
ADC Gateway Form-Based Single Sign On to Web Applications issue

Joseph Tuttle


Good afternoon folks,


Many thanks in advance. I am currently working on SSO for a couple of Gateway bookmarks that are proving to be quite a challenge. I currently have our Intranet and SharePoint (Windows Auth) and OWA (forms SSO) working. Two apps are being a challenge: one is a commercial application and the other is in-house. With both, I am attempting to do forms-based. There does not seem to be a ton of information about the logging process as well. Can anyone shed any light on that? Much appreciated!


Starting with the commercial application:


 - Using Advanced CVPN

 - Bookmark URL is: https://FQDN.FQDN.org/APP/

 - Login screen loads and functions as a bookmark with manual login to the app

 - Examined HTML file for login form information (method: POST; action: /APP/Account/Login/Default.aspx; Username form object: UserName; Password object: Password).

 - Traffic policy: HTTP.REQ.HOSTNAME.EQ("fqdn.fqdn.org")

 - Traffic profile: SSO - ON:

 - Traffic profile: SSO User Expression - AAA.USER.ATTRIBUTE(1) - The LDAP object has mail configured for Attribute 1 - email is required for Username

 - Traffic profile: SSO Password Expression - AAA.LOGIN.PASSWORD

 - Form SSO Profile Action URL: /APP/Account/Login/Default.aspx

 - Form SSO Profile Username Field Value: UserName

 - Form SSO Profile Username Field Value: Password

 - Form SSO Success Criteria: HTTP.RES.SET_COOKIE.EXISTS("SID") - This cookie is placed on successful login and removed on logout or session expiry

 - Form SSO Name Value Pair: Tenant=support.sccourts.org&IsUrlSharedByTenants=False&ClientTimeOffset=0&ClientTimezoneName=&ReturnUrl=&PrefferedRole=&IsForgotPasswordAllowed=True&

        (cont) IsFrame=False&OpenIDSignIn=&SsoReturnUrlvalue=

 - There is another name value pair item that I am not sure about - it's a random string that I would have to get into the form profile on page load - Shown in the HTML below as "__RequestVerificationToken".

 - Form SSO Response Size: 24000 - I made this large for testing

 - Form SSO Extraction: Static - Although I have tried both

 - Form SSO Submit Method: POST

 - There is auth logging in the application itself. There appears to never even be an attempt to auth. This is confirmed with PCAPs. I see no POST.


Output of SSO Logging (nsconmsg -g sso_ -d current -s disptime=1) - Is there a document as to the meaning of the logging items below? Some more details would be great.


On click, the new tab launches and the following is logged:


reltime:mili second between two records Sun Sep  6 19:16:23 2020
  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no&time
      0    7000        1683524          1        0 svpn_tot_sso_cache_miss  Sun Sep  6 19:16:23 2020


Then the login page will display after about 10 seconds of spinning and the following is added to the log:



      1   28000        1683536         12        1 svpn_tot_sso_cache_miss  Sun Sep  6 19:16:51 2020
      2       0            151         13        1 svpn_tot_sso_failures  Sun Sep  6 19:16:51 2020
      3       0            462         13        1 svpn_tot_sso_post_reqs_gen  Sun Sep  6 19:16:51 2020
      4       0            343          1        0 svpn_tot_sso_ck_hdr_inserted  Sun Sep  6 19:16:51 2020

So I get 1 cache miss on click, another after the failure and then the 3 other items. These values do increment during testing, so I am sure they are related, but I have no idea what they mean or really point to. I have tried different iterations/values to try to determine the failure, but without understanding the logging, that is a challenge.


Any help is MUCH appreciated







<form action="/APP/Account/Login/Default.aspx" class="form-horizontal" method="post" role="form">
  <input name="__RequestVerificationToken" type="hidden" value="dfQgFclHjKzhdpKXyZC4jeUt4LVvVvGxGCNcGb-aMtEvltyHuSoz28gPEzisfQihZuay0ypf4-cwr2liiEX1hkKoj2Y1" />
  <div class="form-group">
    <label class="hidden-xs col-sm-3 col-md-3 control-label" for="UserName">User name</label>
    <div class="col-xs-12 col-sm-8">
      <input autocomplete="off" class="form-control has-success has-feedback" id="UserName" name="UserName" placeholder="User Name" type="text" value="" />
    </div>
  </div>
  <div class="form-group">
    <label class="hidden-xs col-sm-3 col-md-3 control-label" for="Password">Password</label>
    <div class="col-xs-12 col-sm-8">
      <input autocomplete="off" class="form-control" id="Password" name="Password" placeholder="Password" type="password" />
    </div>
  </div>
  <input id="Tenant" name="Tenant" type="hidden" value="FQDN.FQDN.org" />
  <input id="IsUrlSharedByTenants" name="IsUrlSharedByTenants" type="hidden" value="False" />
  <input id="ClientTimeOffset" name="ClientTimeOffset" type="hidden" value="0" />
  <input id="ClientTimezoneName" name="ClientTimezoneName" type="hidden" value="" />
  <input id="ReturnUrl" name="ReturnUrl" type="hidden" value="" />
  <input id="PrefferedRole" name="PrefferedRole" type="hidden" value="" />
  <input id="IsForgotPasswordAllowed" name="IsForgotPasswordAllowed" type="hidden" value="True" />
  <input id="IsFrame" name="IsFrame" type="hidden" value="False" />
  <input id="OpenIDSignIn" name="OpenIDSignIn" type="hidden" value="" />
  <input id="SsoReturnUrl" name="SsoReturnUrl" type="hidden" value="" />
  <div class="form-actions">
    <button type="submit" class="btn btn-primary">Login</button>
    <a class="x-login-external-provider-link" href="/APP/Account/SsoLogin?provider=Automated%20Login">Sign in with Automated Login</a>
    <a href="/APP/Account/ForgotPassword">Forgot Password?</a>
  </div>
</form>








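An added example, not part of the original post and not Citrix tooling: a Python check that diffs a form SSO profile against the login form the application actually serves, using two fetches of the page to find hidden fields (such as the `__RequestVerificationToken` described above) whose value changes per load and so cannot be supplied as a static name-value pair. The `PROFILE` dict layout and the function names are assumptions; the sample form is a shortened, constructed copy of the one in the post with made-up token values.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

class LoginForm(HTMLParser):
    """Collect the first form's action/method and every named <input> on the page."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, None, {}  # fields: name -> (type, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action, self.method = a.get("action"), (a.get("method") or "get").upper()
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = (a.get("type") or "text", a.get("value") or "")

def parse_form(html):
    parser = LoginForm()
    parser.feed(html)
    return parser

def audit(profile, fetch1, fetch2):
    """Diff a form SSO profile (hypothetical dict layout) against two fetches of the login page."""
    f1, f2 = parse_form(fetch1), parse_form(fetch2)
    pairs = dict(parse_qsl(profile["nv_pairs"], keep_blank_values=True))
    hidden = {n for n, (t, _) in f1.fields.items() if t == "hidden"}
    return {
        "action_matches": profile["action_url"] == f1.action,
        "method_matches": profile["method"].upper() == f1.method,
        "cred_fields_present": {profile["user_field"], profile["pass_field"]} <= set(f1.fields),
        "hidden_not_in_profile": sorted(hidden - set(pairs)),
        "profile_not_in_form": sorted(set(pairs) - hidden),
        # A hidden value that differs between fetches cannot be a static name-value pair.
        "per_request_fields": sorted(n for n in hidden if f1.fields[n] != f2.fields.get(n)),
    }

# Constructed sample: field names as written in the post, shortened; token values are made up.
FORM = ('<form action="/APP/Account/Login/Default.aspx" method="post">'
        '<input name="__RequestVerificationToken" type="hidden" value="{tok}" />'
        '<input id="UserName" name="UserName" type="text" value="" />'
        '<input id="Password" name="Password" type="password" />'
        '<input name="Tenant" type="hidden" value="FQDN.FQDN.org" />'
        '<input name="IsFrame" type="hidden" value="False" />'
        '<input name="SsoReturnUrl" type="hidden" value="" /></form>')
PROFILE = {"action_url": "/APP/Account/Login/Default.aspx", "method": "POST",
           "user_field": "UserName", "pass_field": "Password",
           "nv_pairs": "Tenant=FQDN.FQDN.org&IsFrame=False&SsoReturnUrlvalue="}
REPORT = audit(PROFILE, FORM.format(tok="CONSTRUCTED-A"), FORM.format(tok="CONSTRUCTED-B"))

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

Against real pages, pass the HTML of two separate loads of the login URL as `fetch1` and `fetch2`.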
