Jump to content
Updated Privacy Statement
  • 1

OKTA Netscaler SAML SSO Storefront Errors

Tom Swift


We've followed the set up directions to configure out Netscaler to work with SAML auth using OKTA as the IDP.  Netsclaer 12.0, XA/XD 7.15 LTSR CU2 and Storefront 3.12.  We've had several calls with OKTA support but haven't been able to get an engineer verses in Citrix to get it working.  We got this working two years ago but seems like things have changes and now we can't.


Here's the flow:

1.  User enters https://citirx.mycorp.com

2.  User is redirected to mycorp.okta.com and presented with logon credentials

3.  User enters credentials and is redirected to Storefront but get's an error "Cannot complete your request."

4.  Triggers Event 7 & 10.  If we click the Cannot complete your request button over and over again it will add more error 7 and error 10's the the Application event logs


Error 7:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity. The credentials supplied were; user: administrator domain: mycorp.com


Error 10: 

A CitrixAGBasic Login request has failed. Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=, Culture=neutral, PublicKeyToken=null Authenticate encountered an exception. at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login() System.Net.WebException, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089 The remote server returned an error: (403) Forbidden. Url: ExceptionStatus: ProtocolError ResponseStatus: Forbidden at System.Net.HttpWebRequest.GetResponse() at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req) at Citrix.DeliveryServicesClients.Authentication.TokenIssuingClient.RequestToken(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptedResponseTypes, IDictionary`2 additionalHeaders) at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase clientRequest, Boolean& passwordSupplied) 


As far as Error 7 is concerned the password is complex, with 11 characters, uppercase, lowercase, numbers and symbols.  Of course if we remove SAML from the Netscaler Gateway authentication method for the XenApp access VIP and go with LDAP it works flawlessly.



They will not help us without having FAS running.


OKTA has Youtube video's saying it'll work withouht FAS.


Two years ago when we did this I don't think we use ADFS or FAS (didn't exist in Citrix Xendesktop 7.9)


Any input would be greatly appreciated.





Link to comment

Recommended Posts

  • 0

Here we are in 2023, and this thread helped me too.  Only bit I ended up needing was a tick in the box in Storefront config for 'Fully delegate credential validation to the Netscaler' - but that was the little bit of magic required.   Thanks Tom!


Onwards to the FAS part now...

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...