
SAML Logout Error with SAP FIORI and Citrix ADC as IdP


Andre Schreiber


Hi,

We have successfully published our SAP Fiori Launchpad with Citrix ADC as SAML IdP. Authentication works with an AAA vServer (nFactor with CitrixSSO App).

Using the "Logout" Button in the SAP Interface gives us an error ("Matching policy not found while trying to process Assertion; ..")

The logout URL is correct (/cgi/logout); hitting "Enter" on the address bar in the browser even gets us the expected logout screen (vpn/tmlogout.html) and the SAML session gets cleared.

 

Where does this SAML assertion error come from?

 

(ADC 13.0 83.27)

 


Hello,

 

When you click a logout button in an application, like SAP Fiori in your example, ADC isn't able to initiate the AAA session logout. You have to configure the SAP Fiori logout URL (like /logout or something else) to tell ADC to do a clean logout of the session.

 

Create an AAA traffic profile only with the option "Initiate Logout" enabled.

Create an AAA traffic policy, linked to the profile with an expression like HTTP.REQ.URL.CONTAINS("/logout") 

-> This is only an example; you have to identify the correct logout URL SAP accesses when you click the "Logout" button in the SAP interface.

 

Link the AAA traffic policy to your SAP Fiori LB vServer. Try it again and verify the hits on the AAA traffic policy.

 

Best Regards

Julian
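
The three steps from the reply above, written as NetScaler CLI commands; this is an added example, not part of the original posts. The names `act_fiori_logout`, `pol_fiori_logout` and `lb_vs_fiori` and the priority are hypothetical, and `/logout` is the placeholder match from the reply.

```netscaler
# 1. AAA traffic profile (traffic action) with only "Initiate Logout" enabled
add tm trafficAction act_fiori_logout -InitiateLogout ON

# 2. AAA traffic policy matching the application's logout request
#    ("/logout" is the placeholder from the reply; use the URL the app really calls)
add tm trafficPolicy pol_fiori_logout "HTTP.REQ.URL.CONTAINS(\"/logout\")" act_fiori_logout

# 3. Bind the policy to the load-balancing vServer that publishes the application
bind lb vserver lb_vs_fiori -policyName pol_fiori_logout -priority 100

# 4. Click "Logout" in the application, then check the policy's hit counter
show tm trafficPolicy pol_fiori_logout
```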


Thanks for your answer.

 

I identified the internal logout URL (sap/public/bc/icf/logoff?sap-client=010). I created an AAA traffic policy with the expression HTTP.REQ.URL.CONTAINS("/logoff") and linked a traffic profile with "initiate logout".

I bound the policy to the correct LB vServer, but I don't get any hits on the traffic policy - even if I set the expression to "true". Any hints on that?

 

And I still don't understand why the redirect to /cgi/logout works but produces the SAML assertion error.
