SAML Configuration for CVE mitigation


Jens Ostkamp


Hey everyone,

I have a question regarding SAML configuration when Citrix ADC is configured as SP (for example, doing SAML Redirect for Citrix CVAD authentication towards some SAML IdP). As mentioned in the official support article (https://support.citrix.com/article/CTX316577), I have configured the appropriate RelayStateRule (since we come from a Gateway I used the following expression: "AAA.LOGIN.RELAYSTATE.EQ("https://vpngateway.domain.com/")", where "vpngateway.domain.com" is the external DNS name a user will connect to via browser before getting a redirect to the SAML IdP). The configuration just works fine, but when I am testing it and for example enter "https://thiswontwork.com/" in the expression, everything still works just as before. So I am curious if this is expected or if I am missing something here.

With the configuration where Citrix ADC is IdP (ShareFile for example) everything is fine: when I configure the ACS Rule with some gibberish I get an error when trying to authenticate, which is obviously just fine.

Thanks a lot!

Best regards

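As an added illustration (not from the post, and not Citrix ADC's own implementation), here is a small Python model of what an SP-side RelayState allow-list check is meant to do: the exact-match rule quoted in the post beside a hostname-based variant that also handles common URL look-alikes. The function names and the sample RelayState values are constructed; the allowed URL is the one from the post.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only URL a user may be sent back to after the IdP
# responds. Mirrors the intent of AAA.LOGIN.RELAYSTATE.EQ("https://vpngateway.domain.com/").
ALLOWED_RELAYSTATES = {"https://vpngateway.domain.com/"}
ALLOWED_HOSTS = ("vpngateway.domain.com",)


def relaystate_eq(relay_state: str) -> bool:
    """Exact string match, as the EQ expression in the post does.

    Note that this is strict: a missing trailing slash or a path suffix fails it."""
    return relay_state in ALLOWED_RELAYSTATES


def relaystate_host_ok(relay_state: str) -> bool:
    """Looser, origin-based check: https only, exact hostname, default port.

    Rejects the usual look-alikes an exact match would also reject but a naive
    'startswith' or 'contains' check would not: subdomain suffixes, userinfo
    before an '@', other schemes, and unparsable URLs."""
    try:
        parts = urlsplit(relay_state)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in ALLOWED_HOSTS and port in (None, 443)


def check_relaystate(relay_state: str) -> str:
    """Decision an SP should take for an incoming RelayState under the exact rule:
    'redirect' when it matches the allow-list, 'deny' otherwise."""
    return "redirect" if relaystate_eq(relay_state) else "deny"


if __name__ == "__main__":
    # Constructed sample values, including the two URLs mentioned in the post.
    for rs in ("https://vpngateway.domain.com/", "https://thiswontwork.com/",
               "https://vpngateway.domain.com.example.invalid/"):
        print(rs, "->", check_relaystate(rs), "| host check:", relaystate_host_ok(rs))
```

Under the exact rule, "https://thiswontwork.com/" is denied; if a deployment still completes the login with such a value configured, the rule is not being evaluated where the operator expects, which is the condition worth testing for explicitly.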

Well, it was mostly about the RelayState Rule. Before the upgrade there wasn't a RelayState Rule (as the option didn't exist), and after the upgrade I followed the Citrix Support article on how to configure that rule. After doing so I could put in any expression within the rule, where the relay state should come from, and it worked every time. Now, funny enough, I am having the problem that some clients are working and some not. Some seem to be browser cache related, but it's all very unclear. Still investigating.

For example, one single application which is reachable through SSL VPN is not reachable anymore, without any configuration changes on any side. Only after upgrading Citrix ADC to the newest version does the connection to this one specific application not work anymore; to other applications in the same subnet it works. So yeah, I don't really know what's causing it, but everything seems to be an update-related issue.
