NetScaler nfactor AAA

[Chaitanya k]

Hi

We are trying to a new use case. When user uses their AD id(userid) they should be authenticated to AD. If they use email address, they should be authenticated at SAML URL. For this, I have created SAML server, AAA vserver, advanced policy (only username, only password and saml) and policy labels. In AAA vserver, I’ve used only username login schema. In AAA vserver authentication policy, I’ve added LDAP as first policy with NEXT factor as only password. This LDAP policy has an expression which will check if user’s input has @ character. I’ve added SAML policy as second policy. If LDAP policy fails, it will go to SAML policy.

When users open gateway vip, they get username page. When they enter userid LDAP policy checks if user input has @ character. As userid (user logon name) doesnt has @ character, NEXT Factor in LDAP policy is executed which is only password page. When users enter their password, they can login successfully.

When users open gateway vip and enter their email id, LDAP policy checks if userinput has @ character. As emailid has @ character, LDAP policy fails and SAML policy kicks in and shows SAML IDP page.

When executed this way, everything works as expected. But when I enter a typo in userid or a wrong userid, behind the scenes, that userid is validated in AD. When I enter a wrong userid or a typo, that userid validation fails and it is redirecting to SAML IDP page. Also if the password entered is wrong, it still redirects to storefront apps page and it fails there with “cannot complete your request” error.

In order to achieve our requirement how should I configure AAA vserver policies? Can someone please help?

Thanks,

Chaitanya

[Hemang Raval]

Hello Chaitanya,

You can use below config for same:

• Factor-1: Login Schema: Only Username
  • Policy 1: No-Auth, Expression: AAA.LOGIN.USERNAME.CONTAINS("@"), Next Factor - Factor2.1- SAML
  • Policy 2: No-Auth, Expression: true,Next Factor2.2-LDAP
• Factor 2.1-SAML:Login Schema: No Schema
  • Policy 1: SAML
• Factor 2.2-LDAP: Login Schema: Only Password, Make sure to use user expression as "AAA.LOGIN.USERNAME"

Below is visualiser sample: (I have use local instead of SAML)