I followed the Carl's blog
https://www.carlstalhood.com/citrix-federated-authentication-service-saml
Though instead of doing SAML with Azure/Entra we're doing SAML with Duo.
The login to the URL going to the Citrix vServer on the netscaler works, and we're able to launch the VDA's but the VDA's then prompt for a username and password.
I've already checked the Duo KB's that Carl linked and ensured the EnableSmartCards reg is set to 1, WrapSmartCards is set to 0, and ProvidersWhitelist has the CitrixMirrorCredentialProvider GUID with brackets populated. To rule it out I even uninstalled Duo for windows logon at one point to test.
On the CA I see FAS is requesting the smartcard certs, and confirmed the various event ID's are showing up with the sole exception being 204.
The Netscaler is on 13.0-92.21_nc_64
The FAS, StoreFront, Delivery Controller, and the VDA I'm focusing my testing on are on 2311.
The only error I'm seeing is the attached image.
I'm not sure which log I need to look at since that might point me in the right direction.