Azure MFA cli config

If you are using Azure MFA for authentication, the following commands set up the SAML action, the authentication policy, the AAA virtual server and the authentication profile. The bracketed values are placeholders for your own certificates and URLs.

add authentication samlAction Azure_SAML_Auth -samlIdPCertName [Azure Provided Certificate] -samlSigningCertName [Client wildcard cert] -samlRedirectUrl "[Azure Provided Redirect URL]" -samlUserField userprincipalName -samlIssuerName [Citrix Gateway URL] -logoutURL "[Azure Provided Redirect URL]" -logoutBinding REDIRECT
add authentication Policy Citrix_Gateway_SAML -rule true -action Azure_SAML_Auth
add authentication vserver CitrixGateway_AAA_SAML SSL 0.0.0.0
bind authentication vserver CitrixGateway_AAA_SAML -policy Citrix_Gateway_SAML -priority 100 -gotoPriorityExpression NEXT
bind ssl vserver CitrixGateway_AAA_SAML -certkeyName [Client wildcard cert]
add authentication authnProfile CitrixGateway_AuthProfile -authnVsName CitrixGateway_AAA_SAML

With SAML or OAuth, the identity returned in the response is the UPN, which carries no NetBIOS domain name. Federated accounts like these also need a dedicated Store that is set up for federation. The following session actions configure that.

add vpn sessionAction Federated_WebReceiver_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Federated Storename]Web/"
add vpn sessionAction Federated_Native_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://[Storefront Load Balancer IP]/Citrix/[Federated Storename]/" -clientlessVpnMode OFF
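As an added example (not part of the original post), a small Python helper that fills the bracketed placeholders above from a parameter set, refuses to emit commands while any placeholder or non-HTTPS URL remains, and checks that an identity looks like a UPN rather than a DOMAIN\user logon name. The parameter values are constructed sample data, not a real tenant.

```python
import re

# Keys mirror the bracketed placeholders in the commands above; the values
# are constructed sample data for this example, not a real deployment.
SAMPLE = {
    "idp_cert": "Azure_IdP_Cert",
    "signing_cert": "Wildcard_Cert",
    "redirect_url": "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2",
    "issuer": "https://gateway.example.com",
    "storefront_lb": "10.0.0.10",
    "store": "Federated",
}

# user@domain.tld with no backslash, slash or whitespace anywhere
UPN_RE = re.compile(r"^[^@\\/\s]+@[^@\\/\s]+\.[^@\\/\s]+$")

def is_upn(identity: str) -> bool:
    """True for jane@example.com; False for EXAMPLE\\jane or a bare jane."""
    return bool(UPN_RE.match(identity))

def _check(params: dict) -> None:
    """Reject missing values, leftover [placeholders] and plain-http URLs."""
    for key in SAMPLE:
        value = params.get(key)
        if not value or "[" in value or "]" in value:
            raise ValueError(f"{key} is missing or still a placeholder")
    for key in ("redirect_url", "issuer"):
        if not params[key].startswith("https://"):
            raise ValueError(f"{key} must use https")

def render_saml_config(params: dict) -> list[str]:
    """Return the CLI lines for the SAML action, policy, AAA vserver,
    authentication profile and the two federated session actions."""
    _check(params)
    p = params
    wihome_web = f"https://{p['storefront_lb']}/Citrix/{p['store']}Web/"
    wihome_native = f"https://{p['storefront_lb']}/Citrix/{p['store']}/"
    return [
        f"add authentication samlAction Azure_SAML_Auth -samlIdPCertName {p['idp_cert']} "
        f"-samlSigningCertName {p['signing_cert']} -samlRedirectUrl \"{p['redirect_url']}\" "
        f"-samlUserField userprincipalName -samlIssuerName {p['issuer']} "
        f"-logoutURL \"{p['redirect_url']}\" -logoutBinding REDIRECT",
        "add authentication Policy Citrix_Gateway_SAML -rule true -action Azure_SAML_Auth",
        "add authentication vserver CitrixGateway_AAA_SAML SSL 0.0.0.0",
        "bind authentication vserver CitrixGateway_AAA_SAML -policy Citrix_Gateway_SAML "
        "-priority 100 -gotoPriorityExpression NEXT",
        f"bind ssl vserver CitrixGateway_AAA_SAML -certkeyName {p['signing_cert']}",
        "add authentication authnProfile CitrixGateway_AuthProfile -authnVsName CitrixGateway_AAA_SAML",
        f"add vpn sessionAction Federated_WebReceiver_Profile -defaultAuthorizationAction ALLOW "
        f"-SSO ON -icaProxy ON -wihome \"{wihome_web}\"",
        f"add vpn sessionAction Federated_Native_Profile -defaultAuthorizationAction ALLOW "
        f"-SSO ON -icaProxy ON -wihome \"{wihome_native}\" -clientlessVpnMode OFF",
    ]
```

Running `render_saml_config(SAMPLE)` prints the eight commands ready to paste into the CLI; passing a dictionary that still contains a bracketed value raises before anything is emitted.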
