
OneLogin.com - SAML: Cannot complete your request Storefront error

Tom Swift


Spoke with both OneLogin.com support and Citrix.com support and still can't get this to work.  Here's the workflow:


1.  https://mycorp.onelogin.com

2.  Authenticate

3.  Select Citrix Netscaler 10.5 application

4.  Routes back to auth.mycorp.com

5.  Passes connection to Storefront

6.  Error message - Cannot complete your request

     Event Log:

    Error 7:

    CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity. The credentials supplied were; user: testuser domain: mycorp

    Error 10: 

    A CitrixAGBasic Login request has failed.


Storefront is configured with an additional gateway pointing back to https://auth.mycorp.com.

Storefront under Manage Authentication Methods, Domain-passthrough from Netscaler Gateway, Configure Delegated Authentication, Check - Fully delegate credential validation to Netscaler Gateway

Storefront Authentication Domains:  Either left empty or with MYCORP

Netscaler Session Profile is configured with MYCORP for Domain (not mycorp.com)


We followed the Citrix & OneLogin documentation and they say they have lots of customers using this.


In Chrome we did a SAML Trace and it appears to be successful at least up to the Netscaler side of things.


For every failed attempt where we get the Cannot Complete your request error we get an Error 7 & Error 10 in the Storefront (Citrix Delivery Services) event log.


User is able to logon locally directly on the Storefront server using a browser:  http://localhost/Citrix/Storeweb and applications enumerate.


We had some issues two years ago with OKTA and got them all worked out, but OneLogin seems to be a challenge.  Their tech support says it's a Citrix issue and they don't have documentation for this error on Storefront.



Check your Gateway Session Policies and remove any SSON Domains configured. The SAML Assertion should include the UPN. The UPN is then forwarded to StoreFront. There's no need to also send a domain name.


Check StoreFront > Configure Trusted Domains and set it to All Domains, or add the UPN suffix.

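Added example, not part of the thread and not Citrix or OneLogin code: a Python check for the reply above that decodes a SAMLResponse captured from the browser trace and reports whether the NameID is a UPN whose suffix is in StoreFront's trusted domains. The sample response, the function names, and the assumption that the UPN travels in the Subject NameID are constructed for illustration; the signature is not verified, so this is a diagnostic only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response (not taken from the thread).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    '{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)


def encode_sample(name_id):
    """Build a base64 SAMLResponse as it appears in the HTTP-POST form field."""
    return base64.b64encode(SAMPLE_XML.format(name_id=name_id).encode()).decode()


def check_name_id(saml_response_b64, trusted_suffixes=None):
    """Return (name_id, findings). trusted_suffixes=None models 'All Domains'."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    node = ET.fromstring(raw).find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        return None, ["assertion carries no Subject NameID"]
    user, sep, suffix = name_id.rpartition("@")
    if not (user and sep and suffix):
        return name_id, ["NameID is not in UPN form (user@suffix)"]
    if trusted_suffixes is not None:
        allowed = {s.lower() for s in trusted_suffixes}
        if suffix.lower() not in allowed:
            return name_id, [f"UPN suffix '{suffix}' is not a trusted domain"]
    return name_id, []


if __name__ == "__main__":
    for nid in ("testuser@mycorp.com", "testuser", "testuser@domain.local"):
        print(check_name_id(encode_sample(nid), ["mycorp.com"]))
```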

Correct.  Looks like OneLogin doesn't send the password.  We actually did some testing where we had user joe@mycorp.com have his username be jsmith@mycorp and that successfully enumerated applications.  Then for joe@mycorp.com we used an Active Directory account which didn't exist like xjones@mycorp and it gets past the Netscaler and then on Storefront it errors out with Cannot Complete your request.


So we build a FAS server, do all the things in the GPO as are required, then it works?


We are currently working on this for one division in the organization, but later on there may be other Domains.  For example, we are in mycorp.com and one of the other domains is domain.local.  Can FAS support this or do we need multiple FAS servers?
