
problem with Authorization

Or Shellyy


Greetings all,

I need some help. I configured SAML for my organization with Azure, and it works.

But after I log in and get the SAML token I get the error "Error: Not a privileged User". I use authorization policies with a classic policy, something like this: "REQ.HTTP.HEADER Host == xxx.xxx.com", and it is not working.

Does someone know how I can fix it? I can't find how to fix it and nothing works.

I have version 12.1 53.


Is this a Gateway VPN vserver config or AAA for load balancing? If Gateway, full VPN or ICA proxy?

After authentication you need either authorization policies assigned to groups/users, or session policies setting the default authorization action applied to the vserver or group.

If there is a default deny, then your authorization may need to cover the things the user is trying to reach, such as, in VPN mode, all applicable destination networks/ports; VIPs for load balancing, etc.

So, first identify what type of vserver/connection the authentication is being used for.

Then determine which authorization rules may be required to reach destinations.

The authorization problem might not be in the authentication phase but in the post-authentication destination, but you may have to look at syslog to confirm what destinations are being blocked.





I use AAA for load balancing. I use a classic policy and I tried: ns_true, REQ.HTTP.HEADER Host CONTAINS, REQ.HTTP.HEADER Host == xxx. I tried to use it on a user and on a group,

and nothing happens; I get the "Error: Not a privileged User".

When I use aaad.debug I see the SAML works successfully, but after the SAML I don't see why I don't get the authorization.


aaad.debug only shows authentication events; authorization errors are in syslog.

You need to think about both client-to-vserver communication and ADC-to-service destination.

You could try a session:allow on the vserver once authenticated (if not public) and then work on tightening the allows until they are narrowly defined.

Start with an allow based on the VIP and backend server destinations (by IPs and ports).

Then, if that works, you can do it by headers, but the allow is about the resource you're trying to access and not the authentication being performed.

Also, the classic engine is problematic; but CONTAINS is case-insensitive and a partial match on the Host header. Equals is both case-sensitive and requires a full, exact header match.

The trick is if not all of your requests contain the header that you are using.

This is why I said: start with an allow based on the destination IP of the VIP and the destination IP of the services required (limit to HTTP or HTTPS if you can). Then, if that works, you can see what you can and can't adjust, or run a trace to see what is happening in the requests.

The authorization policies must be bound to an AAA user or AAA group; but SAML group extraction may require special config.

Session policies can be bound to the AAA vserver or the AAA group.
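A worked ADC CLI configuration for the sequence both replies describe (a broad session-level allow first, then authorization narrowed to destinations and headers and bound to an AAA group), as an added example that is not part of the original posts or of Citrix's own documentation. The object names (aaa_vs, saml_act_azure, Employees, sess_act_allow, authz_*), the hostname xxx.xxx.com, the VIP address 192.0.2.10 and the SAML assertion attribute name "groups" are assumptions. Expressions are written in the advanced policy syntax rather than the classic engine the reply calls problematic; note that in advanced syntax CONTAINS is case-sensitive unless SET_TEXT_MODE(IGNORECASE) is applied.

```nscli
# Step 1: broad allow so the "Not a privileged User" error goes away.
# A TM session action with a default ALLOW, bound to the AAA vserver
# (assumed name aaa_vs). Tighten this to DENY once Step 3 works.
add tm sessionAction sess_act_allow -defaultAuthorizationAction ALLOW
add tm sessionPolicy sess_pol_allow true sess_act_allow
bind authentication vserver aaa_vs -policy sess_pol_allow -priority 100

# Step 2: SAML group extraction. -groupNameField names the assertion
# attribute that carries the user's groups ("groups" is assumed); the AAA
# group name must match a value the IdP actually sends in that attribute.
set authentication samlAction saml_act_azure -groupNameField groups
add aaa group Employees

# Step 3a: authorization by destination first: the LB VIP (assumed
# 192.0.2.10) on HTTPS only, as the reply suggests.
add authorization policy authz_allow_vip "CLIENT.IP.DST.EQ(192.0.2.10) && CLIENT.TCP.DSTPORT.EQ(443)" ALLOW
bind aaa group Employees -policy authz_allow_vip -priority 100

# Step 3b: header-based variants, showing the EQ vs CONTAINS difference the
# reply describes. EQ needs the whole header to match exactly, so a request
# carrying "XXX.xxx.com" or "xxx.xxx.com:443" would not match and would be
# denied once the session default is DENY.
add authorization policy authz_host_exact "HTTP.REQ.HEADER(\"Host\").EQ(\"xxx.xxx.com\")" ALLOW
# Partial, case-insensitive match; HOSTNAME.SERVER also drops any :port suffix.
add authorization policy authz_host_contains "HTTP.REQ.HOSTNAME.SERVER.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"xxx.xxx.com\")" ALLOW
bind aaa group Employees -policy authz_host_contains -priority 110

# Step 4: once the group-bound allows work, flip the session default to
# DENY so only explicitly authorized destinations remain reachable.
set tm sessionAction sess_act_allow -defaultAuthorizationAction DENY

# Authorization denials are logged to syslog, not aaad.debug:
shell tail -n 100 /var/log/ns.log

save ns config
```

Check the group binding first: if `show aaa group Employees` lists no policies, or the assertion attribute value does not equal the group name character for character, the authorization policies never apply and the session default decides the outcome.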



