# citrix-cloud
m
Well, I got something working with Duo SSO as the first factor and LDAP as the second factor. In watching aaad.debug, I saw LDAP was giving me an `ldap_search returned error`, followed by `Sending reject to kernel for : useremailaddress@company.com, Rejecting with error code 4001`. I edited my LDAP action and created a new Server Logon Name Attribute. I entered "mail". Saved the action and I was able to log in. I have Authentication turned off for the LDAP action. I'm not sure if this is the correct way of going about this or not.
c
You'd need to look at the lines before the "sending reject to kernel" in this case, because 4001 is just bad credentials.
m
```
receive_ldap_bind_event 0-0: Admin bind successful, attempting user search event for useremailaddress@company.com
get_email_attribute 0-0: Email attribute: <mail>, length 5
ns_ldap_search 0-0: Searching for <<(& (=useremailaddress@company.com) (objectClass=*))>> from base <<DC=company,DC=com>>
ns_ldap_search 0-0: For user useremailaddress@company.com, ldap_search returned error
```
c
Most of the time when people use the user@domain.xyz format, the logon attribute is userPrincipalName in my experience, but it could vary depending on how AD was set up.
m
My UPNs do not match the email address. We will want users logging in with email over UPN.
o
LDAP is required for this OAuth scenario, but then it needs to be a no-auth action. So yeah, without it, you will get the first error. Then with it, it will be no-auth and essentially just do the lookup that is required.
m
So the key here is I must do SAML + LDAP. The LDAP action must have no auth and include the matching user attribute sent through Duo for user matching. Sound right?
c
yup
Duo had solid docs last time I set it up, nFactor and all
Well, probably more like "better than most".
m
If they did, it's not there now. https://help.duo.com/s/article/7705?language=en_US https://duo.com/docs/sso-citrix-netscaler The whole part about needing no-auth LDAP after SAML and searching for UPN isn't in the docs. To be fair, their documentation is focused on on-prem NetScaler. So I don't know if Citrix DaaS throws a monkey wrench in.
The nFactor guide is good, but is dated. I hope they update it for Universal Prompt and Citrix DaaS. It's focused on the Traditional Prompt. https://duo.com/docs/citrix-netscaler-nfactor
a
@Matt Sliva do you still have the issue?
m
No. I opened a case with Citrix, and the first level confirmed I needed a non-authenticating LDAP factor after my SAML factor and to specify userPrincipalName in my LDAP factor.
a
You can look at the article I wrote on Citrix Tech Zone. It has the CLI for Azure and Okta, but it's the same function with Duo; I have it working. Here is the link: https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/adaptive-authentication-citrix-daas.html I can share the CLI for Duo with you tomorrow if you want.
m
Yessir, I have read your article over and over. Unless I'm missing something, it doesn't talk about the requirement for LDAP after SAML and matching up the attributes. I apologize if I'm being critical, but it starts out great and then gets overcomplicated at the group extraction part. I have to figure that for most use cases, an admin just wants to be able to configure their DaaS Adaptive Access for MFA with SAML and be done with it. It also took me the longest time to understand the Cloud Connector tunnel concept. I couldn't figure out how devices running in an air-gapped data center on the internet could communicate with internal AD servers in my network.
a
So LDAP after SAML is not required, but it is a check to ensure the SAML ticket is for the same user as the first factor.
Please DM me tomorrow morning and I can give you some details. I am in EST. Thanks.