Jump to content
Welcome to our new Citrix community!

ADC AAA login with SAML and then SSON with SAML to backend

Onno Kuipers

Recommended Posts

I want to allow access to an intranet from the internet via Citrix ADC (Netscaler). The back end intranet server uses SAML to login. I also want the ADC to use SAML login.


I already created a LBVS with a AAA-VS which is using SAML as first factor (and ldap as second factor for group extraction). First login to ADC is working fine; users are redirected to the adfs-proxy and after succesfull login they are redirected back to the ADC LBVS. But then...... I want a SAML SSON to the backend server (which is only accessable to users via the ADC) so users don't have to login again. At this moment, after a succesfull login to ADC, the intranet is displayed with error "SAML Single Sign On failed."


I am not even sure if this is possible! But I now there is something in the ADC with the name "SAML SSO Profiles" under Traffic Policies, which suggests maybe this is possible. I cannot find enough documentation about this.



Link to comment
Share on other sites

  • 2 months later...

I think the main problem is your adfs-proxy (are you using ms wap?). You have to setup your ADC as a SAML IDP for your Intranet Application. So in the traffic flow there should only be your ADC and your intranet application, no adfs / adfs-proxy or sth else.


You can compare the setup with the following article from Jason https://www.jasonsamuel.com/2015/10/05/how-to-setup-citrix-sharefile-single-sign-on-using-saml-idp-on-netscaler/ just replace the ShareFile Application with your Intranet Application, it's a good example for SAML SSO.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...