Jump to content
  • 0

Passing SAML Cookie to Chrome Workspace App on chromebook


Marvin Sevenhoven

Question

Hi there,

 

I've been following the following guides to try and get the SAML cookie to work within the Workspace App on a chromebook ( the web-store version)

 

https://docs.citrix.com/en-us/citrix-workspace-app-for-chrome/configure.html#configuring-single-sign-on-sson-with-google-and-citrix-using-saml-authentication

https://chrome.google.com/webstore/detail/saml-sso-for-chrome-apps/aoggjnmghgmcllfenalipjhmooomfdce

 

However I'm starting to run into issues when launching the citrix workspace app. It works till a certain point. ill describe the process t

 

  1. The chromebook is started
  2. Chromebook tells me its managed by my company, and offer me to log in
  3. i get redirected to the login screen of my SAML idp  ( helloid)
  4. i log in, get redirected back and logged in. 
  5. i get presented with my desktop screen, with the citrix app pinned to my taskbar.
  6. I open the citrix receiver app. the configuration tells it to directly connect to the storefront since it can reach the internal beacon
  7. storefront redirects me to my SAML IDP.
    --- so far so good ---
  8. SAML IDP supplies me a login screen  

 

step 8 is not supposed to happen. When the app redirects me to the SAML provider, it should have access to my cookie and thus I should be logged in, and redirected to the storefront with a SAML envelope. In the guide it is explained that you should use the "SAML SSO for chrome apps"  extension to make sure the citrix workspace app has access to the cookies for the SAML provider. However, this doesn't seem to work.

 

If after step 5, i open a chrome browser instead and visit the storefront endpoint manually, everything works as intended. The storefront redirects me to my SAML idp, it has access to the cookie, will log me in automatically and redirect me back.

 

Unfortunately the citrix Workspace app doesn't provide logging about cookies, so all i see is the storefront redirecting to the website of the saml IDP which in turn redirects me to it's login form.

 

Is there any extra steps i can take towards debugging this? or can someone verify me that this guide still up-to-date and working?

Link to comment

6 answers to this question

Recommended Posts

Another progress report on the debugging...

I have been using the chrome debugger on the SAML SSO extension to see if it works properly. It works as expected and does supply the correct cookies in the calback towards de Citrix Workspace app. So it looks like the issue stated above isn't relevant.

 

Is there any way i can inspect the web-requests sent by the app to check if the correct cookies are supplied towards the SAML idP?

Link to comment

I found the cause i think.

 

image.thumb.png.dbb92854ec95668b98c9bc5aed22bd50.png

 

Since chrome 72, it is no longer allowed to set cookies in the "onHeadersReceived" event of a webview  request in chrome apps. This technique is used by the "Citrix Workspace"  app to set the cookies received from the "SAML SSO for chrome apps"  extension and to supply them to the webview. However, since this no longer works, the cookies don't actually get supplied. Causing the method explained in the documentation to no longer work since chrome version 72.

 

Ultimately, it comes down to it that Citrix Workspace app is unable to set the cookies in the webview.

Link to comment

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...