Passing additional LDAP attribute fields to NetScaler for SAML/SSO


#1

I’m investigating setting up Citrix Unified Gateway in NS 11.1 using Duo for 2FA. Before setting up Duo auth, I used standard LDAP authentication, which allowed me to add an additional field (mail) for use with SSO logins to Citrix ShareFile. ShareFile uses email instead of usernames for SSO login, so you can either have users log in with their email address, or you can use a standard username and pass an additional LDAP attribute (mail) for SSO. I was able to successfully set up SSO into ShareFile from the UG portal using basic LDAP authentication on the NetScaler. Once I enabled Duo authentication, however, this ceased to work. I realized that it was likely because the mail attribute was no longer being passed. Reading some of the various setup guides, I saw a parameter pass_through_all=true that I have added to my radius_server_iframe and _auto sections of my authproxy.cfg file, to no avail. Is there a way to pass that particular LDAP attribute using Duo login?


#2

Did you use the NetScaler “primary” Duo setup where the Duo authentication proxy handles both primary and secondary authentication over RADIUS?

If so, you may want to switch to our alternate configuration where you continue to use LDAP authentication for NetScaler primary to AD or whatever LDAP directory you use, and then add Duo for secondary authentication only. That way your primary LDAP config could continue sending the additional mail attribute to ShareFile.

The pass_through_all option is only valid when the upstream primary authentication server is RADIUS, and means that additional RADIUS attributes sent by the requesting device or by the upstream RADIUS auth server not specifically used for authentication are preserved in the request.

Thanks for trying Duo!
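As an added illustration (constructed for this page, not taken from the thread or from Duo's own documentation), the two authproxy.cfg layouts discussed above side by side. Layout A is the "primary" setup, where the Duo Authentication Proxy performs both the AD/LDAP password check and the Duo factor over RADIUS, so NetScaler no longer runs its own LDAP action and the mail attribute is never extracted. Layout B is the secondary-only setup, where NetScaler keeps LDAP as its primary policy (and keeps extracting mail for ShareFile SSO) and the proxy supplies only the second factor. The two layouts are alternative files, shown in one listing for comparison; all host names, keys, secrets and IPs are placeholders.

```ini
; Constructed example for comparison only. Every key, secret, host and IP
; below is a placeholder. Layout A and Layout B are ALTERNATIVE files; a real
; authproxy.cfg would contain only one of them.

; ---------------------------------------------------------------------------
; Layout A: proxy handles primary (AD/LDAP) AND Duo secondary over RADIUS.
; NetScaler talks only RADIUS to the proxy, so the NetScaler LDAP action that
; used to pull the "mail" attribute for ShareFile is no longer in the flow.
; pass_through_all does not apply here: the primary server is LDAP, not RADIUS.
; ---------------------------------------------------------------------------
[ad_client]
host=dc1.example.internal
service_account_username=svc_duo_proxy
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=ad_client
failmode=safe
port=1812

; ---------------------------------------------------------------------------
; Layout B: NetScaler keeps LDAP as the primary policy; the proxy does Duo only.
; The NetScaler LDAP action still runs (and still extracts "mail"), and the
; RADIUS action pointing at this proxy adds only the second factor.
; ---------------------------------------------------------------------------
[duo_only_client]

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=duo_only_client
failmode=safe
port=1812
```

With Layout B the proxy never verifies the user's password (that is what `duo_only_client` means), so on the NetScaler AAA vserver the LDAP policy must remain the mandatory primary and the RADIUS policy to the proxy must be bound as secondary; if the LDAP policy were removed or made optional, the RADIUS leg alone would accept any password. The attribute extraction for ShareFile SSO lives in the NetScaler LDAP action, which is why it keeps working in Layout B and disappears in Layout A.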