Netscaler as IDP with SAML Logout


David Hood


Hi

 

I have set up Google/GSuite as a SAML IdP within my NetScaler Gateway, and that seems to pretty much work. When I go to the gateway URL I need to sign in with my GSuite account, and I can see and launch desktops.

 

On the Gateway I have configured one basic SAML authentication policy, with no advanced authentication; it's as simple as I can get it, to be honest.

 

However, when I click log off it appears to sign out correctly, but if I return to the gateway URL I am automatically logged back in without a prompt to log in again. The same happens even if I close the browser. I think there is some cookie or something being left behind...

 

In my SAML policy I have the single logout URL set as https://gatewayfqdn/cgi/logout. I have also tried /vpn/logout.html but get the same issue.

 

I don't see any errors in the browser during the logoff. I have read a similar thread that relates to Okta and the sign-off URL being something.okta.com, but I cannot see any mention of anything similar for Google/GSuite.

 

NS is 12.1 

 

Any assistance is much appreciated.... I was expecting issues during login, not during logout. :-) 

 

Dave


6 hours ago, Dennis Parker said:

Your Single Logout (SLO) URL should be something from GSuite, not your ADC FQDN. 

I have no personal experience with GSuite, so I don't know whether GSuite supports SLO or not, but a quick search found issues from a couple of years ago saying they don't support SLO.
https://github.com/onelogin/php-saml/issues/299

 

 

Hi Dennis,

 

Thanks for taking the time to reply. I am into the dark arts of NetScaler, which I don't fully understand, to be honest! :-)

 

I did try to find the logout URL, but GSuite doesn't seem to provide that information, perhaps, as you suggested, because it doesn't support it. I honestly don't know what to put into that field then.

 

However, surely there is some workaround for this? It seems odd that Microsoft in Azure AD supports that method but GSuite doesn't. To my simple brain that seems like quite the security hole?

 

What I can say is that if I clear my cookies in the browser it works correctly, so it is as though the log off button in the NetScaler isn't clearing the Google authentication cookie (or something like that, perhaps). I am wondering if there is a method to clear that by some other policy or similar workaround.

 

I was feeling quite chuffed that I got it all to work with FAS etc., only to be stopped in my tracks by this!

 

The Google FAQ says:

 

How can the non-persistent session cookie that identifies a user during a browser session be deleted (e.g. upon logout)?

After successful authentication via SAML, Google sets a session cookie to identify a user's session. When the user explicitly logs out (e.g. by clicking the logout button), this cookie needs to be destroyed. If your implementation involves persistent session management ("remember me on this computer" functionality), you may need to control how and when this cookie is destroyed. Upon logout, Google redirects to your logout servlet. In your logout servlet, you may present the user with some options that could determine whether the session cookie should be deleted or not.

 

I assume the logout servlet is perhaps that /cgi/logout page that appears, but how the hell do you delete that cookie? :-) 

 

Cheers

 

Dave

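For what the "single logout URL" field is meant to hold, here is an added example, not code from the thread, from Citrix or from Google: it builds the SAML 2.0 LogoutRequest that a SAML service provider such as NetScaler Gateway sends to the IdP's single-logout endpoint using the HTTP-Redirect binding, and decodes it again the way the IdP would on receipt. The endpoint URL, SP entity ID, NameID and SessionIndex are made-up assumptions. If the IdP publishes no SLO endpoint, which is what the thread suggests for GSuite, there is simply nowhere to send this message, which is why pointing the field at the gateway's own /cgi/logout page changes nothing.

```python
"""Build and decode a SAML 2.0 LogoutRequest over the HTTP-Redirect binding.

Added example (not from the thread, Citrix or Google). All URLs, entity IDs and
identifiers below are assumptions chosen for illustration.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed values: a real IdP advertises its SLO endpoint in its metadata.
IDP_SLO_URL = "https://idp.example.com/saml/slo"
SP_ENTITY_ID = "https://gatewayfqdn/saml/sp"


def build_logout_request(name_id, session_index, issuer=SP_ENTITY_ID,
                         destination=IDP_SLO_URL, request_id=None,
                         issue_instant=None):
    """Return the LogoutRequest XML (bytes) the SP sends to the IdP."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    # SessionIndex ties the logout to the IdP session created at login, so the
    # IdP knows which of the user's sessions to terminate.
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="utf-8")


def encode_redirect_binding(xml_bytes, relay_state=None):
    """Raw DEFLATE, then base64, then URL-encode: the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    # A production SP also appends SigAlg and Signature computed over the
    # query string with its private key; omitted here.
    return params


def logout_redirect_url(name_id, session_index, relay_state=None, **kw):
    """Full URL the browser is redirected to in order to start single logout."""
    xml_bytes = build_logout_request(name_id, session_index, **kw)
    base = kw.get("destination", IDP_SLO_URL)
    return base + "?" + urlencode(encode_redirect_binding(xml_bytes, relay_state))


def decode_redirect_binding(url):
    """What the IdP does on receipt. Returns (LogoutRequest element, RelayState)."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    xml_bytes = zlib.decompress(deflated, -15)
    return ET.fromstring(xml_bytes), qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    url = logout_redirect_url("dave@example.com", "_sess123",
                              relay_state="https://gatewayfqdn/")
    root, relay = decode_redirect_binding(url)
    print(url)
    print(root.find(f"{{{SAMLP}}}SessionIndex").text, relay)
```

The URL returned by `logout_redirect_url` is where the browser lands when the user clicks log off on the SP; the IdP ends its own session (and clears its own cookie) and sends a LogoutResponse back to the SP. Without such an endpoint on the IdP side, the SP can only clear what it set itself.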

The main problem as I see it is that the cookie survives browser closing and re-opening. That's a pretty big deal to me. 

 

As for how to remove the cookie, you could maybe use a Rewrite policy to Set-Cookie to an expiration date in the past, with a policy that applies to the /cgi/logout page? Not sure if this would work though since it would be cross-domain. 

 

https://stackoverflow.com/questions/20320549/how-can-you-delete-a-cookie-in-an-http-response

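To make the cross-domain caveat concrete, here is an added example, not code from the thread or from Citrix: a minimal cookie store implementing the RFC 6265 rules a browser applies when it receives a Set-Cookie header. It shows that a Set-Cookie with an expiry date in the past, served from the gateway host on the /cgi/logout response, removes the gateway's own cookie, while the same header aimed at a cookie scoped to a Google domain is ignored, because the gateway host does not domain-match it. Host names, cookie names and values are constructed for the example.

```python
"""Which Set-Cookie headers a browser honours on the gateway's logout page.

Added example (not from the thread or Citrix): a small cookie store applying
the RFC 6265 domain rules. Hosts, cookie names and values are made up.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


class BrowserCookieStore:
    """Enough of a cookie jar to show what a browser accepts, deletes or drops."""

    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)
        self.cookies = {}  # (domain, name) -> (value, host_only)

    def receive(self, request_host, set_cookie_header):
        """Apply one Set-Cookie from a response served by request_host.

        Returns "stored", "deleted" or "ignored".
        """
        name, value, attrs = parse_set_cookie(set_cookie_header)
        host_only = "domain" not in attrs
        domain = (request_host if host_only else attrs["domain"]).lstrip(".").lower()
        # RFC 6265 5.3 step 6: if the Domain attribute does not domain-match the
        # request host, the browser ignores the whole cookie, including any
        # attempt to expire it. This is why the gateway cannot touch Google's.
        if not host_only and not domain_matches(request_host, domain):
            return "ignored"
        if "max-age" in attrs:
            expired = int(attrs["max-age"]) <= 0
        elif "expires" in attrs:
            expired = parsedate_to_datetime(attrs["expires"]) <= self.now
        else:
            expired = False
        key = (domain, name)
        if expired:
            # An expiry in the past is the standard way to delete a cookie, but
            # only one the responding host is allowed to own.
            return "deleted" if self.cookies.pop(key, None) is not None else "ignored"
        self.cookies[key] = (value, host_only)
        return "stored"

    def cookies_for(self, host):
        """Cookies the browser would send to host (path and Secure ignored here)."""
        host = host.lower()
        return {name: value
                for (domain, name), (value, host_only) in self.cookies.items()
                if (host == domain if host_only else domain_matches(host, domain))}


def simulate_logout(store=None):
    """Login leaves cookies on both hosts; /cgi/logout can only expire its own."""
    store = store or BrowserCookieStore()
    # Constructed sample: cookies set during the SAML login sequence.
    store.receive("accounts.google.com",
                  "SID=google-session; Domain=.google.com; Path=/; Secure; HttpOnly")
    store.receive("gateway.example.com",
                  "NSC_AAAC=gateway-session; Path=/; Secure; HttpOnly")
    # Constructed sample: Set-Cookie headers a Rewrite policy could add to the
    # /cgi/logout response, both served from the gateway host.
    past = "Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    results = {
        "own": store.receive("gateway.example.com",
                             f"NSC_AAAC=; Path=/; {past}; Secure"),
        "google": store.receive("gateway.example.com",
                                f"SID=; Domain=.google.com; Path=/; {past}"),
    }
    return results, store


if __name__ == "__main__":
    results, store = simulate_logout()
    print(results)                                  # {'own': 'deleted', 'google': 'ignored'}
    print(store.cookies_for("accounts.google.com"))  # Google cookie still present
```

On the ADC the "own" case corresponds to a Rewrite action that inserts a Set-Cookie header, bound as a response-time policy on the Gateway virtual server with an expression matching the logout path; as the output shows, that only reaches cookies the gateway host owns. Google's session cookie has to be cleared by Google itself, through its own logout endpoint or through SAML single logout, which is why clearing browser cookies by hand was the only thing that worked in the thread.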

54 minutes ago, Dennis Parker said:

The main problem as I see it is that the cookie survives browser closing and re-opening. [...]

Thanks, Dennis. I'm a bit new to these policies; how do I bind a policy to that particular page?
