
Posted

A customer is trying to onboard macOS users to their Citrix Gateway VPN which is working perfectly on Windows endpoints.

The macOS version is the latest available (Sequoia, 15.1) and the SAC is on version 24.10.1. The authentication is configured to use SAML and the IdP is Microsoft Entra ID.

I'm observing the following in the ns.log when the user session gets back from the Entra:

Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944394 0 :  "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/{tenant}/saml2> to session for saml logout, user <first.last@company.com>"
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944395 0 :  "WebView is complete; sending completion response; suspending session policy eval for user <first.last@company.com>, aaa flags 20, flags2 41101"
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default AAATM Message 944396 0 :  "authv3_webview relaystate url FAILED the whitelist check, will abort this login attempt"

In the network trace I can see an HTTP POST request to /cgi/samlauth to which the NetScaler responds with "500 Internal Server Error".

I believe I have already ruled out:

Any ideas?

Posted

The patset "ns_aaa_relaystate_param_whitelist" was empty in the customer's environment. Got the problem sorted out with support's assistance.

The fix is to add the following:

bind policy patset ns_aaa_relaystate_param_whitelist "citrixauthwebviewdone://" -index 1 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixsso://" -index 2 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixng://" -index 3 -charset ASCII
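Added example, not part of the thread above and not Citrix code: a small Python script that audits a saved `show ns runningConfig` dump for the three bindings from the fix, emits the missing `bind policy patset` commands with the next free index, and emulates the whitelist check. The config lines are constructed (the `example_unrelated_patset` bind is a made-up line to show filtering), and treating the whitelist as a case-insensitive prefix match on the RelayState is an assumption, not documented NetScaler behaviour.

```python
"""Audit the NetScaler RelayState whitelist patset and emulate its check.

Example code added to this forum thread; not NetScaler or Citrix code.
Assumption: a RelayState passes when it starts with a bound pattern.
"""
import re
from typing import Dict, List, Optional

PATSET = "ns_aaa_relaystate_param_whitelist"
# Patterns bound in the fix above: the custom URL schemes the SAC uses on macOS.
REQUIRED_PATTERNS = ["citrixauthwebviewdone://", "citrixsso://", "citrixng://"]

_BIND_RE = re.compile(
    r'^bind policy patset (?P<patset>\S+) "(?P<pattern>[^"]+)"'
    r"(?:\s+-index (?P<index>\d+))?"
)


def parse_patset_bindings(running_config: str, patset: str = PATSET) -> Dict[str, Optional[int]]:
    """Map pattern -> index for every `bind policy patset <patset> ...` line."""
    bound: Dict[str, Optional[int]] = {}
    for line in running_config.splitlines():
        m = _BIND_RE.match(line.strip())
        if m and m.group("patset") == patset:
            idx = int(m.group("index")) if m.group("index") else None
            bound[m.group("pattern")] = idx
    return bound


def missing_patterns(bound: Dict[str, Optional[int]], required: List[str] = REQUIRED_PATTERNS) -> List[str]:
    """Required patterns that are not bound yet."""
    return [p for p in required if p not in bound]


def bind_commands(bound: Dict[str, Optional[int]], required: List[str] = REQUIRED_PATTERNS,
                  patset: str = PATSET) -> List[str]:
    """Bind commands for the missing patterns, continuing the existing index sequence."""
    next_index = max([i for i in bound.values() if i is not None], default=0) + 1
    cmds = []
    for pattern in missing_patterns(bound, required):
        cmds.append(f'bind policy patset {patset} "{pattern}" -index {next_index} -charset ASCII')
        next_index += 1
    return cmds


def relaystate_allowed(relay_state: str, bound: Dict[str, Optional[int]]) -> bool:
    """Assumed check: RelayState must start with one of the bound patterns.

    URL schemes are case-insensitive, so compare lowercased. With an empty
    patset nothing matches, which is the failure seen in the ns.log above.
    """
    rs = relay_state.lower()
    return any(rs.startswith(p.lower()) for p in bound)


# Constructed sample: the patset exists but has no bindings (the reported state).
EMPTY_CONFIG = """\
add policy patset ns_aaa_relaystate_param_whitelist
bind policy patset example_unrelated_patset "foo" -index 1
"""

# Constructed sample after applying the fix from the reply above.
FIXED_CONFIG = EMPTY_CONFIG + "\n".join(
    f'bind policy patset {PATSET} "{p}" -index {i} -charset ASCII'
    for i, p in enumerate(REQUIRED_PATTERNS, start=1)
) + "\n"


if __name__ == "__main__":
    before = parse_patset_bindings(EMPTY_CONFIG)
    print("missing:", missing_patterns(before))
    for cmd in bind_commands(before):
        print(cmd)
    after = parse_patset_bindings(FIXED_CONFIG)
    print("citrixauthwebviewdone:// allowed after fix:",
          relaystate_allowed("citrixauthwebviewdone://", after))
```

Run it against the output of `show ns runningConfig` saved to a file; if it prints bind commands, paste them into the NetScaler CLI and `save ns config`. The emulation is only there to show why an empty patset rejects every RelayState; the authoritative check is the one the NetScaler logs as the "whitelist check".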
