Posted November 11, 2024

Hi everyone,

I've stumbled across an issue where NetScaler is used as IdP for Citrix DaaS (Adaptive Auth or Citrix Gateway used as Workspace Auth). The issue exists only on iOS when using Safari (18.1) or the Google Chrome App. With the Firefox or MS Edge App it's working fine - also, when using the native Workspace App or any other clients (Windows, Mac, ...), there are no issues.

Issue description: Browsing to customer.cloud.com -> Redirect to NetScaler AAA auth.customer.com -> Authenticating with LDAPS and RADIUS (Azure MFA NPS) -> Accepting MFA prompt from MS-Authenticator App -> It's stuck and never redirects back to customer.cloud.com with SSO.

When refreshing the page, you can re-enter the credentials, but it makes no difference.

So it looks like this, and it's stuck saying "Processing your request" but will never redirect back to the customer.cloud.com page. On the Logon button the circle is running.

I'm sure this was working fine months ago; I'm thinking about Safari Update / Version or NetScaler Build (14.1).

Logs from NetScaler aren't saying anything; it just stops after the last nFactor policy, before creating the OAuth IdP token and sending it back to Citrix DaaS - which would be the last step getting back to DaaS.

When I disable MFA for my user, so just sign on with UPN + LDAPS, the issue is gone in both apps (Safari and Chrome) - it feels like after accepting the MS-Authenticator MFA prompt, there is a missing "push" from the MS App to the browser, saying "MFA done, now go on please". I'm just wondering why it's only these two apps on iOS, where any other clients / browsers are working fine with that.

Hint: Switching to Entra ID without NPS isn't an option (for now).

Is anyone able to reproduce this, or does anyone have ideas for troubleshooting it further?

Thanks and Best Regards
Julian

December 11, 2024 (Author)

It looks like the issue is gone with iOS 18.2 (with Safari 18.2 and the latest Chrome App version 131.0.6778.134).