Netscaler as IDP with SAML Logout issue


David Hood

Hi

I have set up Google/G Suite as a SAML IdP within my NetScaler Gateway, and that seems to pretty much work. When I go to the gateway URL I need to sign in with my G Suite account, and I can see and launch desktops.

However, when I click logoff it appears to sign out correctly; if I then return to the gateway URL I am automatically logged back in without a prompt to re-login. Same even if I close the browser. I think there is some cookie or something being left behind....

In my SAML policy I have the single logout URL set as

https://gatewayfqdn/cgi/logout

and I don't see any errors in the browser during the logoff. I have read a similar thread that relates to Okta and the signoff URL being something.okta.com, but I cannot see any mention of similar for Google/G Suite.

NS is 12.1

Any assistance is much appreciated.... I was expecting issues during login, not during logout. :-)

Dave

(attachment: saml logoff.png)


On 10/2/2020 at 4:24 AM, David Hood said: [quotes the original post above]

Hello,

Could you please try to log on, log out and then check on the ADC using PuTTY with the following command:

show aaa session

Please confirm whether the user's session is still present.

Also, what is the exact firmware of your ADC?

Thanks

Arnaud


Hi Arnaud

Thanks for taking the time to reply.

When I log out and run that command I don't see any sessions.

When I open the URL it immediately signs me back in, and I see 3 sessions for my user account via the CLI.

If I clear my cookies in my browser I am prompted to log back into Google etc.

So it is as though some cookie isn't being deleted when I log out, but I am now into areas of NetScaler that I don't really have any experience in, tbh.

The firmware is NS12.1 59.16.nc.

(attachment: ns1.thumb.png)


5 hours ago, Arnaud Pain said: [quotes the reply above]

Found this in the Google FAQ:

How can the non-persistent session cookie that identifies a user during a browser session be deleted (e.g. upon logout)?

After successful authentication via SAML, Google sets a session cookie to identify a user's session. When the user explicitly logs out (e.g. by clicking the logout button), this cookie needs to be destroyed. If your implementation involves persistent session management ("remember me on this computer" functionality), you may need to control how and when this cookie is destroyed. Upon logout, Google redirects to your logout servlet. In your logout servlet, you may present the user with some options that could determine whether the session cookie should be deleted or not.

I assume the logout servlet is perhaps that /cgi/logout page that appears, but how the hell do you delete that cookie? :-)


10 hours ago, David Hood said: [quotes the post above]

Hello,

Did you look here: https://discussions.citrix.com/topic/398513-saml-logout-issue-with-netscaler-gateway-and-azure/

It's explained for Azure, but I think it should work with Google.

Unfortunately I do not have a G Suite account to test with.

Thanks

Arnaud


8 minutes ago, Arnaud Pain said: [quotes the reply above]

Hi

Yeah, I've seen that, but the thing seems to be that G Suite doesn't provide an SLO URL, so I'm not sure what to do.....


13 minutes ago, Arnaud Pain said:

 

Thanks again; however, the article is for people wanting to use the NetScaler as the IdP for G Suite logins, whereas I am looking for the reverse (so folk log into NetScaler using their G Suite creds).

Thanks for the KB article, but I'm not sure where/how I would apply that. If I look in the gateway traffic policies I don't see an option for logout? I assume it would need to be a gateway traffic policy?

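For anyone following this thread, here is an added example (not Citrix/NetScaler or Google code; the gateway and IdP URLs, the user identifier and the session index are constructed placeholders) showing what the "single logout URL" in a SAML policy exists to carry: the SP-initiated LogoutRequest that the service provider sends to the IdP's SLO endpoint using the HTTP-Redirect binding, and the check of the LogoutResponse that comes back. In SAML terms the SLO URL belongs to the IdP, not to the gateway itself. If the IdP publishes no SLO endpoint there is nowhere to send this message, and the IdP's own session cookie, which is scoped to the IdP's domain and cannot be expired by a Set-Cookie from the gateway's /cgi/logout page, stays valid, so the next visit to the gateway re-authenticates silently, which is exactly the symptom described above.

```python
"""SP-initiated SAML 2.0 Single Logout helpers (HTTP-Redirect binding).

Added illustration only; not NetScaler, Citrix or Google code.
All URLs and identifiers passed in below are constructed sample values.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index):
    """Return the LogoutRequest XML an SP sends to the IdP's SLO endpoint.

    Destination must be the IdP's SLO URL; NameID/SessionIndex identify the
    IdP-side session that should be terminated.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_request_fields(xml_text):
    """Extract the fields an IdP would act on from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "NameID": root.findtext(f"{{{SAML}}}NameID"),
        "SessionIndex": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.

    The result is the SAMLRequest= query parameter (a real SP also adds a
    Signature over it; omitted here for brevity).
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(raw).decode(), safe="")


def decode_redirect(param):
    """Inverse of encode_redirect: what the IdP does with the query parameter."""
    raw = base64.b64decode(unquote(param))
    return zlib.decompress(raw, -15).decode()


def sample_logout_response(in_response_to, status_value=STATUS_SUCCESS):
    """Constructed IdP LogoutResponse (sample only; a real one is signed)."""
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2020-10-02T04:24:00Z" '
        f'InResponseTo="{in_response_to}">'
        f"<saml:Issuer>https://idp.example.test</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status_value}"/></samlp:Status>'
        f"</samlp:LogoutResponse>"
    )


def logout_response_succeeded(xml_text, expected_request_id=None):
    """True only if the IdP reports Success for the request we actually sent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return False
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        return False  # response to some other request: do not treat as logged out
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == STATUS_SUCCESS


if __name__ == "__main__":
    req_xml = build_logout_request("https://gateway.example.test",
                                   "https://idp.example.test/slo",
                                   "dave@example.test", "_sess1")
    fields = logout_request_fields(req_xml)
    print("redirect to:", fields["Destination"] + "?SAMLRequest=" + encode_redirect(req_xml)[:40] + "...")
    print("IdP says logged out:", logout_response_succeeded(sample_logout_response(fields["ID"]), fields["ID"]))
```

The InResponseTo check matters on the SP side: a gateway should only tear down its own session state as "IdP-confirmed" when the response matches the request it issued. With an IdP that has no SLO endpoint, none of this exchange can happen, and the only remaining options are on the IdP side (ending the IdP session there) or in the user's browser (clearing cookies, as observed in the thread).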
