SAML Authentication with Microsoft Azure Enterprise App Error - SAML Assertion Verification failed; please contact your administrator

We have set up SSO between our Citrix ADC and the Azure AD Citrix NetScaler Enterprise App.

Authentication works fine and we are directed to Azure. Once authenticated, instead of being redirected back to the NetScaler, the error "SAML Authentication with Microsoft Azure Enterprise App Error - SAML Assertion Verification failed; please contact your administrator" appears straight away in the browser.

I am looking to see whether the config is correct on both the Azure and Citrix sides.

As the NetScaler license is Standard, we cannot use Advanced AAA auth profiles. Instead, a basic SAML authentication profile is created.

Thanks

You might want to play with the encryption settings (assertion/signing/digest). Sometimes we face this error when the encryption settings in the request from the service provider (Azure) don't match on the identity provider (NetScaler).

It would also be helpful if you could post the raw metadata XML file from Azure.

Can you also share your NS config for the SAML profile?

We had a scenario like this, and the attribute names we configured in the SAML profile (the ones sent as part of the response from NS) had to be attribute names like "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress". Example:

add authentication samlIdPProfile TestSsoProfile -samlIdPCertName star.myorg.org-prod-2017-12 -assertionConsumerServiceURL "https://vendorurl.com/Saml2/Acs" -samlIssuerName "https://auth.myorg.org" -rejectUnsignedRequests OFF -signatureAlg RSA-SHA256 -digestMethod SHA256 -audience "https://vendorurl.com" -NameIDFormat emailAddress -NameIDExpr "AAA.USER.ATTRIBUTE(1).TO_LOWER" -Attribute1 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -Attribute1Expr "AAA.USER.ATTRIBUTE(1).TO_LOWER" -serviceProviderID "https://vendorurl.com"

Hi,

As you describe it, we get a SAML AuthnResponse from the Azure IdP to the NetScaler and the NetScaler is not accepting the AuthnResponse.

Basically there can be two reasons for that:

1) The Status in the AuthnResponse is not Success.

In this case the IdP does not allow the user to log in to the application.

2) The NetScaler is not able to validate the SAML AuthnResponse, does not trust it, and therefore does not grant access.

In your ns.conf file there is this policy currently bound to a vserver.

add authentication samlAction vpn-saml-server -samlIdPCertName ns-server-certificate -samlRedirectUrl "https://login.microsoftonline.com/ddd1a34f-2ab0-4139-9ac9-5f5e0e5377a2/saml2" -logoutURL "https://login.microsoftonline.com/ddd1a34f-2ab0-4139-9ac9-5f5e0e5377a2/saml2" -logoutBinding REDIRECT

The first thing that cannot be correct is ns-server-certificate as the IdP certificate. This must be the certificate from the metadata URL. No problem, you can extract it from there and upload it to the NetScaler.

So my suggestion would be the following:

Install some kind of SAML tracer in your browser and do a login. What is the SAML AuthnResponse? Is the Status Success?

Try to extract the certificate from the metadata URL you got and import it into the NetScaler. I prefer, just to be sure, to use some kind of converter to get the header correct (e.g. https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate).

And try again.

Best Regards,

Mary
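An added example, not from this thread or from Citrix, in Python using only the standard library: it triages a SAML Response captured with a browser SAML tracer along the two lines Mary describes, first the Status code, then whether the certificate the response is signed with is one of the signing certificates published in the IdP federation metadata (the mismatch you get when ns-server-certificate is configured instead of the Azure certificate). The XML, the certificate bytes and the tenant placeholder are all constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes; tolerates the line breaks metadata adds."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def idp_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of the signing certs the IdP federation metadata publishes."""
    root = ET.fromstring(metadata_xml)
    return {cert_fingerprint(c.text)
            for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"  # no 'use' attribute covers both uses
            for c in kd.findall(".//ds:X509Certificate", NS)}

def triage_response(response_xml: str, metadata_xml: str) -> str:
    """Returns 'status:<code>', 'unsigned', 'cert_mismatch' or 'ok' (Mary's two failure classes)."""
    root = ET.fromstring(response_xml)
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    code = sc.get("Value", "missing") if sc is not None else "missing"
    if code != SUCCESS:
        return "status:" + code.rsplit(":", 1)[-1]  # e.g. status:Requester
    certs = root.findall(".//ds:Signature//ds:X509Certificate", NS)
    if not certs:
        return "unsigned"
    trusted = idp_signing_fingerprints(metadata_xml)
    return "ok" if all(cert_fingerprint(c.text) in trusted for c in certs) else "cert_mismatch"

# Constructed stand-ins for DER certificate bytes (not real X.509 data).
IDP_CERT = base64.b64encode(b"constructed Azure AD signing cert").decode()
NS_CERT = base64.b64encode(b"constructed ns-server-certificate").decode()
METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

def sample_response(cert: str, code: str = SUCCESS) -> str:
    """Constructed minimal Response, as a SAML tracer would show it, signed with `cert`."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}">'
            f'<samlp:Status><samlp:StatusCode Value="{code}"/></samlp:Status>'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')
```

With a real capture, paste the decoded Response and the federation metadata XML in place of the constructed strings; a cert_mismatch result points at the -samlIdPCertName setting rather than at Azure.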
