
Flexible SSO in build 10.5 56.12

The last couple of months we have seen lots of versions of the NetScaler coming from Citrix development. In the last maintenance release I have installed on my test systems (only yesterday), I found a long-anticipated feature to dynamically “choose” the username and password being sent to a backend web server by AAA.

In the latest maintenance builds, it came to my attention that the LDAP action now contains attribute fields. That made me curious about what might be possible by “abusing” this new feature.

The actual problem we had was that some AAA-protected backend servers needed the UPN of a user, others needed the sAMAccountName or perhaps another attribute coming from Active Directory. Potentially you could do an HTTP callout to some API to “trade in” a username/password combination to perform SSO to the backend server based on the initial AAA logon.

Here is what happened:

On my existing LDAP action:

In the action, we retrieve the “sAMAccountName” and attach it to attribute1 on the AAA server. This can of course be any valid LDAP attribute.

The first application, Axx1, needs UPN/password (NTLM based). I do not have to do anything, because the ssoNameAttribute is userPrincipalName.

The second application, Axx2, needs sAMAccountName/password (basic authentication). For this I need to “trade in” the UPN for the sAMAccountName:

The third application, Axx3, needs domainname\sAMAccountName and password:

The parameters “userExpression” and “passwordExpression” are new in the traffic actions. Be advised, the GUI might not accept any expressions here yet (will be fixed, no doubt). The CLI does.

Actually both “userExpression” and “passwordExpression” are simple TEXT fields, so where the username/password comes from (think string map / callout / LDAP attribute / a literal “P@ssword”...) does not matter.
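To make the three cases concrete, here is an added example (not part of the original post, and not taken from Citrix documentation) of what the LDAP action and the three traffic actions look like as NetScaler 10.5 CLI commands. The object names, the LDAP server address and base DN, the bind account, the domain name EXAMPLE and the load balancing vserver names are all assumptions; the parameter names (-Attribute1, -ssoNameAttribute, -userExpression, -passwordExpression) are the ones the post talks about, and the backslash escaping for the third case is my reading of the expression syntax, so check the stored result on the box.

```nscli
# Added example: NetScaler 10.5 CLI for the three SSO cases in the post.
# Names, addresses, base DN, bind account and the domain "EXAMPLE" are made up.

# 1. LDAP action: users log on with their UPN. ssoNameAttribute makes the UPN
#    the default SSO user name, and Attribute1 fetches sAMAccountName so it is
#    available later in expressions as AAA.USER.ATTRIBUTE(1).
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=local" -ldapBindDn "svc_ns@example.local" -ldapBindDnPassword "<bind-password>" -ldapLoginName userPrincipalName -ssoNameAttribute userPrincipalName -Attribute1 sAMAccountName

# 2. Axx1 (NTLM, wants UPN/password): plain SSO, no user/password expression,
#    because ssoNameAttribute already delivers the UPN.
add tm trafficAction ta_axx1 -SSO ON
add tm trafficPolicy tp_axx1 true ta_axx1
bind lb vserver lb_axx1 -policyName tp_axx1 -priority 100

# 3. Axx2 (basic auth, wants sAMAccountName/password): trade the UPN for
#    attribute 1 and forward the password the user typed at the AAA logon.
add tm trafficAction ta_axx2 -SSO ON -userExpression "AAA.USER.ATTRIBUTE(1)" -passwordExpression "AAA.USER.PASSWD"
add tm trafficPolicy tp_axx2 true ta_axx2
bind lb vserver lb_axx2 -policyName tp_axx2 -priority 100

# 4. Axx3 (wants DOMAIN\sAMAccountName): prefix a string literal. Inside a
#    NetScaler string literal a backslash is written as \\, and the CLI needs
#    the inner quotes and backslashes escaped once more, hence the doubling.
add tm trafficAction ta_axx3 -SSO ON -userExpression "\"EXAMPLE\\\\\" + AAA.USER.ATTRIBUTE(1)" -passwordExpression "AAA.USER.PASSWD"
add tm trafficPolicy tp_axx3 true ta_axx3
bind lb vserver lb_axx3 -policyName tp_axx3 -priority 100

# Show what the appliance actually stored before trusting the escaping.
show tm trafficAction ta_axx3
```

Two things worth keeping in mind with this setup: passwordExpression hands the user's AAA password to the backend in whatever form that backend's authentication scheme uses (basic auth sends it as plain text), so the services behind lb_axx2 and lb_axx3 should be SSL services, and the -Attribute1 lookup only works if the bind account used by ldap_act is allowed to read that attribute in the directory.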

Have fun with this..

What do you think?
