
Microsoft Azure MFA Citrix Netscaler MFA - SAML Assertion Verification Failed


Tom Swift


Trying to follow this document:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/integrating-netscaler-with-microsoft-azure-active-directory.pdf

Note: this follows the Azure classic interface, but this was set up correctly in Azure.

 

Page 9 is where we started the Netscaler configuration:

1.  Tried importing the metadata; if we use this, when we hit the Citrix logon page (i.e. https://citrix.mycorp.com) all we get is a white page.

2.  We configured everything manually and even added NameID for User Field.

3.  Downloaded and imported the Azure SSL cert into Netscaler for IDP Certificate Name.

 

ERROR:

SAML Assertion Verification Failed; Please contact your administrator

 

Firefox: added the SAML Trace extension and captured data. Everything looks good there.

Assuming the SAML Assertion error is on the Netscaler side and we aren't actually attempting to handshake with StoreFront, as the common error there would be "unable to complete request".

 


The SSL cert is not the signing certificate. It's an SSL certificate used for SSL traffic, not for signing the assertions. You have to download the signing certificate. Maybe my blog might bring some light into the issue?

 

Greetings from sunny Austria

Johannes Norz

CTA, CCI, CCE-N

 

visit my blog

use my Citrix ADC test environment

Edited by Johannes Norz
added reference

We're facing a similar problem. What we found is that, when looking at the metadata document provided by Microsoft, there is more than one signing key listed. It seems like they are using any of them and change it from time to time.

I used the SAML-tracer and found that the second out of four certificates listed in the metadata file was used. When manually configuring that certificate, it started to work immediately. The problem with that is that Microsoft already changed the used certificate in December and again today.

I would like to avoid updating the certificate manually every month. So I would highly appreciate being able to specify the metadata document provided by Microsoft. The certificate is inside it, but it seems like the ADC is only taking either the first or the last out of the list.

[Image: relevant section from metadata.png]

[Image: SAML-tracer capture, 2021-01-13]

[Attachment: federationmetadata.xml]

Edited by Walter Werther
added SAML-Trace
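The two posts above make one point between them: the certificate that verifies assertions is the IdP's signing certificate from the federation metadata, not the SSL certificate, and Azure AD publishes several signing certificates and can switch between them. The following Python is an added example (not Citrix, Microsoft or the original poster's code) that parses a metadata document, collects every IdP signing certificate it lists, and reports which of them matches the certificate embedded in a signed SAML response, i.e. the value SAML-tracer shows under X509Certificate. The metadata, the response skeleton and the certificate blobs are constructed placeholders, not real X.509 DER, so the example shows fingerprint matching only, not XML signature validation (which needs an XML-DSig library such as xmlsec).

```python
"""Which of an IdP's published signing certificates signed this SAML response?

Added example, not code from Citrix, Microsoft or the thread. The metadata and
response here are constructed; the certificate blobs are placeholders standing
in for DER certificates, so only fingerprint matching is demonstrated.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed placeholder blobs standing in for the four DER certificates
# a federationmetadata.xml from Azure AD may list.
CERT_BLOBS = [b"constructed-idp-cert-1", b"constructed-idp-cert-2",
              b"constructed-idp-cert-3", b"constructed-idp-cert-4"]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_metadata(blobs) -> str:
    """Constructed federation metadata with one signing KeyDescriptor per blob."""
    keys = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>\n  {_b64(b)}\n</ds:X509Certificate>'
        f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' for b in blobs)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
            f'entityID="https://sts.windows.net/example-tenant/">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{keys}'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')


def build_response(signing_blob: bytes) -> str:
    """Constructed, minimal SAML Response carrying only the Signature's KeyInfo."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{DS}"><ds:Signature><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{_b64(signing_blob)}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER blob, the usual way to compare certificates."""
    return hashlib.sha256(der).hexdigest()


def idp_signing_certs(metadata_xml: str) -> list:
    """DER bytes of every IdP signing certificate, in document order.

    A KeyDescriptor with no use attribute may serve both signing and
    encryption, so it is kept; use="encryption" entries are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Base64 in metadata is usually wrapped; strip all whitespace first.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def signing_cert_from_response(response_xml: str) -> bytes:
    """DER of the certificate the IdP embedded in the Response's Signature KeyInfo."""
    root = ET.fromstring(response_xml)
    node = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("response carries no X509Certificate in its Signature")
    return base64.b64decode("".join(node.text.split()))


def match_signing_cert(metadata_xml: str, response_xml: str):
    """0-based index of the published certificate that matches the response, or None.

    A verifier that trusts only the first (or last) listed certificate behaves
    like the ADC described in the thread: it rejects the response as soon as
    the IdP rolls to another key it has already published.
    """
    used = fingerprint(signing_cert_from_response(response_xml))
    for i, der in enumerate(idp_signing_certs(metadata_xml)):
        if fingerprint(der) == used:
            return i
    return None


if __name__ == "__main__":
    metadata = build_metadata(CERT_BLOBS)
    # As in the SAML-tracer capture: the IdP signed with the second of four certificates.
    response = build_response(CERT_BLOBS[1])
    idx = match_signing_cert(metadata, response)
    print(f"{len(idp_signing_certs(metadata))} signing certs published; "
          f"response signed with #{idx + 1}")
    first_only = idp_signing_certs(metadata)[0] == signing_cert_from_response(response)
    print("accepted by a first-certificate-only verifier:", first_only)
```

Run against a real federationmetadata.xml and a response captured with SAML-tracer, the same logic tells you whether the certificate an IdP is currently using is in the published set (a key rollover the SP should tolerate) or absent from it (a misconfiguration or a tampered response). Either way, the SP must accept any of the published signing certificates, not a single pinned one.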

So, you run a service provider on premise, and Azure is the identity provider. SSL_Azure_MFA is the certificate Azure uses for assertion signing. SSL_VDI is the certificate you use for assertion signing. Is this correct? Double-check that the certificate Azure is using is the one you imported (see the post above).


In parallel to asking in this discussion forum, we also raised a ticket with Citrix.

It's not 100% confirmed yet, but it seems like it's a known problem (at least to Citrix support) that Citrix ADC is not able to handle more than one certificate provided by the IDP.

Cite from support-ticket:

 

I have checked with internal team for the query. Currently there is no workaround for the issue. 
We have to bind the certificate manually to ADC once MS team changes certificate on IDP.

 

So I'm really surprised about that, and I'm wondering why the internet is not full of reports (and workarounds) for that topic. Are we the only ones using Microsoft as IDP?

Hello,

 

so now we got an update from the Citrix Support team.

 

They claim that this seems to "Work as currently designed":

 

---

Regarding your query, I do see that this feature is not supported as of now and see similar feature request raised in the past. I have reached out to our product management team, to get to know the exact detail on this and to understand if the old feature request is similar or do we need new feature request for your requirement. I will keep you updated with their reply.

---

 

Is that really true? How are others dealing with such topics? This does not seem to be a missing feature. Not providing proper support for certificate roll-over on the IDP should be classified as a BUG.

I'm really surprised that no one else is having such a problem.


Three years later the certificate expired again. And guess what: Citrix Netscaler is still not able to get automatic certificate rollover working properly. From that point of view it does not even make sense to have the refresh-metadata option at all, let alone set to a high value.

Come on Citrix: Is that really the way you would like to provide services? You should really feel ashamed.
