Jump to content
Welcome to our new Citrix community!

Display helpful user error if no SAML policy is found

Ross Bender

Recommended Posts

We have SAML IdP policies set up for SSO to various applications, and some of the policies are only available for a subset of our users. In this scenario, when a user without access tries to access the application, they get the unhelpful error:

Malformed Assertion sent to Netscaler; Please contact your administrator

I would like to be able to customize a default page that users will see in this event, where they have tried a SAML login but none of the policies are invoked.


Is anyone aware of how this can be done on the AAA server?

Link to comment
Share on other sites

Hi Ross,


what I do for displaying another error message as the default AAA "Error: Not a privileged User" is to create a responder HTML Page. I think this could work for your scenario,too, because you are also using AAA.


Try the following (you have to do this in GUI, can't be done via CLI):


Go to AppExpert –> Responder –> HTML Page Imports

Create a new (example with Name "html_owa") with your preferred error message.


Create a responder Action and bind it to your LB vServer / CS / AAA with a filtering of your Group



#OWA Deny Responder
add responder action resp_act_owa_deny respondwithhtmlpage html_owa -responseStatusCode 200
add responder policy resp_pol_owa_deny "HTTP.REQ.USER.IS_MEMBER_OF(\"External-OWA\").NOT" resp_act_owa_deny
bind lb vserver lb_vsrv_ex2016_owa -policyName resp_pol_owa_deny -priority 100 -gotoPriorityExpression END -type REQUEST


Hope this helps




  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...