
A customer is trying to onboard macOS users to their Citrix Gateway VPN which is working perfectly on Windows endpoints.

The macOS version is the latest available (Sequoia, 15.1) and the SAC is on version 24.10.1. The authentication is configured to use SAML and the IdP is Microsoft Entra ID.

I'm observing the following in the ns.log when the user session gets back from Entra:

Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944394 0 :  "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/{tenant}/saml2> to session for saml logout, user <first.last@company.com>"
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944395 0 :  "WebView is complete; sending completion response; suspending session policy eval for user <first.last@company.com>, aaa flags 20, flags2 41101"
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default AAATM Message 944396 0 :  "authv3_webview relaystate url FAILED the whitelist check, will abort this login attempt"

In the network trace I can see an HTTP POST request to /cgi/samlauth to which the NetScaler responds with "500 Internal Server Error".

I believe I have already ruled out:

Any ideas?

  • Author

The Patternset "ns_aaa_relaystate_param_whitelist" was empty in the customer's environment. Got the problem sorted out with support's assistance.

The fix is to add the following:

bind policy patset ns_aaa_relaystate_param_whitelist "citrixauthwebviewdone://" -index 1 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixsso://" -index 2 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixng://" -index 3 -charset ASCII
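As an added illustration (not code from this thread or from Citrix), the snippet below models the whitelist check that produced the "relaystate url FAILED the whitelist check" message and shows a small detector for that message in ns.log lines. It assumes the check is a prefix match of the RelayState against the bound patset entries, and the log excerpt is constructed from the lines quoted above.

```python
import re

# Constructed ns.log excerpt, modelled on the lines quoted in the post (not real data).
NS_LOG = """\
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944394 0 :  "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/{tenant}/saml2> to session for saml logout, user <first.last@company.com>"
Oct 25 08:11:35 <local0.info> XXX  10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default AAATM Message 944396 0 :  "authv3_webview relaystate url FAILED the whitelist check, will abort this login attempt"
"""

# The three entries the fix binds to ns_aaa_relaystate_param_whitelist.
FIXED_PATSET = ["citrixauthwebviewdone://", "citrixsso://", "citrixng://"]


def relaystate_allowed(relaystate: str, patset: list[str]) -> bool:
    """Model of the whitelist check: the RelayState must begin with one of the
    bound patset entries (prefix matching is an assumption about NetScaler's
    behaviour). With an empty patset nothing can match, so every SAML login
    that carries a Secure Access Client RelayState is aborted."""
    return any(relaystate.startswith(pattern) for pattern in patset)


FAILED_RE = re.compile(r"relaystate url FAILED the whitelist check")
USER_RE = re.compile(r"user <([^>]+)>")


def failed_logins(log_text: str) -> list[str]:
    """Return the users whose login was aborted by the whitelist check, pairing
    each FAILED line with the most recent user seen in the preceding lines."""
    last_user = "unknown"
    aborted = []
    for line in log_text.splitlines():
        user_match = USER_RE.search(line)
        if user_match:
            last_user = user_match.group(1)
        if FAILED_RE.search(line):
            aborted.append(last_user)
    return aborted


if __name__ == "__main__":
    print("empty patset allows SAC RelayState:",
          relaystate_allowed("citrixauthwebviewdone://done", []))
    print("fixed patset allows SAC RelayState:",
          relaystate_allowed("citrixauthwebviewdone://done", FIXED_PATSET))
    print("aborted logins in log:", failed_logins(NS_LOG))
```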

