Citrix Gateway fails to logout SAML (redirect) from IDP
Article ID: CTX239178
Description
Scenario:
- Citrix Gateway integrated with StoreFront
- Gateway VIP has a SAML policy bound
- Microsoft acting as the SAML IDP
- Redirect logout binding configured in the SAML settings on the Citrix ADC; this part works, as the sessions are cleared on the IDP.
However, the user session is not cleared on the Gateway, as "show aaa session" shows:
- When the user clicks the log off button, the user is redirected to the IDP logoff URL and the session on the IDP is cleared.
- In response, the IDP sends the SAML logout response.
- The client machine then sends a GET request to the NSG URL carrying the SAML response; the full request URI looks like:
https://apps.example1.com/cgi/logout?SAMLResponse=asdsacklasclkasxxxxxxxxxxx
- Instead of treating this as a SAML logout response, the NS forwards the request to the StoreFront server, which returns a 404.
- If we check the user session using "show aaa session", it still shows up and is not cleared.
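To confirm what the IdP is actually sending on that GET while troubleshooting, the following added example (not Citrix's or the ADC's own code) decodes a SAML HTTP-Redirect binding LogoutResponse from the gateway logout URL and reports its status and InResponseTo; the LogoutResponse content and identifiers it builds are constructed samples, not a real capture.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_redirect_binding(value: str) -> bytes:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64;
    # the URL-encoding layer has already been removed by parse_qs.
    return zlib.decompress(base64.b64decode(value), -15)


def classify_logout_get(url: str) -> dict:
    # Inspect a GET to the gateway logout URL: does it carry a SAML
    # LogoutResponse, and what status did the IdP return? A gateway that
    # handles the redirect binding should consume such a request itself
    # rather than forwarding it to StoreFront.
    qs = parse_qs(urlsplit(url).query)
    result = {"saml_logout_response": False, "status": None, "in_response_to": None}
    if "SAMLResponse" not in qs:
        return result
    root = ET.fromstring(decode_redirect_binding(qs["SAMLResponse"][0]))
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        return result
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    value = code.get("Value") if code is not None else None
    result["saml_logout_response"] = True
    result["status"] = "Success" if value == SUCCESS else value
    result["in_response_to"] = root.get("InResponseTo")
    return result


def build_sample_logout_url(in_response_to: str = "_req-constructed-1") -> str:
    # Constructed sample (not a real capture): a minimal IdP LogoutResponse,
    # encoded for the redirect binding and placed on the logout URL above.
    xml = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp-constructed-1" '
        f'Version="2.0" IssueInstant="2018-01-01T00:00:00Z" '
        f'InResponseTo="{in_response_to}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f"</samlp:LogoutResponse>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    encoded = quote(base64.b64encode(deflated).decode(), safe="")
    return "https://apps.example1.com/cgi/logout?SAMLResponse=" + encoded


if __name__ == "__main__":
    print(classify_logout_get(build_sample_logout_url()))
```

Paste the SAMLResponse value from a real trace into the URL in place of the constructed one; a Success status with the expected InResponseTo means the IdP side completed and the remaining session is the gateway's to clear.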
Resolution
This issue will be fixed in the upcoming release 12.1.50.x.
Problem Cause
Issue 0717227
Issue/Introduction
Scenario: MS acting as IDP, ADC acting as SP. When the user clicks logout on StoreFront, the session remains active on the Gateway and the SAML (redirect) logout fails to log out the session. So if the user accesses StoreFront again after logout, they are allowed through without authentication.