Problem with using HTTPS prefix for GSLB public FQDN with SAML/MFA authentication

We are working on a project for a customer using ADC 13 (on-prem appliances in HA pairs in each location and an on-prem CVAD farm with zones in each region) and GSLB with static proximity (two locations initially but then expanding to five). Authentication is provided with SAML between the ADCs (SP) and Microsoft ADFS 4.0 (IdP) and an Azure MFA enterprise app in each Azure region local to each on-prem location.

When trying to connect using no prefix for the public FQDN or just HTTP, redirection to the static proximity calculated Citrix Gateway works correctly (we can see the URL redirection in the browser as it happens), and users can authenticate to login.microsoftonline.com and the MFA app and all the way through to their apps/desktops in StoreFront. However, when using HTTPS, no redirection is observed in the browser bar and when the user follows the same logon process, it appears to work with MFA and the user is prompted to use Microsoft Authenticator. After this we get a URL mismatch error AADSTS50011 (https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50011-reply-url-mismatch). It looks like this is a redirection issue rather than a SAML auth one. We are experiencing the same issue in both locations. Anybody experienced this? Thanks

ADC_SAML_ADFS_MFA_Error.png

Edited by Alan Bayliss
Typo corrections

Try using HttpWatch or Fiddler to see what is happening:

https://support.citrix.com/article/CTX140750

https://www.citrix.com/blogs/2015/06/05/troubleshooting-gslb-persistence-with-fiddler/

https://www.httpwatch.com/

Read this as it could be the GSLB cookie persistence that is causing issues if you are using the redirect method.

https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/how-to/configure-persistent-connections.html

You may also see:

https://support.citrix.com/article/CTX230052
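The reply above suggests capturing the session in HttpWatch or Fiddler. As an added example (not code from this thread or from Citrix), the Python script below walks a constructed trace in the shape such a tool exports and reports the two things the question describes: whether the GSLB public FQDN redirected the browser to a site gateway, and whether the host the IdP posts the SAML assertion back to matches the host the browser is actually on, which is the condition behind a reply URL mismatch. All hostnames, paths and the per-site FQDN list are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

GSLB_FQDN = "gateway.example.com"                        # assumed public GSLB FQDN
SITE_FQDNS = {"gw-uk.example.com", "gw-us.example.com"}  # assumed per-site gateways
REDIRECTS = {301, 302, 303, 307, 308}
ACS_RE = re.compile(r'<form[^>]+action="([^"]+)"', re.I)  # SAML POST-binding form

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def analyze_trace(entries, gslb_fqdn=GSLB_FQDN, sites=SITE_FQDNS):
    """entries: dicts {url, status, headers, body} in browser order.
    Reports where the GSLB FQDN redirected (if at all), the SP host the browser
    is on, the host the assertion is posted back to, and whether they disagree."""
    sp_host = acs_host = redirected_to = None
    for e in entries:
        h = host_of(e["url"])
        if h == gslb_fqdn or h in sites:
            sp_host = h                      # last SP-side host the browser touched
            if h == gslb_fqdn and e["status"] in REDIRECTS:
                redirected_to = host_of(e["headers"].get("Location", ""))
        m = ACS_RE.search(e.get("body", ""))  # IdP auto-submit form to the ACS URL
        if m:
            acs_host = host_of(m.group(1))
    return {
        "scheme": urlsplit(entries[0]["url"]).scheme,
        "gslb_redirected_to": redirected_to,
        "sp_host": sp_host,
        "acs_host": acs_host,
        "reply_url_mismatch": bool(sp_host and acs_host and sp_host != acs_host),
    }

# Constructed traces mirroring the HTTP (working) and HTTPS (failing) cases.
SAML_FORM = '<form method="post" action="https://gw-uk.example.com/cgi/samlauth">'
HTTP_TRACE = [
    {"url": "http://gateway.example.com/", "status": 302,
     "headers": {"Location": "https://gw-uk.example.com/"}, "body": ""},
    {"url": "https://gw-uk.example.com/", "status": 200, "headers": {}, "body": ""},
    {"url": "https://adfs.example.com/adfs/ls/", "status": 200, "headers": {}, "body": SAML_FORM},
]
HTTPS_TRACE = [
    {"url": "https://gateway.example.com/", "status": 200, "headers": {}, "body": ""},
    {"url": "https://adfs.example.com/adfs/ls/", "status": 200, "headers": {}, "body": SAML_FORM},
]

if __name__ == "__main__":
    for name, trace in (("http", HTTP_TRACE), ("https", HTTPS_TRACE)):
        print(name, analyze_trace(trace))
```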
