Authentication

Authentication configuration.

Configuration APIs


Use this method to add a new adfsproxy profile on the Citrix ADC.


Use this method to create an authentication profile to hold all authentication-related configuration for a TM vserver.


Use this method to create an Azure key vault profile. This profile is used to interact with Azure services for data signature and storage.


Use this method to create a captcha action.


Use this method to add an action (profile) for a client certificate (cert) authentication server.
The profile contains all configuration data necessary to communicate with that client cert authentication server.


Use this method to add a client certificate (cert) authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified client cert authentication server.


Use this method to create a Citrix Authentication action. This profile is used to interact with Citrix services for validating user credentials.


Use this method to create an action (profile) for a DFA server.
The profile contains all configuration data necessary to communicate with that DFA server.


Use this method to add a DFA authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified Web server.


Use this method to add an email action that is used to send email to end users.


Use this method to add an action (profile) for endpoint analysis (EPA) clients before authentication.


Use this method to create an action (profile) for an LDAP server.
This profile contains all configuration data needed to communicate with that LDAP server.


Use this method to add an LDAP authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified LDAP server.


Use this method to add a policy for the Citrix ADC to locally authenticate a user.
The policy contains criteria that specify when and how to authenticate a user.


Use this method to create a LoginSchema. This profile is used to send authentication requirements to the UI tier for login.


Use this method to add a LoginSchema policy for use in login parameter selection.


Use this method to create an action (profile) for an Active Directory (AD) server that is used as a Kerberos Key Distribution Center (KDC).
The profile contains all configuration data necessary to communicate with that AD KDC server.


Use this method to add an Active Directory (AD) Kerberos Key Distribution Center (KCD) authentication policy (negotiate policy).
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified AD KCD server.


Use this method to create a noauth action. This action implies implicit success and inherits the default group. It can be used to craft policy decisions by giving a default group.


Use this method to add an action to be used for OAuth authentication.


Use this method to add an OAuth Identity Provider (IdP) policy for use in authentication.


Use this method to create an OAuth IdP profile. This profile is used to verify incoming authentication requests from the Resource Server and to send the token.


Use this method to add an advanced authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user.


Use this method to create a user-defined authentication policy label.


Use this method to add an action to be used for protected user authentication.


Use this method to add a new push service entity on the Citrix ADC. The Push service will be configured with well-known predefined default values for the Namespace (https://mfa.cloud.com/) and Trust Service (https://trust.citrixworkspacesapi.net/) endpoints.


Use this method to create an action (profile) for a RADIUS server.
The profile contains all configuration data necessary to communicate with that RADIUS server.


Use this method to add a RADIUS authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the RADIUS server.


Use this method to create an action (profile) for a Security Assertion Markup Language (SAML) server.
The profile contains all configuration data necessary to communicate with that SAML server.


Use this method to add a SAML Identity Provider (IdP) policy for use in authentication.


Use this method to create a SAML single IdP profile. This profile is used to verify incoming authentication requests from the Service Provider and to create and sign the Assertion that is sent back to it.


Use this method to add a SAML authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified SAML server.


Use this method to add a Smartaccess authentication policy.


Use this method to create a Smartaccess profile with the given tag name.


Use this method to add an action to be used for authentication using a storefront server.


Use this method to create an action (profile) for a TACACS+ server.
The profile contains all configuration data necessary to communicate with that TACACS+ server.


Use this method to add a TACACS+ authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified TACACS+ server.


Use this method to create an authentication virtual server.


Use this method to add an action to be used for web authentication.
* Specify the entire HTTP request in a single expression.


Use this method to add a WebAuth authentication policy.
The policy defines the criteria under which the Citrix ADC attempts to authenticate the user with the specified Web server.


Use this method to bind a policy to an authentication policylabel.


Use this method to bind a policy to an authentication vserver.


Use this method to bind a portaltheme to an authentication vserver.


Use this method to disable an authentication virtual server, taking it out of service.


Use this method to enable an authentication virtual server that is disabled.
Note: Virtual servers, when added, are normally enabled by default.


Use this method to get all the configured adfsproxyprofile entities in the system. If a name is specified, then only that entity is shown.


Use this method to get the current configuration for the authentication profile specified


Use this method to get information about all configured Azure key vaults, or detailed information about the specified vault.


Use this method to get information about all configured actions, or detailed information about the specified action.


Use this method to get the current configuration settings for the specified client cert authentication server profile (action).


Use this method to get the current settings for the specified client cert authentication policy.


Use this method to get information about all configured Citrix authentication actions, or detailed information about the specified action.


Use this method to get the current configuration settings for the specified DFA profile (action).


Use this method to get the current settings for the specified DFA policy.


Use this method to get information about all configured email actions, or detailed information about the specified action.


Use this method to get details of the specified EPA action.


Use this method to get the current configuration settings for the specified LDAP profile (action).


Use this method to get the current settings for the specified LDAP policy.


Use this method to get the current settings for the specified local authentication policy.


Use this method to get information about all configured login schemas, or detailed information about the specified schema.


Use this method to get information about all configured LoginSchema policies, or detailed information about the specified policy.


Use this method to get the current configuration settings for the specified AD KDC server profile (negotiate action).


Use this method to get the current settings for the specified AD KCD (negotiate) policy.


Use this method to get information about all configured actions, or detailed information about the specified action.


Use this method to get information about the configured OAuth authentication action.


Use this method to get information about all configured OAuth Identity Provider (IdP) authentication policies, or detailed information about the specified policy.


Use this method to get information about all configured OAuth IdP profiles, or detailed information about the specified action.


Use this method to get the current settings for the specified advanced authentication policy.


Use this method to get the current settings for the specified authentication policy label.


Use this method to get information about the configured protected user authentication action.


Use this method to get all the configured push service entities in the system. If a name is specified, then only that entity is shown.


Use this method to get the current configuration settings for the specified RADIUS profile (action).


Use this method to get the current settings for the specified RADIUS authentication policy.


Use this method to get the current configuration settings for the specified SAML server profile (action).


Use this method to get information about all configured SAML Identity Provider (IdP) authentication policies, or detailed information about the specified policy.


Use this method to get information about all configured SAML single sign-on profiles, or detailed information about the specified action.


Use this method to get the current settings for the specified SAML policy.


Use this method to get the current settings for the specified Smartaccess policy.


Use this method to get information about the specified Smartaccess profile given the name.


Use this method to get information about the configured storefront authentication action.


Use this method to get the current configuration settings for the specified TACACS+ profile (action).


Use this method to get the current settings for the specified TACACS+ policy.


Use this method to get the configuration of the specified authentication virtual server.


Use this method to get information about the configured web authentication action.


Use this method to get the current settings for the specified WebAuth policy.


Use this method to rename the specified LoginSchema policy.


Use this method to rename the specified OAuth Identity Provider (IdP) policy. You must restart the Citrix ADC to put the new name into effect.


Use this method to rename the specified authentication policy.


Use this method to rename an authn policy label.


Use this method to rename the specified SAML Identity Provider (IdP) policy. You must restart the Citrix ADC to put the new name into effect.


Use this method to rename an authentication virtual server.


Use this method to remove a previously configured adfsproxy profile on the Citrix ADC.


Use this method to remove an authentication profile.
A profile cannot be removed as long as it is set to a vserver.


Use this method to delete an existing Azure key vault.


Use this method to delete an existing captcha action.


Use this method to remove an existing client cert authentication server profile (action).


Use this method to remove a client cert authentication policy.


Use this method to delete an existing Citrix authentication action.


Use this method to remove a DFA profile (action).
An action cannot be removed as long as it is bound to a policy.


Use this method to remove a DFA policy.


Use this method to delete an existing email action.


Use this method to remove an EPA action.
NOTE: An EPA action cannot be removed if it is bound to a policy.


Use this method to remove an LDAP profile (action).
NOTE: An action cannot be removed if it is bound to a policy.


Use this method to remove an LDAP policy.


Use this method to remove the specified local authentication policy.


Use this method to delete an existing LoginSchema.


Use this method to remove an existing LoginSchema policy.


Use this method to remove an AD KDC server profile (negotiate action). An action cannot be removed if it is bound to a policy.


Use this method to remove the specified AD KCD (negotiate) policy.


Use this method to delete an existing noauth action.


Use this method to remove an OAuth authentication action. You cannot remove an action that is used in any part of a policy.


Use this method to remove an existing OAuth Identity Provider (IdP) policy.


Use this method to delete an existing OAuth IdP profile.


Use this method to remove the advanced authentication policy.


Use this method to remove an authorization policy label.


Use this method to remove a protected user authentication action. You cannot remove an action that is used in any part of a policy.


Use this method to remove a push service entity on the Citrix ADC


Use this method to remove a RADIUS profile (action).
An action cannot be removed as long as it is bound to a policy.


Use this method to remove a RADIUS authentication policy.


Use this method to remove a SAML profile (action).
An action cannot be removed if it is bound to a policy.


Use this method to remove an existing SAML Identity Provider (IdP) policy.


Use this method to delete an existing SAML IdP profile.


Use this method to remove the specified SAML policy.


Use this method to remove a Smartaccess policy.


Use this method to delete an already present Smartaccess profile.


Use this method to remove a storefront authentication action. You cannot remove an action that is used in any part of a policy.


Use this method to remove a TACACS+ profile (action).
A profile cannot be removed as long as it is bound to a policy.


Use this method to remove the specified TACACS+ policy.


Use this method to remove an authentication virtual server.


Use this method to remove a web authentication action. You cannot remove an action that is used in any part of a policy.


Use this method to remove a WebAuth policy.


Use this method to set the SSL certificate of the proxy that is registered at the ADFS server for trust.


Use this method to set the password of an account in the directory that is used to authenticate trust requests from the ADC acting as a proxy.


Use this method to set the fully qualified URL of the ADFS server.


Use this method to set the name of an account in the directory that is used to authenticate trust requests from the ADC acting as a proxy.


Use this method to set the domain for which the TM cookie must be set. If unspecified, the cookie will be set for the FQDN.


Use this method to set the hostname of the authentication vserver to which the user must be redirected for authentication.


Use this method to set the authentication weight or level of the vserver to which this will be bound. This is used to order TM vservers based on the protection required. A session that is created by authenticating against a TM vserver at a given level cannot be used to access a TM vserver at a higher level.


Use this method to set the name of the authentication vserver at which authentication should be done.


Use this method to set whether authentication is disabled. If authentication is disabled, OTP checks are not performed after Azure vault keys are obtained. This is useful to distinguish whether the user has registered devices.


Use this method to set the unique identity of the relying party requesting authentication.


Use this method to set the unique secret string to authorize the relying party at the authorization server.


Use this method to set the group that is added to user sessions that match the current IdP policy. It can be used in policies to identify relying party trust.


Use this method to set the name of the service used to send push notifications.


Use this method to set the interval at which the access token is obtained.


Use this method to set the friendly name of the key to be used to compute the signature.


Use this method to set the algorithm to be used to sign/verify transactions.


Use this method to set the tenantID of the application. This is usually specific to providers such as Microsoft and usually refers to the deployment identifier.


Use this method to set the URL endpoint on the relying party to which the OAuth token is to be sent.


Use this method to set the name of the Azure vault account as configured in the Azure portal.


Use this method to set the group that is added to user sessions that match the current policy.


Use this method to set the score threshold value for reCAPTCHA v3.


Use this method to set the secret of the gateway as established at the captcha source.


Use this method to set the endpoint at which the captcha response is validated.


Use this method to set the sitekey to identify the gateway FQDN while loading the captcha.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set the client-cert field from which the group is extracted. Must be set to either ""Subject"" or ""Issuer"" (include both sets of double quotation marks).
Format: :


Use this method to enable or disable two-factor authentication.
Two-factor authentication is client cert authentication followed by password authentication.


Use this method to set the client-cert field from which the username is extracted. Must be set to either ""Subject"" or ""Issuer"" (include both sets of double quotation marks).
Format: :.


Use this method to set the name of the client cert authentication action to be performed if the policy matches.


Use this method to set the name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the authentication server.


Use this method to set the authentication option. Authentication needs to be disabled for searching the user object without performing authentication.


Use this method to set the type of the Citrix Authentication implementation. The default implementation uses Citrix Cloud Connector.


Use this method to set the string that, if configured, is sent to the DFA server as the X-Citrix-Exchange header value.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set the key shared between the DFA server and the Citrix ADC.
Required to allow the Citrix ADC to communicate with the DFA server.


Use this method to set the DFA server URL.


Use this method to set the new DFA action to associate with the policy.


Use this method to set the new rule to associate with the policy.


Use this method to set the content to be delivered to the user. The "$code" string within the content will be replaced with the actual one-time code to be sent.


Use this method to set the group that is added to user sessions that match the current IdP policy. It can be used in policies to identify relying party trust.


Use this method to set an optional expression that yields the user's email. When not configured, the user's default mail address is used. When configured, the result of this expression is used as the destination email address.


Use this method to set the password/Clientsecret to use when authenticating to the server.


Use this method to set the address of the server that delivers the message. It is fully qualified, such as http(s):// or smtp(s):// for the HTTP and SMTP protocols respectively. For SMTP, the port number is mandatory, as in smtps://smtp.example.com:25.


Use this method to set the time after which the code expires.
NOTE: This attribute is deprecated, and configuring it will have no effect.


Use this method to set the type of the email action. The default type is SMTP.


Use this method to set the username/Clientid/EmailID to be used to authenticate to the server.


Use this method to set the ClientSecurityExpression to be sent to the client.


Use this method to set the default group that is chosen when the EPA check succeeds.


Use this method to set a string specifying the path(s) and name(s) of the files to be deleted by the endpoint analysis (EPA) tool. Multiple files are delimited by commas.


Use this method to set the parameter to enable or disable the device posture service scan.


Use this method to set a string specifying the name of a process to be terminated by the endpoint analysis (EPA) tool. Multiple processes are delimited by commas.


Use this method to set the quarantine group that is chosen when the EPA check fails, if configured.


Use this method to set the alternative email attribute. The NetScaler appliance uses the alternative email attribute to query the Active Directory for the alternative email ID of a user.


Use this method to set the expression that is evaluated to extract attribute1 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute10 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute11 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute12 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute13 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute14 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute15 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute16 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute2 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute3 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute4 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute5 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute6 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute7 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute8 from the LDAP response.


Use this method to set the expression that is evaluated to extract attribute9 from the LDAP response.


Use this method to set the list of attribute names, separated by ',', that need to be fetched from the LDAP server.
Note that preceding and trailing spaces will be removed.
An attribute name can be 127 bytes, and the total length of this string should not exceed 2047 bytes.
These attributes have multi-value support, separated by ',', and are stored as key-value pairs in the AAA session.


Use this method to set whether to perform LDAP authentication.
If authentication is disabled, any LDAP authentication attempt returns authentication success if the user is found.
CAUTION! Authentication should be disabled only for authorization group extraction or where other (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.


Use this method to set the number of seconds the Citrix ADC waits for a response from the RADIUS server.


Use this method to set the cloud attributes option. The Citrix ADC uses the cloud attributes to extract additional attributes from LDAP servers required for Citrix Cloud operations.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set the email attribute. The Citrix ADC uses the email attribute to query the Active Directory for the email ID of a user.


Use this method to set whether to follow referrals. Setting this option to ON enables following LDAP referrals received from the LDAP server.


Use this method to set the LDAP group attribute name.
Used for group extraction on the LDAP server.


Use this method to set the KnowledgeBasedAuthentication (KBA) attribute on AD. This attribute is used to store and retrieve the preconfigured Question and Answer knowledge base used for KBA authentication.


Use this method to set the base (node) from which to start LDAP searches.
If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.


Use this method to set the full distinguished name (DN) that is used to bind to the LDAP server.
Default: cn=Manager,dc=netscaler,dc=com


Use this method to set the password used to bind to the LDAP server.


Use this method to set the hostname for the LDAP server. If -validateServerCert is ON, this must be the host name on the certificate from the LDAP server.
A hostname mismatch will cause a connection failure.


Use this method to set the LDAP login name attribute.
The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories.


Use this method to set the MSSRV-specific parameter. Used to locate the DNS node to which the SRV record pertains in the domainname. The domainname is appended to it to form the SRV record.
Example : For "dc._msdcs", the srv record formed is _ldap._tcp.dc._msdcs..


Use this method to set whether to allow nested group extraction, in which the Citrix ADC queries external LDAP servers to determine whether a group is part of another group.


Use this method to set the OneTimePassword (OTP) secret key attribute on AD. This attribute is used to store and retrieve the secret key used for the OTP check.


Use this method to set whether to allow password change requests.


Use this method to set whether NetScaler management access uses LDAP exclusively for retrieving user group information. It ensures that LDAP is not used for authenticating user logins (i.e., verifying passwords) for NetScaler management access.


Use this method to set the name of the service used to send push notifications.


Use this method to set the DNS record lookup type for the referrals.


Use this method to set whether to require a successful user search for authentication.
CAUTION! This field should be set to NO only if usersearch is not required [both username validation and password validation are skipped] and (non-LDAP) authentication methods are in use and either bound to a primary list or flagged as secondary.


Use this method to set the string to be combined with the default LDAP user search string to form the search value. For example, if the search filter "vpnallowed=true" is combined with the LDAP login name "samaccount" and the user-supplied username is "bob", the result is the LDAP search string ""&(vpnallowed=true)(samaccount=bob)"" (be sure to enclose the search string in two sets of double quotation marks; both sets are needed).


Use this method to set the type of security used for communications between the Citrix ADC and the LDAP server. For the PLAINTEXT setting, no encryption is required.


Use this method to set the IP address assigned to the LDAP server.


Use this method to set the LDAP server name as an FQDN. Mutually exclusive with the LDAP IP address.


Use this method to set the port on which the LDAP server accepts connections.


Use this method to set the SSH PublicKey attribute on AD. This attribute is used to retrieve the SSH public key for RBA authentication.


Use this method to set the LDAP single sign-on (SSO) attribute.
The Citrix ADC uses the SSO name attribute to query external LDAP servers or Active Directories for an alternate username.


Use this method to set the LDAP group sub-attribute name.
Used for group extraction from the LDAP server.


Use this method to set the type of LDAP server.


Use this method to set when to validate LDAP server certs.


Use this method to set the new LDAP action to associate with the policy.


Use this method to set the new rule to associate with the policy.


Use this method to set the name of the Citrix ADC named rule, or an expression, that the policy uses to perform the authentication.


Use this method to set the name of the file for reading the authentication schema to be sent for the Login Page UI. This file should contain the XML definition of elements as per the Citrix Forms Authentication Protocol to be able to render the login form. If the administrator does not want to prompt users for additional credentials but wants to continue with previously obtained credentials, then "noschema" can be given as the argument. Note that this applies only to loginSchemas that are used with user-defined factors, and not the vserver factor.


Use this method to set the weight of the current authentication.


Use this method to set the expression for password extraction during login. This can be any relevant advanced policy expression.


Use this method to set the index at which user entered password should be stored in session.


Use this method to set whether the current factor credentials are the default SSO (SingleSignOn) credentials.


Use this method to set the index at which user entered username should be stored in session.


Use this method to set the expression for username extraction during login. This can be any relevant advanced policy expression.


Use this method to set the name of the profile to apply to requests or connections that match this policy.
* NOOP - Do not take any specific action when this policy evaluates to true. This is useful to implicitly go to a different policy set.
* RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired.
* DROP - Drop the request without sending a response to the user.


Use this method to set any comments to preserve information about this policy.


Use this method to set the name of the messagelog action to use when a request matches this policy.


Use this method to set the expression that is evaluated to choose a profile for authentication.

The following requirements apply only to the Citrix ADC CLI:
* If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
* If the expression itself includes double quotation marks, escape the quotations by using the \ character.
* Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.


Use this method to set action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used.


Use this method to set this is the default group that is chosen when the authentication succeeds in addition to extracted groups.


Use this method to set domain name of the service principal that represnts Citrix ADC.


Use this method to set user name of the account that is mapped with Citrix ADC principal. This can be given along with domain and password when keytab file is not available. If username is given along with keytab file, then that keytab file will be searched for this user's credentials.


Use this method to set password of the account that is mapped to the Citrix ADC principal.


Use this method to set the path to the keytab file that is used to decrypt kerberos tickets presented to Citrix ADC. If keytab is not available, domain/username/password can be specified in the negotiate action configuration


Use this method to set the path to the site that is enabled for NTLM authentication, including FQDN of the server. This is used when clients fallback to NTLM.


Use this method to set active Directory organizational units (OU) attribute.
NOTE: This attribute is deprecated.
This attribute is deprecated. Please do not configure this


Use this method to set name of the negotiate action to perform if the policy matches.


Use this method to set name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the AD KCD server.


Use this method to set the group that is added to user sessions that match the current policy.


Use this method to set multivalued option to specify allowed token verification algorithms.


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute1


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute10


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute11


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute12


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute13


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute14


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute15


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute16


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute2


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute3


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute4


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute5


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute6


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute7


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute8


Use this method to set name of the attribute to be extracted from OAuth Token and to be stored in the attribute9


Use this method to set list of attribute names separated by ',' which needs to be extracted.
Note that preceding and trailing spaces will be removed.
Attribute name can be 127 bytes and total length of this string should not cross 1023 bytes.
These attributes have multi-value support separated by ',' and stored as key-value pair in AAA session


Use this method to set audience for which token sent by Authorization server is applicable. This is typically entity name or url that represents the recipient


Use this method to set the authentication option. If authentication is disabled, the password is not sent in the request.


Use this method to set the authorization endpoint/URL to which an unauthenticated user will be redirected. Citrix ADC redirects the user to this endpoint by adding query parameters including clientid. If this parameter is not specified, the Token Endpoint/URL value is used as the default. Note that either the Authorization Endpoint or the Token Endpoint is mandatory for oauthAction.


Use this method to set the URL of the endpoint that contains JWKs (JSON Web Keys) for JWT (JSON Web Token) verification.


Use this method to set the path to the file that contains JWKs (JSON Web Keys) for JWT (JSON Web Token) verification.


Use this method to set unique identity of the client/user who is getting authenticated. Authorization server infers client configuration using this ID


Use this method to set secret string established by user and authorization server


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set the supported grant type. The value can be code or password.


Use this method to set the URL of the Graph API service to learn Enterprise Mobility Services (EMS) endpoints.


Use this method to set the URL to which the obtained idtoken will be posted to get a decrypted user identity. The encrypted idtoken is obtained by posting the OAuth token to the token endpoint. To decrypt the idtoken, Citrix ADC posts a request to the configured URL.


Use this method to set the URL to which the access token will be posted for validation.


Use this method to set the expression that will be evaluated to obtain IntuneDeviceId for compliance check against IntuneNAC device compliance endpoint. The expression is applicable when the OAuthType is INTUNE. The maximum length allowed to be used as IntuneDeviceId for the device compliance check from the computed response after the expression evaluation is 41.
Examples:
add authentication oauthAction -intuneDeviceIdExpression 'AAA.LOGIN.INTUNEURI.AFTER_STR("IntuneDeviceId://")'


Use this method to set identity of the server whose tokens are to be accepted.


Use this method to set well-known configuration endpoint of the Authorization Server. Citrix ADC fetches server details from this endpoint.


Use this method to set option to set/unset miscellaneous feature flags.
Available values function as follows:
* Base64Encode_Authorization_With_Padding - On setting this value, for endpoints (token and introspect), basic authorization header will be base64 encoded with padding.
* EnableJWTRequest - By enabling this field, Authorisation request to IDP will have jwt signed 'request' parameter


Use this method to set type of the OAuth implementation. Default value is generic implementation that is applicable for most deployments.


Use this method to set option to enable/disable PKCE flow during authentication.


Use this method to set interval at which services are monitored for necessary configuration.


Use this method to set name-Value pairs of attributes to be inserted in request parameter. Configuration format is name=value_expr@@@name2=value2_expr@@@.
'@@@' is used as delimiter between Name-Value pairs. name is a literal string whose value is 127 characters and does not contain '=' character.
Value is advanced policy expression terminated by @@@ delimiter. Last value need not contain the delimiter.


Use this method to set the resource URL for the OAuth configuration.


Use this method to set the allowed clock skew, in minutes, that Citrix ADC allows on an incoming token. For example, if skewTime is 10, then the token would be valid from (current time - 10) min to (current time + 10) min, i.e. 20 min in all.


Use this method to set tenantID of the application. This is usually specific to providers such as Microsoft and usually refers to the deployment identifier.


Use this method to set the URL to which the OAuth token will be posted to verify its authenticity. The user obtains this token from the Authorization server upon successful authentication. Citrix ADC validates the presented token by posting it to the configured URL.


Use this method to set option to select the variant of token authentication method. This method is used while exchanging code with IdP.


Use this method to set the URL to which the OAuth access token will be posted to obtain user information.


Use this method to set attribute in the token from which username should be extracted.


Use this method to set name of the profile to apply to requests or connections that match this policy.


Use this method to set any comments to preserve information about this policy.


Use this method to set name of messagelog action to use when a request matches this policy.


Use this method to set expression that the policy uses to determine whether to respond to the specified request.


Use this method to set action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only DROP/RESET actions can be used.


Use this method to set name-Value pairs of attributes to be inserted in idtoken. Configuration format is name=value_expr@@@name2=value2_expr@@@.
'@@@' is used as delimiter between Name-Value pairs. name is a literal string whose value is 127 characters and does not contain '=' character.
Value is advanced policy expression terminated by @@@ delimiter. Last value need not contain the delimiter.


Use this method to set audience for which token is being sent by Citrix ADC IdP. This is typically entity name or url that represents the recipient


Use this method to set unique identity of the relying party requesting for authentication.


Use this method to set unique secret string to authorize relying party at authorization server.


Use this method to set name of the entity that is used to obtain configuration for the current authentication request. It is used only in Citrix Cloud.


Use this method to set the group that will be part of the AAA session's internal group list. This helps the administrator in an nFactor flow decide the right AAA configuration for the Relying Party. In an authentication policy, AAA.USER.IS_MEMBER_OF("") is the way to use this feature.


Use this method to set option to encrypt token when Citrix ADC IDP sends one.


Use this method to set the name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.


Use this method to set the URL endpoint on the relying party to which the OAuth token is to be sent.


Use this method to set interval at which Relying Party metadata is refreshed.


Use this method to set the endpoint at which Citrix ADC IdP can get details about the Relying Party (RP) being configured. The metadata response should include endpoints for jwks_uri for RP public key(s).


Use this method to set option to send encrypted password in idtoken.


Use this method to set algorithm to be used to sign OpenID tokens.


Use this method to set the name of the service in cloud used to sign the data. This is applicable only if the signature is offloaded to cloud.


Use this method to set the duration for which the token sent by Citrix ADC IdP is valid. For example, if skewTime is 10, then the token would be valid from (current time - 10) min to (current time + 10) min, i.e. 20 min in all.


Use this method to set name of the authentication action to be performed if the policy matches.


Use this method to set any comments to preserve information about this policy.


Use this method to set name of messagelog action to use when a request matches this policy.


Use this method to set name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the AUTHENTICATION server.


Use this method to set action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used.


Use this method to set login schema associated with authentication policy label. Login schema defines the UI rendering by providing customization option of the fields. If user intervention is not needed for a given factor such as group extraction, a loginSchema whose authentication schema is "noschema" should be used.


Use this method to set max number of concurrent users allowed.


Use this method to set the Kerberos realm.


Use this method to set unique identity for communicating with Citrix Push server in cloud.


Use this method to set unique secret for communicating with Citrix Push server in cloud.


Use this method to set customer id/name of the account in cloud that is used to create clientid/secret pair.


Use this method to set interval at which certificates or idtoken is refreshed.


Use this method to set whether the RADIUS server is currently accepting accounting messages.


Use this method to configure the RADIUS server state to accept or refuse authentication messages.


Use this method to set the number of retries by the Citrix ADC before getting a response from the RADIUS server.


Use this method to set number of seconds the Citrix ADC waits for a response from the RADIUS server.


Use this method to set whether to send the Calling-Station-ID of the client to the RADIUS server. The IP address of the client is sent as its Calling-Station-ID.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set remote IP address attribute type in a RADIUS response.


Use this method to set vendor ID of the intranet IP attribute in the RADIUS response.
NOTE: A value of 0 indicates that the attribute is not vendor encoded.


Use this method to control whether the Message-Authenticator attribute is included in a RADIUS Access-Request packet.


Use this method to set encoding type for passwords in RADIUS packets that the Citrix ADC sends to the RADIUS server.


Use this method to set vendor ID of the attribute, in the RADIUS response, used to extract the user password.


Use this method to set the RADIUS attribute type used for RADIUS group extraction.


Use this method to set the RADIUS group separator string.
The group separator delimits group names within a RADIUS attribute for RADIUS group extraction.


Use this method to set the RADIUS groups prefix string.
This groups prefix precedes the group names within a RADIUS attribute for RADIUS group extraction.


Use this method to set key shared between the RADIUS server and the Citrix ADC.
Required to allow the Citrix ADC to communicate with the RADIUS server.


Use this method to set the string that, if configured, is sent to the RADIUS server as the Network Access Server ID (NASID).


Use this method to set whether the Citrix ADC IP address (NSIP) is sent to the RADIUS server as the Network Access Server IP (NASIP) address.
The RADIUS protocol defines the meaning and use of the NASIP address.


Use this method to set the RADIUS vendor ID attribute used for RADIUS group extraction.


Use this method to set the IP address assigned to the RADIUS server.


Use this method to set the RADIUS server name as an FQDN. Mutually exclusive with the RADIUS IP address.


Use this method to set port number on which the RADIUS server listens for connections.


Use this method to set the name of the LB vserver to associate when the transport mode is TLS. The LB vserver needs to be of type TCP and the associated service needs to be SSL_TCP.


Use this method to set transport mode to RADIUS server.


Use this method to set whether to send the Tunnel Endpoint Client IP address to the RADIUS server.


Use this method to set name of the RADIUS action to perform if the policy matches.


Use this method to set name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the RADIUS server.


Use this method to set the URL of the Artifact Resolution Service on the IdP to which Citrix ADC will post the artifact to get the actual SAML token.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute1. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute10. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute11. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute12. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute13. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute14. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute15. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute16. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute2. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute3. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute4. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute5. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute6. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute7. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute8. Maximum length of the extracted attribute is 239 bytes.


Use this method to set name of the attribute in SAML Assertion whose value needs to be extracted and stored as attribute9. Maximum length of the extracted attribute is 239 bytes.


Use this method to set index/ID of the attribute specification at Identity Provider (IdP). IdP will locate attributes requested by SP using this index and send those attributes in Assertion


Use this method to set list of attribute names separated by ',' which needs to be extracted.
Note that preceding and trailing spaces will be removed.
Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes.
These attributes have multi-value support separated by ',' and stored as key-value pair in AAA session


Use this method to set audience for which assertion sent by IdP is applicable. This is typically entity name or url that represents ServiceProvider


Use this method to set the authentication class types that are requested from the IdP (Identity Provider).
InternetProtocol: This is applicable when a principal is authenticated through the use of a provided IP address.
InternetProtocolPassword: This is applicable when a principal is authenticated through the use of a provided IP address, in addition to a username/password.
Kerberos: This is applicable when the principal has authenticated using a password to a local authentication authority, in order to acquire a Kerberos ticket.
MobileOneFactorUnregistered: This indicates authentication of the mobile device without requiring explicit end-user interaction.
MobileTwoFactorUnregistered: This indicates two-factor based authentication during mobile customer registration process, such as secure device and user PIN.
MobileOneFactorContract: Reflects mobile contract customer registration procedures and a single factor authentication.
MobileTwoFactorContract: Reflects mobile contract customer registration procedures and a two-factor based authentication.
Password: This class is applicable when a principal authenticates using password over unprotected http session.
PasswordProtectedTransport: This class is applicable when a principal authenticates to an authentication authority through the presentation of a password over a protected session.
PreviousSession: This class is applicable when a principal had authenticated to an authentication authority at some point in the past using any authentication context.
X509: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.
PGP: This indicates that the principal authenticated by means of a digital signature where the key was validated as part of a PGP Public Key Infrastructure.
SPKI: This indicates that the principal authenticated by means of a digital signature where the key was validated via an SPKI Infrastructure.
XMLDSig: This indicates that the principal authenticated by means of a digital signature according to the processing rules specified in the XML Digital Signature specification.
Smartcard: This indicates that the principal has authenticated using smartcard.
SmartcardPKI: This class is applicable when a principal authenticates to an authentication authority through a two-factor authentication mechanism using a smartcard with enclosed private key and a PIN.
SoftwarePKI: This class is applicable when a principal uses an X.509 certificate stored in software to authenticate to the authentication authority.
Telephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone number, transported via a telephony protocol such as ADSL.
NomadTelephony: Indicates that the principal is "roaming" and authenticates via the means of the line number, a user suffix, and a password element.
PersonalTelephony: This class is used to indicate that the principal authenticated via the provision of a fixed-line telephone.
AuthenticatedTelephony: Indicates that the principal authenticated via the means of the line number, a user suffix, and a password element.
SecureRemotePassword: This class is applicable when the authentication was performed by means of Secure Remote Password.
TLSClient: This class indicates that the principal authenticated by means of a client certificate, secured with the SSL/TLS transport.
TimeSyncToken: This is applicable when a principal authenticates through a time synchronization token.
Unspecified: This indicates that the authentication was performed by unspecified means.
Windows: This indicates that Windows integrated authentication is utilized for authentication.


Use this method to set the custom authentication class reference to be sent as a part of the Authentication Request that is sent by the SP to the SAML IdP. The input string must be the body of the authentication class being requested.
Input format: Alphanumeric string or URL specifying the body of the Request. If more than one string has to be provided, specify the classes as a string of comma-separated values.
Example input: set authentication samlaction samlact1 -customAuthnCtxClassRef http://www.class1.com/LoA1,http://www.class2.com/LoA2


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set algorithm to be used to compute/verify digest for SAML transactions


Use this method to set option to choose whether the username that is extracted from SAML assertion can be edited in login page while doing second factor


Use this method to set option that forces authentication at the Identity Provider (IdP) that receives Citrix ADC's request


Use this method to set name of the tag in assertion that contains user groups.


Use this method to set the transport mechanism of SAML logout messages.


Use this method to set singleLogout URL on IdP to which logoutRequest will be sent on Citrix ADC session cleanup.


Use this method to set interval in minutes for fetching metadata from specified metadata URL


Use this method to set the URL that is used for obtaining SAML metadata. Note that it fills the samlIdPCertName and samlredirectUrl fields, so those fields should not be updated when metadataUrl is present.


Use this method to set the preferred binding types for SSO and logout for metadata configuration.


Use this method to set boolean expression that will be evaluated to validate the SAML Response.
Examples:
set authentication samlaction -relaystateRule 'AAA.LOGIN.RELAYSTATE.EQ("https://fqdn.com/")'
set authentication samlaction -relaystateRule 'AAA.LOGIN.RELAYSTATE.CONTAINS("https://fqdn.com/")'
set authentication samlaction -relaystateRule 'AAA.LOGIN.RELAYSTATE.CONTAINS_ANY("patset_name")'
set authentication samlAction samlsp -relaystateRule 'AAA.LOGIN.RELAYSTATE.REGEX_MATCH(re#http://.com/#)'.


Use this method to set the authentication context requirements of authentication statements returned in the response.


Use this method to set index/ID of the metadata entry corresponding to this configuration.


Use this method to set the transport mechanism of SAML messages.


Use this method to set the name of the SSL certificate used to verify responses from the SAML Identity Provider (IdP). Note that if metadataUrl is present then this field should be empty.


Use this method to set the name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.


Use this method to set the URL to which users are redirected for authentication. Note that if metadataUrl is present then this field should be empty.


Use this method to set whether to reject unsigned SAML assertions. The ON option results in rejection of an Assertion that is received without a signature. The STRICT option ensures that both Response and Assertion are signed.


Use this method to set name of the SSL certificate to sign requests from ServiceProvider (SP) to Identity Provider (IdP).


Use this method to set option to enable second factor after SAML


Use this method to set the SAML user ID, as given in the SAML assertion.


Use this method to set option to send thumbprint instead of x509 certificate in SAML request


Use this method to set algorithm to be used to sign/verify SAML transactions


Use this method to set the allowed clock skew, in minutes, that Citrix ADC ServiceProvider allows on an incoming assertion. For example, if skewTime is 10, then the assertion would be valid from (current time - 10) min to (current time + 10) min, i.e. 20 min in all.


Use this method to set boolean expression that will be evaluated to validate HTTP requests on SAML endpoints.
Examples:
set authentication samlaction -stateChecks 'HTTP.REQ.HOSTNAME.EQ("https://fqdn.com/")'


Use this method to set option to store entire SAML Response through the life of user session.


Use this method to set name of the profile to apply to requests or connections that match this policy.


Use this method to set any comments to preserve information about this policy.


Use this method to set name of messagelog action to use when a request matches this policy.


Use this method to set expression which is evaluated to choose a profile for authentication.

The following requirements apply only to the Citrix ADC CLI:
* If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
* If the expression itself includes double quotation marks, escape the quotations by using the \ character.
* Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.


Use this method to set action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used.


Use this method to set expression that will be evaluated to allow Assertion Consumer Service URI coming in the SAML Request


Use this method to set the URL to which the assertion is to be sent.


Use this method to set name of attribute1 that needs to be sent in SAML Assertion


Use this method to set name of attribute10 that needs to be sent in SAML Assertion


Use this method to set name of attribute11 that needs to be sent in SAML Assertion


Use this method to set name of attribute12 that needs to be sent in SAML Assertion


Use this method to set name of attribute13 that needs to be sent in SAML Assertion


Use this method to set name of attribute14 that needs to be sent in SAML Assertion


Use this method to set name of attribute15 that needs to be sent in SAML Assertion


Use this method to set name of attribute16 that needs to be sent in SAML Assertion


Use this method to set name of attribute2 that needs to be sent in SAML Assertion


Use this method to set name of attribute3 that needs to be sent in SAML Assertion


Use this method to set name of attribute4 that needs to be sent in SAML Assertion


Use this method to set name of attribute5 that needs to be sent in SAML Assertion


Use this method to set name of attribute6 that needs to be sent in SAML Assertion


Use this method to set name of attribute7 that needs to be sent in SAML Assertion


Use this method to set name of attribute8 that needs to be sent in SAML Assertion


Use this method to set name of attribute9 that needs to be sent in SAML Assertion


Use this method to set audience for which assertion sent by IdP is applicable. This is typically entity name or url that represents ServiceProvider


Use this method to set the group that will be part of the AAA session's internal group list. This helps the administrator in an nFactor flow decide the right AAA configuration for the Relying Party. In an authentication policy, AAA.USER.IS_MEMBER_OF("") is the way to use this feature.


Use this method to set algorithm to be used to compute/verify digest for SAML transactions


Use this method to set option to encrypt assertion when Citrix ADC IDP sends one.


Use this method to set algorithm to be used to encrypt SAML assertion


Use this method to set key transport algorithm to be used in encryption of SAML assertion


Use this method to set the transport mechanism of SAML logout messages.


Use this method to set the interval in minutes for fetching metadata from the specified metadata URL.


Use this method to set the URL that is used for obtaining samlidp metadata.


Use this method to set expression that will be evaluated to obtain NameIdentifier to be sent in assertion


Use this method to set format of Name Identifier sent in Assertion.


Use this method to set option to Reject unsigned SAML Requests. ON option denies any authentication requests that arrive without signature.


Use this method to set the transport mechanism of SAML messages.


Use this method to set the name of the certificate used to sign the SAMLResponse that is sent to the Relying Party or Service Provider after successful authentication.


Use this method to set the name to be used in requests sent from Citrix ADC to IdP to uniquely identify Citrix ADC.


Use this method to set the version of the certificate in the signature service used to sign the SAMLResponse that is sent to the Relying Party or Service Provider after successful authentication.


Use this method to set name of the SSL certificate of SAML Relying Party. This certificate is used to verify signature of the incoming AuthnRequest from a Relying Party or Service Provider


Use this method to set version of the certificate in signature service used to verify the signature of the incoming AuthnRequest from a Relying Party or Service Provider


Use this method to set option to send password in assertion.
NOTE: This attribute is deprecated.
Send password feature has been deprecated. Please use custom attributes.


Use this method to set unique identifier of the Service Provider that sends SAML Request. Citrix ADC will ensure that the Issuer of the SAML Request matches this URI. In case of SP initiated sign-in scenarios, this value must be same as samlIssuerName configured in samlAction.


Use this method to set option to sign portions of assertion when Citrix ADC IDP sends one. Based on the user selection, either Assertion or Response or Both or none can be signed


Use this method to set algorithm to be used to sign/verify SAML transactions


Use this method to set name of the service in cloud used to sign the data


Use this method to set the number of minutes on either side of current time that the assertion would be valid. For example, if skewTime is 10, then the assertion would be valid from (current time - 10) min to (current time + 10) min, i.e. 20 min in all.


Use this method to set endpoint on the ServiceProvider (SP) to which logout messages are to be sent


Use this method to set name of the SAML authentication action to be performed if the policy matches.


Use this method to set name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the SAML server.


Use this method to set the new Smartaccess action to associate with the policy.


Use this method to set any comments to preserve information about this policy.


Use this method to set the new rule to associate with the policy.


Use this method to set optional comment for the profile.


Use this method to set the tag that is associated with Smartaccess profile.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set domain of the server that is used for authentication. If users enter a name without a domain, this parameter is added to the username in the authentication request to the server.


Use this method to set URL of the Storefront server. This is the FQDN of the Storefront server. Example: https://storefront.com/. Authentication endpoints are learned dynamically by Gateway.


Use this method to set whether the TACACS+ server is currently accepting accounting messages.


Use this method to set name of the custom attribute to be extracted from server and stored at index '1' (where '1' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '10' (where '10' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '11' (where '11' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '12' (where '12' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '13' (where '13' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '14' (where '14' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '15' (where '15' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '16' (where '16' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '2' (where '2' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '3' (where '3' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '4' (where '4' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '5' (where '5' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '6' (where '6' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '7' (where '7' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '8' (where '8' changes for each attribute)


Use this method to set name of the custom attribute to be extracted from server and stored at index '9' (where '9' changes for each attribute)


Use this method to set list of attribute names, separated by ',', which need to be fetched from the TACACS server.
Note that preceding and trailing spaces will be removed.
Attribute name can be 127 bytes and total length of this string should not cross 2047 bytes.
These attributes have multi-value support, with values separated by ',', and are stored as key-value pairs in the AAA session.


Use this method to set the state of the TACACS+ server that will receive accounting messages.


Use this method to set whether to use streaming authorization on the TACACS+ server.


Use this method to set number of seconds the Citrix ADC waits for a response from the TACACS+ server.


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set TACACS+ group attribute name.
Used for group extraction on the TACACS+ server.


Use this method to set IP address assigned to the TACACS+ server.


Use this method to set port number on which the TACACS+ server listens for connections.


Use this method to set key shared between the TACACS+ server and the Citrix ADC.
Required for allowing the Citrix ADC to communicate with the TACACS+ server.


Use this method to set name of the TACACS+ action to perform if the policy matches.


Use this method to set name of the Citrix ADC named rule, or an expression, that the policy uses to determine whether to attempt to authenticate the user with the TACACS+ server.


Use this method to set whether to log AppFlow flow information.


Use this method to set whether to require users to be authenticated before sending traffic through this virtual server.


Use this method to set the domain of the authentication cookie set by the Authentication vserver.
NOTE: This attribute is deprecated.
Authentication Domain Parameter has been deprecated. Please use Authentication Profile for setting domain wide cookies.


Use this method to set name of the certificate key that was bound to the corresponding SSL virtual server as the Certificate Authority for the device certificate


Use this method to set any comments associated with this virtual server.


Use this method to set number of minutes an account will be locked if the user exceeds the maximum permissible attempts.


Use this method to set IP address of the authentication virtual server, if a single IP address is assigned to the virtual server.


Use this method to set maximum number of login attempts.


Use this method to set SameSite attribute value for cookies generated in AAATM context. This attribute value is appended only for the cookies which are specified in the built-in patset ns_cookies_samesite.


Use this method to set expression that would be evaluated to extract attribute1 from the webauth response


Use this method to set expression that would be evaluated to extract attribute10 from the webauth response


Use this method to set expression that would be evaluated to extract attribute11 from the webauth response


Use this method to set expression that would be evaluated to extract attribute12 from the webauth response


Use this method to set expression that would be evaluated to extract attribute13 from the webauth response


Use this method to set expression that would be evaluated to extract attribute14 from the webauth response


Use this method to set expression that would be evaluated to extract attribute15 from the webauth response


Use this method to set expression that would be evaluated to extract attribute16 from the webauth response


Use this method to set expression that would be evaluated to extract attribute2 from the webauth response


Use this method to set expression that would be evaluated to extract attribute3 from the webauth response


Use this method to set expression that would be evaluated to extract attribute4 from the webauth response


Use this method to set expression that would be evaluated to extract attribute5 from the webauth response


Use this method to set expression that would be evaluated to extract attribute6 from the webauth response


Use this method to set expression that would be evaluated to extract attribute7 from the webauth response


Use this method to set expression that would be evaluated to extract attribute8 from the webauth response


Use this method to set expression that would be evaluated to extract attribute9 from the webauth response


Use this method to set the default group that is chosen when the authentication succeeds, in addition to extracted groups.


Use this method to set exact HTTP request, in the form of an expression, which the Citrix ADC sends to the authentication server.
The Citrix ADC does not check the validity of this request. One must manually validate the request.


Use this method to set type of scheme for the web server.


Use this method to set IP address of the web server to be used for authentication.


Use this method to set port on which the web server accepts connections.


Use this method to set expression that checks whether authentication is successful.


Use this method to set the new WebAuth action to associate with the policy.


Use this method to set the new rule to associate with the policy.


Use this method to unbind policy from authentication policylabel.


Use this method to unbind priority from authentication policylabel.


Use this method to unbind policy from authentication vserver.


Use this method to unbind portaltheme from authentication vserver.


Remove authentication authnProfile authenticationdomain setting.


Remove authentication authnProfile authenticationlevel setting.


Remove authentication azureKeyVault authentication setting.


Remove authentication azureKeyVault defaultauthenticationgroup setting.


Remove authentication azureKeyVault pushservice setting.


Remove authentication azureKeyVault refreshinterval setting.


Remove authentication azureKeyVault signaturealg setting.


Remove authentication captchaAction defaultauthenticationgroup setting.


Remove authentication captchaAction scorethreshold setting.


Remove authentication captchaAction serverurl setting.


Remove authentication certAction defaultauthenticationgroup setting.


Remove authentication certAction groupnamefield setting.


Remove authentication certAction twofactor setting.


Remove authentication certAction usernamefield setting.


Remove authentication certPolicy reqaction setting.


Remove authentication certPolicy rule setting.


Remove authentication citrixAuthAction authentication setting.


Remove authentication citrixAuthAction authenticationtype setting.


Remove authentication dfaAction clientid setting.


Remove authentication dfaAction defaultauthenticationgroup setting.


Remove authentication dfaAction serverurl setting.


Remove authentication emailAction content setting.


Remove authentication emailAction defaultauthenticationgroup setting.


Remove authentication emailAction emailaddress setting.


Remove authentication emailAction timeout setting.


Remove authentication emailAction type setting.


Remove authentication epaAction defaultepagroup setting.


Remove authentication epaAction deletefiles setting.


Remove authentication epaAction killprocess setting.


Remove authentication epaAction quarantinegroup setting.


Remove authentication ldapAction alternateemailattr setting.


Remove authentication ldapAction attribute1 setting.


Remove authentication ldapAction attribute10 setting.


Remove authentication ldapAction attribute11 setting.


Remove authentication ldapAction attribute12 setting.


Remove authentication ldapAction attribute13 setting.


Remove authentication ldapAction attribute14 setting.


Remove authentication ldapAction attribute15 setting.


Remove authentication ldapAction attribute16 setting.


Remove authentication ldapAction attribute2 setting.


Remove authentication ldapAction attribute3 setting.


Remove authentication ldapAction attribute4 setting.


Remove authentication ldapAction attribute5 setting.


Remove authentication ldapAction attribute6 setting.


Remove authentication ldapAction attribute7 setting.


Remove authentication ldapAction attribute8 setting.


Remove authentication ldapAction attribute9 setting.


Remove authentication ldapAction attributes setting.


Remove authentication ldapAction authentication setting.


Remove authentication ldapAction authtimeout setting.


Remove authentication ldapAction cloudattributes setting.


Remove authentication ldapAction defaultauthenticationgroup setting.


Remove authentication ldapAction email setting.


Remove authentication ldapAction followreferrals setting.


Remove authentication ldapAction groupattr setting.


Remove authentication ldapAction groupnameidentifier setting.


Remove authentication ldapAction groupsearchattribute setting.


Remove authentication ldapAction groupsearchfilter setting.


Remove authentication ldapAction groupsearchsubattribute setting.


Remove authentication ldapAction kbattribute setting.


Remove authentication ldapAction ldapbase setting.


Remove authentication ldapAction ldapbinddn setting.


Remove authentication ldapAction ldapbinddnpassword setting.


Remove authentication ldapAction ldaphost setting.


Remove authentication ldapAction ldaplogin setting.


Remove authentication ldapAction maxldapreferrals setting.


Remove authentication ldapAction maxnestinglevel setting.


Remove authentication ldapAction mssrvrecordlocation setting.


Remove authentication ldapAction nestedgroupextraction setting.


Remove authentication ldapAction otpsecret setting.


Remove authentication ldapAction passwdchange setting.


Remove authentication ldapAction passwordlessmgmtaccess setting.


Remove authentication ldapAction pushservice setting.


Remove authentication ldapAction referraldnslookup setting.


Remove authentication ldapAction requireuser setting.


Remove authentication ldapAction searchfilter setting.


Remove authentication ldapAction sectype setting.


Remove authentication ldapAction serverport setting.


Remove authentication ldapAction ssonameattribute setting.


Remove authentication ldapAction subattribute setting.


Remove authentication ldapAction svrtype setting.


Remove authentication ldapAction validateservercert setting.


Remove authentication ldapPolicy reqaction setting.


Remove authentication ldapPolicy rule setting.


Remove authentication loginSchema authenticationstrength setting.


Remove authentication loginSchema passwdexpression setting.


Remove authentication loginSchema passwordcredentialindex setting.


Remove authentication loginSchema ssocredentials setting.


Remove authentication loginSchema usercredentialindex setting.


Remove authentication loginSchema userexpression setting.


Remove authentication loginSchemaPolicy comment setting.


Remove authentication loginSchemaPolicy logaction setting.


Remove authentication loginSchemaPolicy undefaction setting.


Remove authentication negotiateAction defaultauthenticationgroup setting.


Remove authentication negotiateAction domain setting.


Remove authentication negotiateAction domainuser setting.


Remove authentication negotiateAction domainuserpasswd setting.


Remove authentication negotiateAction ntlmpath setting.


Remove authentication negotiateAction ou setting.


Remove authentication noAuthAction defaultauthenticationgroup setting.


Remove authentication OAuthAction allowedalgorithms setting.


Remove authentication OAuthAction attribute1 setting.


Remove authentication OAuthAction attribute10 setting.


Remove authentication OAuthAction attribute11 setting.


Remove authentication OAuthAction attribute12 setting.


Remove authentication OAuthAction attribute13 setting.


Remove authentication OAuthAction attribute14 setting.


Remove authentication OAuthAction attribute15 setting.


Remove authentication OAuthAction attribute16 setting.


Remove authentication OAuthAction attribute2 setting.


Remove authentication OAuthAction attribute3 setting.


Remove authentication OAuthAction attribute4 setting.


Remove authentication OAuthAction attribute5 setting.


Remove authentication OAuthAction attribute6 setting.


Remove authentication OAuthAction attribute7 setting.


Remove authentication OAuthAction attribute8 setting.


Remove authentication OAuthAction attribute9 setting.


Remove authentication OAuthAction attributes setting.


Remove authentication OAuthAction audience setting.


Remove authentication OAuthAction authentication setting.


Remove authentication OAuthAction certendpoint setting.


Remove authentication OAuthAction certfilepath setting.


Remove authentication OAuthAction defaultauthenticationgroup setting.


Remove authentication OAuthAction graphendpoint setting.


Remove authentication OAuthAction idtokendecryptendpoint setting.


Remove authentication OAuthAction introspecturl setting.


Remove authentication OAuthAction intunedeviceidexpression setting.


Remove authentication OAuthAction issuer setting.


Remove authentication OAuthAction metadataurl setting.


Remove authentication OAuthAction oauthmiscflags setting.


Remove authentication OAuthAction oauthtype setting.


Remove authentication OAuthAction pkce setting.


Remove authentication OAuthAction refreshinterval setting.


Remove authentication OAuthAction requestattribute setting.


Remove authentication OAuthAction resourceuri setting.


Remove authentication OAuthAction skewtime setting.


Remove authentication OAuthAction tokenendpointauthmethod setting.


Remove authentication OAuthAction userinfourl setting.


Remove authentication OAuthAction usernamefield setting.


Remove authentication OAuthIdPPolicy comment setting.


Remove authentication OAuthIdPPolicy logaction setting.


Remove authentication OAuthIdPPolicy undefaction setting.


Remove authentication OAuthIDPProfile attributes setting.


Remove authentication OAuthIDPProfile audience setting.


Remove authentication OAuthIDPProfile configservice setting.


Remove authentication OAuthIDPProfile defaultauthenticationgroup setting.


Remove authentication OAuthIDPProfile encrypttoken setting.


Remove authentication OAuthIDPProfile issuer setting.


Remove authentication OAuthIDPProfile refreshinterval setting.


Remove authentication OAuthIDPProfile relyingpartymetadataurl setting.


Remove authentication OAuthIDPProfile sendpassword setting.


Remove authentication OAuthIDPProfile signaturealg setting.


Remove authentication OAuthIDPProfile signatureservice setting.


Remove authentication OAuthIDPProfile skewtime setting.


Remove authentication Policy comment setting.


Remove authentication Policy logaction setting.


Remove authentication Policy undefaction setting.


Remove authentication policylabel loginschema setting.


Remove authentication protectedUserAction maxconcurrentusers setting.


Remove authentication pushService refreshinterval setting.


Remove authentication radiusAction accounting setting.


Remove authentication radiusAction authentication setting.


Remove authentication radiusAction authservretry setting.


Remove authentication radiusAction authtimeout setting.


Remove authentication radiusAction callingstationid setting.


Remove authentication radiusAction defaultauthenticationgroup setting.


Remove authentication radiusAction ipattributetype setting.


Remove authentication radiusAction ipvendorid setting.


Remove authentication radiusAction messageauthenticator setting.


Remove authentication radiusAction passencoding setting.


Remove authentication radiusAction pwdattributetype setting.


Remove authentication radiusAction pwdvendorid setting.


Remove authentication radiusAction radattributetype setting.


Remove authentication radiusAction radgroupseparator setting.


Remove authentication radiusAction radgroupsprefix setting.


Remove authentication radiusAction radnasid setting.


Remove authentication radiusAction radnasip setting.


Remove authentication radiusAction radvendorid setting.


Remove authentication radiusAction serverport setting.


Remove authentication radiusAction targetlbvserver setting.


Remove authentication radiusAction transport setting.


Remove authentication radiusAction tunnelendpointclientip setting.


Remove authentication radiusPolicy reqaction setting.


Remove authentication radiusPolicy rule setting.


Remove authentication samlAction artifactresolutionserviceurl setting.


Remove authentication samlAction attribute1 setting.


Remove authentication samlAction attribute10 setting.


Remove authentication samlAction attribute11 setting.


Remove authentication samlAction attribute12 setting.


Remove authentication samlAction attribute13 setting.


Remove authentication samlAction attribute14 setting.


Remove authentication samlAction attribute15 setting.


Remove authentication samlAction attribute16 setting.


Remove authentication samlAction attribute2 setting.


Remove authentication samlAction attribute3 setting.


Remove authentication samlAction attribute4 setting.


Remove authentication samlAction attribute5 setting.


Remove authentication samlAction attribute6 setting.


Remove authentication samlAction attribute7 setting.


Remove authentication samlAction attribute8 setting.


Remove authentication samlAction attribute9 setting.


Remove authentication samlAction attributeconsumingserviceindex setting.


Remove authentication samlAction attributes setting.


Remove authentication samlAction audience setting.


Remove authentication samlAction authnctxclassref setting.


Remove authentication samlAction customauthnctxclassref setting.


Remove authentication samlAction defaultauthenticationgroup setting.


Remove authentication samlAction digestmethod setting.


Remove authentication samlAction enforceuser setting.


Remove authentication samlAction forceauthn setting.


Remove authentication samlAction groupnamefield setting.


Remove authentication samlAction logoutbinding setting.


Remove authentication samlAction logouturl setting.


Remove authentication samlAction metadatarefreshinterval setting.


Remove authentication samlAction metadataurl setting.


Remove authentication samlAction preferredbindtype setting.


Remove authentication samlAction relaystaterule setting.


Remove authentication samlAction requestedauthncontext setting.


Remove authentication samlAction samlacsindex setting.


Remove authentication samlAction samlbinding setting.


Remove authentication samlAction samlissuer setting.


Remove authentication samlAction samlredirecturl setting.


Remove authentication samlAction samlrejectunsignedassertion setting.


Remove authentication samlAction samlsigningcert setting.


Remove authentication samlAction samltwofactor setting.


Remove authentication samlAction samluserfield setting.


Remove authentication samlAction sendthumbprint setting.


Remove authentication samlAction signaturealg setting.


Remove authentication samlAction skewtime setting.


Remove authentication samlAction statechecks setting.


Remove authentication samlAction storesamlresponse setting.


Remove authentication samlIdPPolicy comment setting.


Remove authentication samlIdPPolicy logaction setting.


Remove authentication samlIdPPolicy undefaction setting.


Remove authentication samlIdPProfile acsurlrule setting.


Remove authentication samlIdPProfile assertionconsumerserviceurl setting.


Remove authentication samlIdPProfile attribute1 setting.


Remove authentication samlIdPProfile attribute10 setting.


Remove authentication samlIdPProfile attribute10format setting.


Remove authentication samlIdPProfile attribute10friendly setting.


Remove authentication samlIdPProfile attribute11 setting.


Remove authentication samlIdPProfile attribute11format setting.


Remove authentication samlIdPProfile attribute11friendly setting.


Remove authentication samlIdPProfile attribute12 setting.


Remove authentication samlIdPProfile attribute12format setting.


Remove authentication samlIdPProfile attribute12friendly setting.


Remove authentication samlIdPProfile attribute13 setting.


Remove authentication samlIdPProfile attribute13format setting.


Remove authentication samlIdPProfile attribute13friendly setting.


Remove authentication samlIdPProfile attribute14 setting.


Remove authentication samlIdPProfile attribute14format setting.


Remove authentication samlIdPProfile attribute14friendly setting.


Remove authentication samlIdPProfile attribute15 setting.


Remove authentication samlIdPProfile attribute15format setting.


Remove authentication samlIdPProfile attribute15friendly setting.


Remove authentication samlIdPProfile attribute16 setting.


Remove authentication samlIdPProfile attribute16format setting.


Remove authentication samlIdPProfile attribute16friendly setting.


Remove authentication samlIdPProfile attribute1format setting.


Remove authentication samlIdPProfile attribute1friendly setting.


Remove authentication samlIdPProfile attribute2 setting.


Remove authentication samlIdPProfile attribute2format setting.


Remove authentication samlIdPProfile attribute2friendly setting.


Remove authentication samlIdPProfile attribute3 setting.


Remove authentication samlIdPProfile attribute3format setting.


Remove authentication samlIdPProfile attribute3friendly setting.


Remove authentication samlIdPProfile attribute4 setting.


Remove authentication samlIdPProfile attribute4format setting.


Remove authentication samlIdPProfile attribute4friendly setting.


Remove authentication samlIdPProfile attribute5 setting.


Remove authentication samlIdPProfile attribute5format setting.


Remove authentication samlIdPProfile attribute5friendly setting.


Remove authentication samlIdPProfile attribute6 setting.


Remove authentication samlIdPProfile attribute6format setting.


Remove authentication samlIdPProfile attribute6friendly setting.


Remove authentication samlIdPProfile attribute7 setting.


Remove authentication samlIdPProfile attribute7format setting.


Remove authentication samlIdPProfile attribute7friendly setting.


Remove authentication samlIdPProfile attribute8 setting.


Remove authentication samlIdPProfile attribute8format setting.


Remove authentication samlIdPProfile attribute8friendly setting.


Remove authentication samlIdPProfile attribute9 setting.


Remove authentication samlIdPProfile attribute9format setting.


Remove authentication samlIdPProfile attribute9friendly setting.


Remove authentication samlIdPProfile audience setting.


Remove authentication samlIdPProfile defaultauthenticationgroup setting.


Remove authentication samlIdPProfile digestmethod setting.


Remove authentication samlIdPProfile encryptassertion setting.


Remove authentication samlIdPProfile encryptionalgorithm setting.


Remove authentication samlIdPProfile keytransportalg setting.


Remove authentication samlIdPProfile logoutbinding setting.


Remove authentication samlIdPProfile metadatarefreshinterval setting.


Remove authentication samlIdPProfile metadataurl setting.


Remove authentication samlIdPProfile nameidexpr setting.


Remove authentication samlIdPProfile nameidformat setting.


Remove authentication samlIdPProfile rejectunsignedrequests setting.


Remove authentication samlIdPProfile samlbinding setting.


Remove authentication samlIdPProfile samlidpcert setting.


Remove authentication samlIdPProfile samlissuer setting.


Remove authentication samlIdPProfile samlsigningcertversion setting.


Remove authentication samlIdPProfile samlspcert setting.


Remove authentication samlIdPProfile samlspcertversion setting.


Remove authentication samlIdPProfile sendpassword setting.


Remove authentication samlIdPProfile serviceproviderid setting.


Remove authentication samlIdPProfile signassertion setting.


Remove authentication samlIdPProfile signaturealg setting.


Remove authentication samlIdPProfile signatureservice setting.


Remove authentication samlIdPProfile skewtime setting.


Remove authentication samlIdPProfile splogouturl setting.


Remove authentication samlPolicy reqaction setting.


Remove authentication samlPolicy rule setting.


Remove authentication smartAccessPolicy comment setting.


Remove authentication smartAccessProfile comment setting.


Remove authentication storefrontAuthAction defaultauthenticationgroup setting.


Remove authentication storefrontAuthAction domain setting.


Remove authentication tacacsAction accounting setting.


Remove authentication tacacsAction attribute1 setting.


Remove authentication tacacsAction attribute10 setting.


Remove authentication tacacsAction attribute11 setting.


Remove authentication tacacsAction attribute12 setting.


Remove authentication tacacsAction attribute13 setting.


Remove authentication tacacsAction attribute14 setting.


Remove authentication tacacsAction attribute15 setting.


Remove authentication tacacsAction attribute16 setting.


Remove authentication tacacsAction attribute2 setting.


Remove authentication tacacsAction attribute3 setting.


Remove authentication tacacsAction attribute4 setting.


Remove authentication tacacsAction attribute5 setting.


Remove authentication tacacsAction attribute6 setting.


Remove authentication tacacsAction attribute7 setting.


Remove authentication tacacsAction attribute8 setting.


Remove authentication tacacsAction attribute9 setting.


Remove authentication tacacsAction attributes setting.


Remove authentication tacacsAction auditfailedcmds setting.


Remove authentication tacacsAction authorization setting.


Remove authentication tacacsAction authtimeout setting.


Remove authentication tacacsAction defaultauthenticationgroup setting.


Remove authentication tacacsAction groupattr setting.


Remove authentication tacacsAction serverip setting.


Remove authentication tacacsAction serverport setting.


Remove authentication tacacsAction tacacssecret setting.


Remove authentication tacacsPolicy reqaction setting.


Remove authentication tacacsPolicy rule setting.


Remove authentication vserver appflowlog setting.


Remove authentication vserver authentication setting.


Remove authentication vserver authenticationdomain setting.


Remove authentication vserver certkeynames setting.


Remove authentication vserver comment setting.


Remove authentication vserver failedlogintimeout setting.


Remove authentication vserver maxloginattempts setting.


Remove authentication vserver samesite setting.


Remove authentication webAuthAction attribute1 setting.


Remove authentication webAuthAction attribute10 setting.


Remove authentication webAuthAction attribute11 setting.


Remove authentication webAuthAction attribute12 setting.


Remove authentication webAuthAction attribute13 setting.


Remove authentication webAuthAction attribute14 setting.


Remove authentication webAuthAction attribute15 setting.


Remove authentication webAuthAction attribute16 setting.


Remove authentication webAuthAction attribute2 setting.


Remove authentication webAuthAction attribute3 setting.


Remove authentication webAuthAction attribute4 setting.


Remove authentication webAuthAction attribute5 setting.


Remove authentication webAuthAction attribute6 setting.


Remove authentication webAuthAction attribute7 setting.


Remove authentication webAuthAction attribute8 setting.


Remove authentication webAuthAction attribute9 setting.


Remove authentication webAuthAction defaultauthenticationgroup setting.


Remove authentication webAuthAction fullreqexpr setting.


Remove authentication webAuthAction serverip setting.


Remove authentication webAuthAction serverport setting.