

add authentication policylabel plabel_singleauth_Employee -loginSchema lschema_singleauth_Employee

add authentication ldapAction aaa_local_pwd_act -serverIP -ldapBase "OU=ABSOU,dc=aaa,dc=local" -ldapBindDn administrator@aaa.local -ldapBindDnPassword xxxx -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType TLS -ssoNameAttribute userPrincipalName -passwdChange ENABLED -nestedGroupExtraction ON -maxNestingLevel 7 -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN -defaultAuthenticationGroup ldapDefaultAuthGroup -Attribute1 userPrincipalName -Attribute2 mail

add authentication Policy aaa_local_pwd_pol -rule true -action aaa_local_pwd_act

bind authentication policylabel plabel_singleauth_Employee -policyName aaa_local_pwd_pol -priority 100 -gotoPriorityExpression NEXT

Create OAuth Policy for redirecting to OAuth IdP

add authentication policylabel plabel_oauth_Partner

add authentication OAuthAction oauth_sp_act -authorizationEndpoint <authorization-endpoint> -tokenEndpoint <token-endpoint> -clientID <client-id> -clientSecret <client-secret> -CertEndpoint <cert-endpoint> -userNameField <user-name>

add authentication Policy oauth_sp_pol -rule true -action oauth_sp_act

bind authentication policylabel plabel_oauth_Partner -policyName oauth_sp_pol -priority 100 -gotoPriorityExpression NEXT

Create SAML Policy for redirecting to SAML IdP

add authentication policylabel plabel_saml_Vendor

add authentication samlAction saml_sp_act -samlIdPCertName <IDP-CertKeyName> -samlRedirectUrl <Redirect-url> -samlIssuerName <Issuer-Name>

add authentication Policy saml_sp_pol -rule true -action saml_sp_act 

bind authentication policylabel plabel_saml_Vendor -policyName saml_sp_pol -priority 100 -gotoPriorityExpression NEXT

Bind all three policy factors to plabel_noauth_Employee_Partner_Vendor

bind authentication policylabel plabel_noauth_Employee_Partner_Vendor -policyName noauth_Employee_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor plabel_singleauth_Employee

bind authentication policylabel plabel_noauth_Employee_Partner_Vendor -policyName noauth_Partner_pol -priority 110 -gotoPriorityExpression NEXT -nextFactor plabel_oauth_Partner

bind authentication policylabel plabel_noauth_Employee_Partner_Vendor -policyName noauth_Vendor_pol -priority 120 -gotoPriorityExpression NEXT -nextFactor plabel_saml_Vendor

Bind group based policy label as nextFactor for group extraction authentication policy

bind authentication vserver abs_sp_auth_vs -policy aaa_local_grp_extraction_pol -priority 100 -nextFactor plabel_noauth_Employee_Partner_Vendor -gotoPriorityExpression NEXT

Configure email ID (or user name) input based group extraction at first factor to decide the next factor authentication by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click + to add the nFactor flow.

  3. Add a factor for group extraction with LDAP group extraction policy using EmailOnlyLoginSchema. The name that you enter is the name of the nFactor flow. Click Create.


  4. Click Add Schema on the nFactor block. To create a customized login schema (emailOnlyLSchema in this case), you can edit the built in OnlyUsername.xml schema.


  5. Create an authentication login schema using the created login schema file.


  6. Choose a login schema from the Authentication Login Schema list and click OK.


  7. Create an LDAP server for group extraction with authentication disabled to be used for authentication policy creation. For more information on creating LDAP authentication, see, Configuring LDAP Authentication.


  8. Click Other Settings to specify the following values for the LDAP server. LDAP login name – mail; Group Attribute - MemberOf; Sub Attribute Name - cn.


  9. Click Add Policy and click Add to create a group extraction authentication policy.

  10. Click the green + sign on the emailbasedGroupExtraction block to create decision blocks for the next factors.


  11. On Next Factor to Connect screen, select Create decision block, enter a name for the decision block, and click Create.


  12. Create an authentication policy for each destination group for the respective decision blocks. For example, Group based authentication factor for AD Group “Employee”.


  13. The following diagram shows the nFactor flow after all the decision blocks are created.


  14. Once all the decision blocks are created, bind all the group based decision blocks to the respective authentication factors. For example, Employee group, can have a user name and password authentication factor.


  15. Choose login schema from the Authentication Login Schema drop-down menu and click Add.


  16. Choose the authentication policy and click Add.


  17. Once all group based decision blocks are configured with authentication policies as factors, the nFactor flow looks like the following diagram.


  18. Click Bind to Authentication Server and click Create.

  19. Select the authentication virtual server and click nFactor Flow.


  20. Choose the nFactor flow under Select nfactor Flow field and click Add.


  21. Bind this flow to the authentication, authorization, and auditing virtual server.

Unbind the nFactor

  1. Select the nFactor flow and click Show Bindings.
  2. Select the authentication virtual server and click Unbind.
Configure email ID (or user name) input based group extraction at first factor to decide the next factor authentication flow