
Netscaler as SAML IdP Dynamic Consumer Assertion URL



Hi.

I am sure that this is possible, but I am struggling to get the config right.

I have Netscaler set up as IdP for a SaaS application. This works as expected. 

User goes to URL: https://app.domain.com/

Gets redirected to NetScaler for auth: https://auth.nsdomain.com/logon

User enters credentials and is then redirected back to the Consumer Assertion URL that I have entered in the IdP profile: https://app.domain.com/login.php?module=login

This brings the user to the default home page.


There are however several modules in the application. So now, if the user receives a link to a specific module or even a record within the module, the login redirects to the Consumer Assertion URL post login. 

So now it looks like this:

User goes to URL: https://app.domain.com/login.php?module=login&login_module=LavaLamps&Record=BlueLamp

Gets redirected to NetScaler for auth: https://auth.nsdomain.com/logon

User enters credentials and is then redirected back to the Consumer Assertion URL that I have entered in the IdP profile: https://app.domain.com/login.php?module=login (back to the normal home page of the app)


How do I get it to change the Consumer Assertion URL based on the request, so that I can tack on the additional information of login_module and Record in this example?

https://app.domain.com/login.php?module=login&login_module=LavaLamps&Record=BlueLamp

The additional information is provided within the SAML request header.

Thanks


What you are looking to do is possible. Check out the following discussions; both have solutions that vary, but both appear to achieve the desired outcome.

https://discussions.citrix.com/topic/396932-saml-idp-initiated-sso-with-aaa-server/

https://discussions.citrix.com/topic/374818-target-url-after-successful-login-to-saml-authentication-provider/

Regarding the RelayState value referenced in the second discussion above, you can search the following documentation for 'RelayState' to read more about the specifics: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

I hope this helps...

22 minutes ago, Siddhartha Sarmah said:

Leave the ACS url blank on IDP profile

Could you elaborate? If the ACS is blank, what does the Netscaler use to generate where the response assertion is sent?


I'm also interested in how this can be accomplished. I searched the above doc for using RelayState and I'm not quite sure how it fits in the picture.


Here is the official Citrix Support article that talks about leaving the ACS URL blank:

https://support.citrix.com/article/CTX230623

Also, regarding the RelayState value, this article talks about it near the top, in the paragraph about the HTTP POST binding.

https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-saml.html
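To show how RelayState fits into the picture (the question two posts up, and the RelayState paragraph in the Citrix document linked above), here is an added example modelling an SP-initiated flow in Python. It is not code from the thread, from Citrix or from NetScaler: the function names are hypothetical, the SAMLRequest/SAMLResponse values are constructed stubs, and the URLs are the ones from the original post. The point it demonstrates is that the IdP profile keeps its fixed ACS URL while the deep link rides along in RelayState, which the IdP echoes back without interpreting; the SP then treats that value as untrusted browser input when choosing where to send the user after login.

```python
"""Added example (not code from the thread, Citrix or NetScaler): a minimal
model of how RelayState carries a deep link through an SP-initiated SAML
flow. All function names are hypothetical; the SAMLRequest/SAMLResponse
values are constructed stubs, since signing and validating assertions is
not what the thread is about."""
import base64
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SP_ORIGIN = "https://app.domain.com"                       # from the thread
ACS_URL = "https://app.domain.com/login.php?module=login"  # fixed ACS URL from the thread
IDP_SSO_URL = "https://auth.nsdomain.com/logon"            # IdP logon URL from the thread


def normalize_relay_state(requested_url: str) -> Optional[str]:
    """SP side: reduce the requested deep link to a path?query on our own
    origin, or return None when it must not be carried (empty, off-origin,
    protocol-relative, backslash tricks, or over the spec's size limit).
    Doing this on the way out and again on the way back keeps the login
    flow from acting as an open redirect."""
    if not requested_url:
        return None
    parts = urlparse(requested_url)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc != urlparse(SP_ORIGIN).netloc:
            return None
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return None
    if len(target.encode("utf-8")) > 80:  # SAML 2.0 Bindings 3.1.1: RelayState is at most 80 bytes
        return None
    return target


def sp_build_redirect(requested_url: str) -> str:
    """SP side: send the browser to the IdP. The deep link travels in
    RelayState; the SAMLRequest itself does not depend on it."""
    relay_state = normalize_relay_state(requested_url) or "/"
    authn_request = base64.b64encode(b"<samlp:AuthnRequest/>").decode()  # constructed stub
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": authn_request, "RelayState": relay_state})


def idp_handle_request(redirect_url: str, acs_url: str = ACS_URL) -> str:
    """IdP side: answer with the HTTP-POST binding form. RelayState is copied
    back verbatim; the IdP never interprets it, which is why a fixed ACS URL
    in the IdP profile does not lose the deep link."""
    query = parse_qs(urlparse(redirect_url).query)
    relay_state = query.get("RelayState", [""])[0]
    saml_response = base64.b64encode(b"<samlp:Response/>").decode()  # constructed stub
    return (
        f'<form method="post" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{saml_response}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        "</form>"
    )


def parse_post_form(form_html: str) -> dict:
    """Browser/SP side: pull the hidden fields out of the auto-submitted form."""
    fields = re.findall(r'name="([^"]+)" value="([^"]*)"', form_html)
    return {name: html.unescape(value) for name, value in fields}


def sp_consume(posted: dict) -> str:
    """SP side at the ACS URL: after the SAMLResponse has been validated (not
    shown), pick the post-login destination from RelayState, re-checking it
    because it arrives from the browser, and fall back to the home page."""
    target = normalize_relay_state(posted.get("RelayState", ""))
    return SP_ORIGIN + target if target else ACS_URL


if __name__ == "__main__":
    deep_link = "https://app.domain.com/login.php?module=login&login_module=LavaLamps&Record=BlueLamp"
    form = idp_handle_request(sp_build_redirect(deep_link))
    print(sp_consume(parse_post_form(form)))  # lands on the deep link, not the home page
```

Two design points worth noting: the SP stores a relative path rather than the full URL in RelayState, which keeps it inside the 80-byte limit the SAML bindings specification puts on the field, and the same normalisation runs again on the returned value, since nothing stops a browser from posting an arbitrary RelayState to the ACS URL.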

3 hours ago, Siddhartha Sarmah said:

Leave the ACS url blank on IDP profile


In a perfect world, that would be the answer. Except that the SAML request is not coming through as I would like it to. The app has a fixed ACS in the request. Same for every page...

I will see if I can get the developers to send the correct ACS in the request. The information in the request I am receiving is malformed and does not work.


Great answer though. If I can get the devs to sort their end out, you will have saved me hours of trying to work out how to rewrite the response. Let's hope they can.

14 hours ago, Nikolai Schlabitz1709152720 said:

So I managed to get the developers to send the correct ACS in the request. Now the next problem is that the reply adds a bunch of spurious characters to the end of the reply URL that ends with %EF%BF%BD%EF%BF%BDd_last_set=131985530930123152

I'm sure the number would represent a date.

Any ideas?


Those characters are URL encoded. Can you specify the exact flow and explain where things are breaking?

1. SP sends what in the ACS URL field in the SAML request?

2. NS (post auth) redirects the user, using either a 302 or a 200 OK with a form action, to which URL?

3. And the client at the end of all this is going back to the SP with what URL?

On 7/17/2019 at 6:05 AM, Siddhartha Sarmah said:

Those characters are URL encoded. Can you specify the exact flow and explain where things are breaking?

1. SP sends what in the ACS URL field in the SAML request?

2. NS (post auth) redirects the user, using either a 302 or a 200 OK with a form action, to which URL?

3. And the client at the end of all this is going back to the SP with what URL?


1. SP sends this in the ACS field in the SAML request: AssertionConsumerServiceURL="https://my.domain.com/sub/index.php?module=Users&action=Authenticate&login_module=r_Register&login_action=Index"

2. NS responds with 200 and the URL sent is correct, as above: "https://my.domain.com/sub/index.php?module=Users&action=Authenticate&login_module=r_Register&login_action=Index"

3. The client browser then redirects to this: https://my.domain.com/sub/index.php?module=Users&action=Authenticate&login_module=r_Register&login_action=Index%EF%BF%BD%EF%BF%BDt_set=131985530930123152

The destination server then responds with "Bad data passed".

@Nikolai Schlabitz1709152720 I found a known issue where NS, while redirecting, can append some unwanted characters, causing this issue; it is fixed in 12.1.50.x and above. If you are on a lower build, try upgrading to the latest 12.1, or alternatively you can open a support case and provide us with a Fiddler trace; that should make things very clear.
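A check one could run over the URLs from a captured flow like the one above (from a Fiddler trace, say), as an added example that is not from the thread or from Citrix. It uses the two URLs Nikolai posted. %EF%BF%BD is the UTF-8 encoding of U+FFFD, the Unicode replacement character, which is what appears when bytes that were not valid text get converted to text, so the original characters cannot be recovered from the capture; what the check can show is which part of the URL changed, and whether the host or path moved, which would be the more serious case because the assertion would then be posted somewhere other than the SP that asked for it.

```python
"""Added example (not from the thread or from Citrix): compare the ACS URL
the SP requested with the URL the browser actually ended up at, and explain
any difference. The two sample URLs are the ones posted in the thread."""
from urllib.parse import parse_qsl, unquote, urlsplit

REQUESTED_ACS = ("https://my.domain.com/sub/index.php?module=Users&action=Authenticate"
                 "&login_module=r_Register&login_action=Index")
# Observed URL as posted in the thread: the requested ACS URL plus trailing bytes.
OBSERVED = REQUESTED_ACS + "%EF%BF%BD%EF%BF%BDt_set=131985530930123152"


def decode_url(url: str) -> str:
    """Percent-decode as UTF-8. %EF%BF%BD decodes to U+FFFD (replacement char)."""
    return unquote(url)


def find_replacement_chars(url: str) -> int:
    """Count U+FFFD characters: each one marks bytes that were not valid text
    when the URL was produced, so the original content is already gone."""
    return decode_url(url).count("\ufffd")


def diff_query(requested: str, observed: str) -> dict:
    """Return query parameters that were added, dropped, or changed between
    the two URLs, comparing after percent-decoding."""
    req = dict(parse_qsl(urlsplit(requested).query, keep_blank_values=True))
    obs = dict(parse_qsl(urlsplit(observed).query, keep_blank_values=True))
    return {
        "added": {k: obs[k] for k in obs.keys() - req.keys()},
        "missing": {k: req[k] for k in req.keys() - obs.keys()},
        "changed": {k: (req[k], obs[k]) for k in req.keys() & obs.keys() if req[k] != obs[k]},
    }


def diagnose(requested: str, observed: str) -> list:
    """Human-readable findings describing where the observed URL departs from
    the requested ACS URL. A scheme/host/path change is the serious case (the
    assertion would land elsewhere); junk glued onto the last parameter is
    the case seen in the thread, which breaks the SP's parsing of it."""
    findings = []
    r, o = urlsplit(requested), urlsplit(observed)
    for part in ("scheme", "netloc", "path"):
        if getattr(r, part) != getattr(o, part):
            findings.append(f"{part} differs: {getattr(r, part)!r} -> {getattr(o, part)!r}")
    n = find_replacement_chars(observed)
    if n:
        findings.append(f"{n} U+FFFD replacement character(s) in observed URL: "
                        "appended bytes were not valid text")
    d = diff_query(requested, observed)
    for name, (before, after) in d["changed"].items():
        findings.append(f"parameter {name} changed: {before!r} -> {after!r}")
    for name in d["added"]:
        findings.append(f"parameter added: {name}")
    for name in d["missing"]:
        findings.append(f"parameter missing: {name}")
    return findings


if __name__ == "__main__":
    for line in diagnose(REQUESTED_ACS, OBSERVED):
        print(line)
```

Run against the thread's URLs, the host and path come out identical and the only change is that login_action no longer reads Index but Index followed by two replacement characters and the appended t_set value, which is the "Bad data passed" the SP complained about.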
