Azure AD as SAML IdP and Citrix ADC as SAML SP

There are some really good articles on configuring Azure AD as a SAML IdP and a Citrix Netscaler (the product formerly known as ADC, formerly known as Netscaler, confused?) as a SAML SP.

Rather than reinventing those articles I’ll simply link to the best that I’ve come across, so go show them some love and check those out. You will certainly need those to configure the bulk of your setup.


For this article I wanted to cover a configuration step which seems to be missing from these articles, including Citrix’s own article on the subject. That missing configuration step is the optional Logout Url which is configured in the Azure Enterprise Application under the Single sign-on configuration for SAML based Sign-on.

The Feature

Without this url, when the Citrix StoreFront session times out the user lands on an Azure page telling them to close their browser. If they don’t do this and simply go back to the StoreFront url, they are authenticated straight through without being prompted for credentials again, and when Citrix FAS is in the mix they also hit the message “You cannot log on using a smart card.” This happens because the session on the Netscaler has never actually been cleared down. For this to work correctly the session must be invalidated and the auth process must start again.

The Fix

This can be avoided by adding a url, poorly documented by Citrix, to the Azure Enterprise Application’s SAML based Sign-on configuration.

So what’s this magic url that’s going to make things work a lot better for me?

Set Logout Url (Optional) to https://fqdn.domain.tld/cgi/logout

After setting this, the user briefly sees the logout “please close your browser” message before being redirected to https://fqdn.domain.tld/cgi/logout. The SAML 2.0 logout request is POSTed along with this browser redirect, which causes the Netscaler to clear the session down.

Finally the user is left on a page from the Netscaler saying they have been logged off, with a handy button for them to log on again. No closed browsers, no errors, a much better experience all round.

Now, there are cases where this message will come up regardless. If the user closes their tab without closing the browser and then opens a new tab, they can get into a state where the message appears. This is because the logout process, which clears the cookies set on login, never ran. While these cookies are present (in particular CtxsAuthId and CtxsSmartcardAuthenticated) you will still see the message “You cannot log on using a smart card”.
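To confirm that the logout flow above is actually doing its job, a practitioner can capture the browser POST to /cgi/logout, decode the SAMLRequest field, and then check whether the Citrix cookies from the previous paragraph are gone. The following Python script is an added example, not Citrix or Microsoft code: it decodes a LogoutRequest sent with either the HTTP-POST or HTTP-Redirect binding, checks its Destination and Issuer against expected values, and lists any Citrix session cookies that survived. The logout URL is the one given in this article; the issuer value, the sample LogoutRequest and the cookie jar are constructed placeholders.

```python
"""Check an Azure AD -> Citrix ADC SAML logout exchange.

Added example, not Citrix or Microsoft code. Assumptions: the ADC logout
URL below is the one the article gives; the issuer is a constructed
placeholder in the shape Azure AD uses (https://sts.windows.net/<tenant-id>/);
the sample LogoutRequest and the cookie jar are constructed test data.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

EXPECTED_DESTINATION = "https://fqdn.domain.tld/cgi/logout"  # from the article
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder

# Citrix cookies the article names; if they survive a "logout", the session was not cleared.
CITRIX_SESSION_COOKIES = ("CtxsAuthId", "CtxsSmartcardAuthenticated")


def decode_saml_request(value: str) -> str:
    """Return the XML behind a SAMLRequest parameter.

    The HTTP-POST binding carries plain base64 XML; the HTTP-Redirect
    binding carries base64 of a raw DEFLATE stream. A deflate stream can
    never begin with '<' (the block-header bits rule it out), so that is
    enough to tell the two apart.
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def check_logout_request(saml_request: str) -> dict:
    """Parse a LogoutRequest and report which expectations it meets."""
    root = ET.fromstring(decode_saml_request(saml_request))
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    return {
        "id": root.get("ID", ""),
        # Destination must be the ADC logout endpoint; otherwise the ADC
        # session is never told to end and the user stays logged in.
        "destination_ok": root.get("Destination") == EXPECTED_DESTINATION,
        "issuer_ok": root.findtext(f"{{{NS_SAML}}}Issuer", default="") == EXPECTED_ISSUER,
        "has_name_id": bool(root.findtext(f"{{{NS_SAML}}}NameID", default="")),
        "has_session_index": bool(root.findtext(f"{{{NS_SAMLP}}}SessionIndex", default="")),
    }


def stale_citrix_cookies(cookies: dict) -> list:
    """Names of Citrix session cookies still present after logout should have run."""
    return [name for name in CITRIX_SESSION_COOKIES if cookies.get(name)]


# --- constructed sample data -------------------------------------------------
SAMPLE_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
    'ID="_constructed-request-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{EXPECTED_DESTINATION}">'
    f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
    "<saml:NameID>user@example.com</saml:NameID>"
    "<samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def encode_post_binding(xml: str) -> str:
    """Encode XML the way the HTTP-POST binding does (plain base64)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does (raw deflate + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


if __name__ == "__main__":
    for label, encoded in (("POST", encode_post_binding(SAMPLE_XML)),
                           ("Redirect", encode_redirect_binding(SAMPLE_XML))):
        print(label, check_logout_request(encoded))
    # Constructed cookie jar as it might look after a tab was closed without logging out.
    print("stale:", stale_citrix_cookies({"CtxsAuthId": "abc", "CtxsSmartcardAuthenticated": "true"}))
```

In practice you would paste the SAMLRequest value from the browser's network capture into `check_logout_request` and the cookie list for the ADC host into `stale_citrix_cookies`; a Destination that is not the /cgi/logout endpoint, or a cookie jar that still holds CtxsAuthId after the redirect, is the symptom the article describes.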

The Not Recommended Fix

Citrix do have an article on allowing the user to log on without closing the browser; however, this has security implications of its own. Say a user logs off Citrix but is still authenticated with the IdP. If a second user then uses the machine, Citrix will use the credentials of the previous user to sign in automatically. In this case the second user will have access to the first user’s Citrix Desktop and Apps, including all their files. Less than ideal.

If you are interested in this setting you can find it documented at

Hopefully this helps.

