Configuring LDAP Group Extraction
If you are using two-factor authentication, groups extracted from both the primary and secondary authentication sources are concatenated. Authorization policies can be applied to the group that is extracted from the primary or secondary authentication server.
The group names obtained from the LDAP server are compared with the group names created locally on Citrix Gateway. If the two group names match, the properties of the local group apply to the group obtained from the LDAP servers.
If users belong to more than one LDAP group, Citrix Gateway extracts user information from all the groups to which users belong. If a user is a member of two groups on Citrix Gateway and each group has a bound session policy, the user inherits the session policies from both groups. To make sure that users receive the correct session policy, set the priority for the session policy.
For more information about LDAP group membership attributes that will and will not work with Citrix Gateway authorization, see the following: