Citrix ADC 12.1: Azure IDP: Reply URL for each LB server needed?


Hi,

When using Azure as IDP for the reverse proxy instances exposed through Citrix ADC 12.1, I noticed that it requires adding the FQDN of the service as Reply URL in Azure.

Is this normal behavior?

I was expecting that it would only want the FQDN / URL of the AAA VServer.

 

Example:

user tries to access application1.company.com,

the authentication profile loads aaa1.company.com, which acts as SP for saml2.

User performs his login at Microsoft.

If only https://aaa1.company.com/<something>/... is added: Error: Reply URL missing

If a Reply URL for https://application1.company.com is added: works fine.

Now I am questioning whether I really have to add all services as Reply URL in the Azure app for aaa1.company.com ....


I am basically running the following saml2 profile:

add authentication samlAction SAMLSRV_aaa1 -metadataUrl "<METADATAURL>" -samlSigningCertName CRT_aaa1 -samlUserField NameID -samlIssuerName "https://aaa1.company.com" -signatureAlg RSA-SHA256 -digestMethod SHA256 -logoutBinding REDIRECT -metadataRefreshInterval 3600


We've seen the same behavior where ADC is generating the Reply URL based on the incoming request only.

We tried to use AAA vServer with Forms Based Authentication and nFactor to "trick" Netscaler in using the AAA FQDN for the SAML reply url but it seems they are 'being smart' and detecting that SAML policy is bound to AAA and skipping the redirect to the AAA vServer. 

I agree it would be nice if Citrix could support this scenario ( First redirect to AAA vServer, then AAA redirect to SAML IDP using the AAA FQDN as the reply url).

We 'solved' it by using OpenID Connect / OAUTH between ADC and Azure AD, and on Azure AD we then used a Reply URL containing a wildcard character for the subdomain. (Can be done by editing the metadata on AzureAD) 

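Both posts describe the same check from the IdP side: the AssertionConsumerServiceURL (Reply URL) that the SP puts into its AuthnRequest must match one of the Reply URLs registered on the Azure app, and because ADC builds that URL from the host the user requested (application1) rather than the AAA vserver (aaa1), an entry for aaa1 alone fails. The script below is an added example, not Citrix ADC or Azure AD code, that models this check and the three configurations discussed in the thread: only the AAA FQDN registered, each published service registered, and a one-label wildcard for the subdomain as in the OIDC workaround. The hostnames, the /saml/acs path, the AuthnRequest and the tenant placeholder are constructed; Azure AD's real matching rules for wildcard redirect URIs are not reproduced, only the principle.

```python
"""Model of the IdP-side Reply URL check the thread runs into.

Added example (not Citrix ADC or Azure AD code). The hostnames, the
/saml/acs path and the AuthnRequest below are constructed; the tenant in
the Destination attribute is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest as an SP emits it when it derives the ACS URL
# from the host the user actually requested (application1), even though
# the Issuer is the AAA vserver (aaa1).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"
    AssertionConsumerServiceURL="https://application1.company.com/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer xmlns:saml="{SAML_NS}">https://aaa1.company.com</saml:Issuer>
</samlp:AuthnRequest>"""


def acs_url_from_request(xml_text: str) -> str:
    """Return the AssertionConsumerServiceURL of a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return acs


def _host_allowed(registered_host: str, host: str) -> bool:
    """Exact host match, or a '*.' pattern covering exactly one subdomain label."""
    if registered_host == host:
        return True
    if registered_host.startswith("*."):
        suffix = registered_host[1:]            # "*.company.com" -> ".company.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]            # what the '*' stood for
        return bool(label) and "." not in label
    return False


def reply_url_allowed(acs_url: str, registered: list[str]) -> bool:
    """Accept the ACS URL only if one registered Reply URL covers it.

    Scheme must be https, path and port must match exactly, and the host
    must match exactly or via a one-label wildcard. A query or fragment in
    the ACS URL is rejected outright.
    """
    req = urlsplit(acs_url)
    if req.scheme != "https" or req.query or req.fragment or not req.hostname:
        return False
    for entry in registered:
        reg = urlsplit(entry)
        if reg.scheme != "https" or reg.path != req.path or reg.port != req.port:
            continue
        if _host_allowed(reg.hostname or "", req.hostname):
            return True
    return False


# Registered Reply URLs for the three configurations discussed in the thread.
ONLY_AAA = ["https://aaa1.company.com/saml/acs"]
AAA_AND_APP = ONLY_AAA + ["https://application1.company.com/saml/acs"]
WILDCARD = ["https://*.company.com/saml/acs"]


def check_scenarios() -> dict[str, bool]:
    acs = acs_url_from_request(AUTHN_REQUEST)
    return {
        # Only the AAA vserver registered: the IdP rejects ("Reply URL missing").
        "only_aaa_registered": reply_url_allowed(acs, ONLY_AAA),
        # Every published service registered individually: accepted.
        "application_registered": reply_url_allowed(acs, AAA_AND_APP),
        # One wildcard entry for the subdomain: accepted for any single label.
        "wildcard_registered": reply_url_allowed(acs, WILDCARD),
        # Cases the wildcard must still refuse.
        "wildcard_other_domain": reply_url_allowed(
            "https://application1.other.example/saml/acs", WILDCARD),
        "wildcard_two_labels": reply_url_allowed(
            "https://a.b.company.com/saml/acs", WILDCARD),
        "wildcard_other_path": reply_url_allowed(
            "https://application1.company.com/other", WILDCARD),
        "plain_http": reply_url_allowed(
            "http://application1.company.com/saml/acs", WILDCARD),
    }


if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The wildcard matcher deliberately covers a single DNS label, keeps the scheme pinned to https and requires the path to match exactly. Anything looser turns every host under the subdomain into a valid place for the IdP to post assertions or codes to, so if the wildcard route is taken, the set of names that can resolve under that subdomain (and obtain a certificate for it) needs to be under the same control as the ADC.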