Bruce McDonald Posted July 8, 2019
Hello, I have just gone live with an IAM platform, Okta, and integrated Citrix, which uses SAML SSO. Everything works as expected except: when a user logs into the Okta portal and clicks Citrix, which SAML SSO's to StoreFront 3.6, this opens the connection in a new tab, and then when the user either closes the tab or logs out of StoreFront they cannot access Citrix through Okta again unless they completely shut their browser down and re-sign into Okta. The logout URL that is part of the SAML policy is not logging the session off properly. I logged a ticket with Okta and they said it was a Citrix NetScaler issue. Has anyone seen this issue before? All I need is a logout URL that actually logs out... The logout URL I set on the NetScaler is off Okta's Citrix/SAML setup guide. It's not a massive problem, but now it's live I am getting a number of requests from people saying they cannot log back in; they have to fully close their browser down and open it to get back in, and it's annoying. This is the logout URL: https://mycompanyname.okta.com Thank you.
Jim Grimm1709160134 Posted July 8, 2019
Take a look at this discussion: https://support.okta.com/help/s/question/0D50Z00008G7V7WSAV/saml-through-netscaler-to-citrix-storefront-anyone Lots of good information (and follow-up from the OP on that thread), but the discussion seems to lead to Federated Authentication Services being required. https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service.html
Bruce McDonald (Author) Posted July 8, 2019
Thanks for the link Jim. FAS is set up and working. Everything is working. I tested this quite extensively on a test Citrix environment before going live. It's this darn logout URL which, I might add, logs the user out, but then the only way to log back in is to completely close the browser down, open it, and log back into Okta/Citrix.
Sam Jacobs Posted July 8, 2019
Have you tried the following URL? https://<NetScaler FQDN>/cgi/logout ?
Jim Grimm1709160134 Posted July 8, 2019
The following blog has a walkthrough example that includes the following for the logout URL: https://blogs.serioustek.net/post/2016/11/10/netscaler-saml-okta
Quote: https://domain.oktapreview.com/login/signout
Bruce McDonald (Author) Posted July 8, 2019
22 minutes ago, Sam Jacobs said: Have you tried the following URL? https://<NetScaler FQDN>/cgi/logout ?
Thanks for your suggestion, but no dice I'm afraid. I get the same issue: I have to close the browser down completely to log back on.
Sam Jacobs Posted July 8, 2019
I believe this might be what you're looking for: Please close your browser to protect your account
Bruce McDonald (Author) Posted July 8, 2019
29 minutes ago, Sam Jacobs said: I believe this might be what you're looking for: Please close your browser to protect your account
Thanks again, but same problem. I added the line into the script.js file, restarted the Citrix StoreFront server (on the test environment, of course) and got the same issue, the same error about "cannot log on using smart card".
Bruce McDonald (Author) Posted July 8, 2019
48 minutes ago, Jim Grimm1709160134 said: The following blog has a walkthrough example that includes the following for the logout URL: https://blogs.serioustek.net/post/2016/11/10/netscaler-saml-okta
I've tried the different logout URL and the same error, same issue is occurring. https://mycomanyname.okt.com/cgi/signout and same issue. In the comments under this post it mentions the signout URL is this format: https://fqdn.authvserver.com/cgi/tmlogout I am trying to work out how to get that into the NetScaler. Is fqdn the NetScaler? Is authvserver my NetScaler Gateway?
Bruce McDonald (Author) Posted July 9, 2019
20 hours ago, Sam Jacobs said: I believe this might be what you're looking for: Please close your browser to protect your account
Sam, you are on the money with this reply; however, it doesn't work on StoreFront 3.6, it only works on 3.8 and newer. Thanks for your help. http://blog.sachathomet.ch/2017/01/03/storefront-allowreloginwithoutbrowserclose/
Chris Fitz-Gerald Posted March 20, 2020
Old thread, but I found this which might help you: https://support.citrix.com/article/CTX230620 It says this behavior is fixed in StoreFront 3.15 and later. I haven't tried yet, but will soon.