
SAML Logout Issue with NetScaler Gateway and Azure



Hi All,

 

I've set up a NetScaler Gateway Virtual Server to access a XenApp 7.18 environment and I've configured SAML auth with Azure as the IDP. This is all working for logging on and accessing applications; however, when I trigger the logout in StoreFront, although the SAML logout successfully goes to Azure and logs me out of the IDP, if I immediately browse back to my gateway URL I am still logged in and able to launch applications, which is obviously a big security risk.

 

Anyone encountered this before and have a solution so that when a logoff is initiated it completely kills the session on the NetScaler as well as logs out of Azure?

 

Thanks,

Simon


If you're setting the logout field in SAML, then you'll want to use the one that the Netscaler will detect to invalidate the AAA session. It's poorly documented, but this will be https://your_aaa_hostname/cgi/tmlogout (see this and this doc which mention it).

 

For third party applications that support SAML (and integrate it correctly), someone logging out on the third party application will initiate the third party application invalidating the session for its own application, and then redirecting the user's browser to the SAML logout endpoint above, which will invalidate the AAA session.


Thanks for the suggestions and links. I don't think this URL will work with my setup as whenever I try to go to those links it just redirects me straight to the logon URL for sign in and as the AAA address doesn't match the application reply address it gives me an error.

 

Seems from the links you gave that URL would be more if I was accessing an application via a LBVS where with my setup we are accessing a NetScaler Gateway Virtual Server.


46 minutes ago, Simon Hearnshaw1709158117 said:

Thanks for the suggestions and links. I don't think this URL will work with my setup as whenever I try to go to those links it just redirects me straight to the logon URL for sign in and as the AAA address doesn't match the application reply address it gives me an error.

 

Seems from the links you gave that URL would be more if I was accessing an application via a LBVS where with my setup we are accessing a NetScaler Gateway Virtual Server.

 

Try /cgi/logout. The 'tmlogout' is for AAA vServers.


We had a desire to customize our logout page quite a bit but found trouble doing so with the out-of-the-box options. What we ended up doing was setting our AAA server behind an LBVS (I believe you can do the same with a Gateway vserver) and set up a custom logout URL (/logout). For the request for that logout URL, we switched traffic to an LBVS that served a page via a responder policy, and all other traffic is switched to the AAA server.

 

On the response page of the custom logout page, we nested a hidden element like so:

<img src="/cgi/tmlogout" style="display:none;" />

This causes the browser to load the logout page and then fire another request to the server, which the AAA server handles to invalidate the session.


  • 1 month later...
  • 1 year later...

Came across this thread when I had the same issue with a customer. Here's what I did to resolve it, in case anyone else has the same query.

 

Assuming your store is called SAML, modify script.js in C:\inetpub\wwwroot\Citrix\SAMLWeb\custom on the StoreFront servers, adding the following code -

 

// StoreFront customization hook: hide the StoreFront log off screen
CTXS.Extensions.beforeWebLogoffIca = function() {
    $('#logoff-screen').hide();
    return "none";
};

// Gateway log off hook: send the browser to the NetScaler log off page
// (which in turn calls the SAML logoff path) instead of StoreFront's own
CTXS.Extensions.beforeWebLogoffGateway = function() {
    window.setTimeout(function() {
        window.location.href = "/cgi/logout";
    }, 1);
    return false;
};

 

What this does is call the NetScaler Log Off page, which in turn calls the SAML Logoff path. Users are then shown the Azure AD log off page rather than the StoreFront log off page. Users will be challenged for credentials on next logon.


  • 2 months later...
On 2/26/2020 at 1:27 PM, Paul Cross said:

Came across this thread when I had the same issue with a customer. Here's what I did to resolve it, in case anyone else has the same query.

 

Assuming your store is called SAML, modify script.js in C:\inetpub\wwwroot\Citrix\SAMLWeb\custom on the StoreFront servers, adding the following code -

 

// StoreFront customization hook: hide the StoreFront log off screen
CTXS.Extensions.beforeWebLogoffIca = function() {
    $('#logoff-screen').hide();
    return "none";
};

// Gateway log off hook: send the browser to the NetScaler log off page
// (which in turn calls the SAML logoff path) instead of StoreFront's own
CTXS.Extensions.beforeWebLogoffGateway = function() {
    window.setTimeout(function() {
        window.location.href = "/cgi/logout";
    }, 1);
    return false;
};

 

What this does is call the NetScaler Log Off page, which in turn calls the SAML Logoff path. Users are then shown the Azure AD log off page rather than the StoreFront log off page. Users will be challenged for credentials on next logon.

 

This solution has stopped working since updating to 1912. Anyone else experienced the same issue? Is there another workaround?


  • 1 month later...

This works on my environment

On the Netscaler set the logout URL to https://login.microsoftonline.com/<tenant-id>/saml2

In the enterprise application -> Single Sign on -> Basic SAML settings, set the logout URL to https://<adc-URL>/cgi/logout.

 

Now, when you click on the log out button, it logs out of Azure AD first and then redirects you back to the ADC and logs that session off too. 


  • 1 year later...
On 6/18/2020 at 7:25 AM, Nikolai Schlabitz1709152720 said:

This works on my environment

On the Netscaler set the logout URL to https://login.microsoftonline.com/<tenant-id>/saml2

In the enterprise application -> Single Sign on -> Basic SAML settings, set the logout URL to https://<adc-URL>/cgi/logout.

 

Now, when you click on the log out button, it logs out of Azure AD first and then redirects you back to the ADC and logs that session off too. 

Hello all

I tried this one with both https://<adc-URL>/cgi/logout and https://<adc-URL>/cgi/tmlogout (I am using an AAA server with nFactor) - still does not work. I cannot get to the "log out" page of the ADC.

Any updates on this?

https://support.citrix.com/article/CTX239178 is useless as I run an OS build newer than in the article.

 

Thank you

