# citrix-cloud
r
Did you create a separate resource location per forest? If it's only for users you could use a Connector Appliance for multiple. If it's for VDAs you need separate Windows Cloud Connectors, and I assume you are using accounts in the domains with the VDAs since you don't have trusts.
c
Yes, separate resources and accounts. The complicated part is some of the users have the same accounts in each location.
r
You mean they have multiple accounts. They will only be able to use the one they log on with if you don't have trusts.
c
OK, that's good to know. But when we try to use an account that's not in the primary zone (first one) we get an OID requirement in SAML.
j
Just to confirm, in the above, Rob mentioned a separate Resource Location (as opposed to AD resources) for the Cloud Connectors living in the other forests - is that how you have your RLs laid out currently?
c
Yes. Domain 1 - RL 1, Domain 2 - RL 2.
No trust between Domain 1 and Domain 2.
The odd part is if the user is not in Domain 1 it never tries the next Resource Location. It just errors saying no SID in SAML.
All app enumeration works fine, but when they open an app SSO breaks and I get a SID mismatch error in FAS. It's trying to match the SID from Domain 1 to the Domain 2 user.
j
Hrmmm, so in that sense Citrix Cloud is doing exactly what it should be doing (enum is fine so it's trawling the domain), and the problem is more at the FAS/SAML side. Is this Okta or Azure AD (I refuse to dignify the name change)?
I can't see how your FAS servers will ever understand about users in the other domain without a trust - I vaguely recall whiteboarding a very similar scenario here and we landed on FAS servers in each appropriate domain, but we also had Adaptive Auth which was going to be fronting it all, I believe.
r
Yes, I think you'll need FAS servers in both domains assigned to the RL. Never tried this; I can ask next week if we expect that to work.
c
Yes, we have FAS servers in each domain. I assumed it would just work. Yes, using Azure AD.
Thanks Rob, that would be helpful.
j
As a side thought, there was an enhancement with the SAML 2.0 provider where you could play around with the UPN rather than the SID -> I remember reading it, but I would be out of my depth on how it all works these days: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/saml-identity.html#create-and-map-c[…]-saml-attributes
c
Yes, we are using UPN; this fixed my first issue. Now another issue when I added a new domain. We also opened a ticket. Might play around with this: Attribute name for AD Domain: default value is cip_domain.
@Rob Zylowski, were you ever able to ask the team?
r
No, sorry Cory, I went on PTO and didn't get back to it. I'll ask now.
c
Thanks for checking. We started building a user domain, but have 15 sites, all air-gapped.
@Rob Zylowski, I submitted a ticket too; let me know if I can share it, maybe you can help get it some traction :)
Ticket number: 82477735