Kari Ruissalo
Posted October 25

A customer is trying to onboard macOS users to their Citrix Gateway VPN, which is working perfectly on Windows endpoints. The macOS version is the latest available (Sequoia, 15.1) and the SAC is on version 24.10.1. Authentication is configured to use SAML and the IdP is Microsoft Entra ID. I'm observing the following in the ns.log when the user session comes back from Entra:

Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944394 0 : "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url <https://login.microsoftonline.com/{tenant}/saml2> to session for saml logout, user <first.last@company.com>"
Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN Message 944395 0 : "WebView is complete; sending completion response; suspending session policy eval for user <first.last@company.com>, aaa flags 20, flags2 41101"
Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default AAATM Message 944396 0 : "authv3_webview relaystate url FAILED the whitelist check, will abort this login attempt"

In the network trace I can see an HTTP POST request to /cgi/samlauth, to which the NetScaler responds with "500 Internal Server Error".

I believe I have already ruled out:

- Session policy expression (ref https://support.citrix.com/s/article/CTX291268-http11-internal-server-error-43531-when-accessing-citrix-gateway-after-upgrading-to-version-130?language=en_US)
- SAML Relay State rule, configured according to the docs (ref https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/saml-authentication/citrix-adc-saml-sp.html). I have also tried adding the StoreFront Store name here, as well as changing the rule to "true" and creating a parallel rule which doesn't have the rule defined.
- NetScaler clock synchronization

Any ideas?
Kari Ruissalo (Author)
Posted October 25

The Patternset "ns_aaa_relaystate_param_whitelist" was empty at the customer's. Got the problem sorted out with support's assistance. The fix is to add the following:

bind policy patset ns_aaa_relaystate_param_whitelist "citrixauthwebviewdone://" -index 1 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixsso://" -index 2 -charset ASCII
bind policy patset ns_aaa_relaystate_param_whitelist "citrixng://" -index 3 -charset ASCII
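As an added diagnostic (example code, not from the thread or from Citrix): parse ns.log lines in the layout quoted above, flag the AAATM relay-state whitelist failure, and report which of the three schemes from the fix are missing from a given set of bound patset entries, rendering the same bind commands for them. The sample log lines are constructed from the entries quoted in the question; how the currently bound patterns are collected from the appliance is left to the operator.

```python
import re

# Relay-state URL schemes that the fix in this thread binds to the patset.
REQUIRED_PATTERNS = ("citrixauthwebviewdone://", "citrixsso://", "citrixng://")
PATSET_NAME = "ns_aaa_relaystate_param_whitelist"

# ns.log message layout as seen in the thread:
#   ... MM/DD/YYYY:HH:MM:SS GMT HOST 0-PPE-0 : default MODULE Message ID 0 : "text"
NSLOG_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?: default '
    r'(?P<module>\w+) Message (?P<msgid>\d+) \d+ : "(?P<text>.*)"$'
)
RELAYSTATE_FAIL = "relaystate url FAILED the whitelist check"

# Constructed sample: the three ns.log lines quoted in the question.
SAMPLE_LOG = [
    'Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN '
    'Message 944394 0 : "SAMLSP: LOGIN SUCCESS; Core <0>, Copying logout url '
    '<https://login.microsoftonline.com/{tenant}/saml2> to session for saml logout, '
    'user <first.last@company.com>"',
    'Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default SSLVPN '
    'Message 944395 0 : "WebView is complete; sending completion response; suspending '
    'session policy eval for user <first.last@company.com>, aaa flags 20, flags2 41101"',
    'Oct 25 08:11:35 <local0.info> XXX 10/25/2024:08:11:35 GMT XXX 0-PPE-0 : default AAATM '
    'Message 944396 0 : "authv3_webview relaystate url FAILED the whitelist check, '
    'will abort this login attempt"',
]

def parse_nslog(lines):
    """Yield one dict (ts, module, msgid, text) per line matching the layout above."""
    for line in lines:
        m = NSLOG_RE.search(line)
        if m:
            yield m.groupdict()

def find_relaystate_failures(lines):
    """Return (timestamp, message id) for every AAATM relay-state whitelist failure."""
    return [(e["ts"], e["msgid"]) for e in parse_nslog(lines)
            if e["module"] == "AAATM" and RELAYSTATE_FAIL in e["text"]]

def missing_patset_entries(bound_patterns):
    """Return the required schemes not among the patterns currently bound to the patset."""
    bound = {p.strip().lower() for p in bound_patterns}
    return [p for p in REQUIRED_PATTERNS if p not in bound]

def bind_commands(missing, start_index=1):
    """Render the 'bind policy patset' CLI lines from the thread for the missing entries."""
    return [f'bind policy patset {PATSET_NAME} "{p}" -index {i} -charset ASCII'
            for i, p in enumerate(missing, start=start_index)]
```

Run `find_relaystate_failures(SAMPLE_LOG)` to confirm the failure is the one from the question, and `bind_commands(missing_patset_entries([]))` to get the three bind lines for an empty patset.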