Dusty_Camp
Dec 15, 2023

APM SSO Credential Mapping 2FA Grid Card

Really having some trouble with this one. I have an ancient grid card system for two-factor authentication. It works just fine through APM when logging into Citrix Storefront. The issue is I can't get the SSO mapping to work correctly. I need the username and password passed down to Storefront after all authentication is done.

The way the authentication is done now is the user gets a logon page, enters AD creds, and then gets another prompt with a three-character grid card challenge. Each user has their own unique grid card and they respond to that challenge. When using the SSO Credentials Mapping it seems that the grid card challenge answer is causing issues with pulling the last password. Storefront only accepts the original AD creds input initially. This all works fine if I don't do Radius and just use LDAPS, but I need the 2FA for compliance reasons. Any suggestions?

I'll upload an image later but right now my VPE looks like this:

Logon page -> Radius Auth -> SSO Creds Map -> Allow

The Radius server does both the AD authentication and grid card challenge. I do have the option of breaking that up though and doing AD Auth separately as long as I provide those creds to the Radius server to get the correct grid card challenge. I would then need to provide the same AD creds given to Radius to Storefront at the allow ending. 

1 Reply

  • Hello

    I would advise using a Variable Assign block before the RADIUS Auth block to preserve the password retrieved from the logon page.

    In Variable Assign, create a custom variable, let's say user.custom.password, type secure, and put "user.custom.password = session.logon.last.password".

    In SSO Credentials Mapping, put sso.token.last.password = user.custom.password.

    Hope this helps
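
The approach in the reply, written out in APM Variable Assign notation as an added example (not part of the original thread). The variable name `session.custom.ad_password` and the VPE order shown are assumptions; the `session.sso.token.last.*` variables and `mcget -secure` are the standard APM names used by SSO Credential Mapping.

```tcl
# Assumed VPE order:
#   Logon Page -> Variable Assign -> RADIUS Auth -> SSO Credential Mapping -> Allow

# --- Variable Assign, placed BEFORE RADIUS Auth ---
# Copy the AD password while session.logon.last.password still holds it.
# Mark the custom variable as Secure so it is stored encrypted in the session
# and can only be read back with "mcget -secure".
# (session.custom.ad_password is a hypothetical name chosen for this example.)
session.custom.ad_password = expr { [mcget -secure {session.logon.last.password}] }

# --- SSO Credential Mapping, placed AFTER RADIUS Auth ---
# Default password mapping, shown for comparison. Per the question, after the
# grid card prompt this no longer yields the AD password Storefront expects:
#   session.sso.token.last.password = expr { [mcget -secure {session.logon.last.password}] }

# Custom password mapping that reads the preserved AD password instead:
session.sso.token.last.password = expr { [mcget -secure {session.custom.ad_password}] }

# Username mapping left at its default (username from the logon page):
session.sso.token.last.username = expr { [mcget {session.logon.last.username}] }
```

Reading a secure variable without `-secure` returns an empty value, so both the copy and the SSO mapping need the flag.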