SAML Assertion verification fails with Multiple SPs and NetScaler as IDP

Article ID: CTX230267

Description

With multiple SPs and NetScaler as IDP, a "SAML Assertion verification failed" error is seen in the browser for all SPs except one.

Resolution

From the GUI, it is not possible to change the gotoPriorityExpression when adding a SAML IDP policy binding.

The solution is therefore to remove the SAML IDP policy binding and then bind the same policy again from the CLI prompt with gotoPriorityExpression NEXT.

CLI:

bind authentication vserver Saml-IDP-Vserver -policy auth_pol_SAML -priority 90 -gotoPriorityExpression NEXT
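The full CLI sequence for an IDP vserver serving two SPs, as an added example that is not part of this article: the vserver name and the policy auth_pol_SAML come from the article, while the second policy name auth_pol_SAML_SP2 and the priority 100 are assumed placeholders for the second SP's policy. Lines starting with # are explanatory comments, not NetScaler commands.

```text
# Remove the GUI-created bindings, which carry gotoPriorityExpression END
unbind authentication vserver Saml-IDP-Vserver -policy auth_pol_SAML
unbind authentication vserver Saml-IDP-Vserver -policy auth_pol_SAML_SP2

# Rebind every SP policy with NEXT so evaluation continues past the first
# matching policy (each policy rule is "true", so END would stop at the
# highest-priority binding and the other SPs would never be evaluated)
bind authentication vserver Saml-IDP-Vserver -policy auth_pol_SAML -priority 90 -gotoPriorityExpression NEXT
bind authentication vserver Saml-IDP-Vserver -policy auth_pol_SAML_SP2 -priority 100 -gotoPriorityExpression NEXT

# Verify: every policy binding listed for the vserver should now report
# NEXT rather than END as its goto priority expression
show authentication vserver Saml-IDP-Vserver

# Persist the corrected bindings across a restart
save ns config
```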

Problem Cause

When multiple SAML IDP policies are bound to the AAA VIP (one for each SP, each with the expression true) and the binding is done from the GUI, each policy is bound with "-gotoPriorityExpression END".

Because END stops policy evaluation after the first matching policy, the subsequent SP policies are never evaluated; only the one with the highest priority is.

Additional Information

Citrix Documentation - NetScaler as a SAML IdP

Citrix Documentation - SAML SSO to multiple SPs through NetScaler configured as IDP using the ServiceProviderID approach