Citrix Application Delivery Controller and Citrix Gateway - SAML Configuration Reference Guide


Article ID: CTX316577


Description

This article is intended for customers who have configured Citrix ADC or Citrix Gateway as a SAML IdP (Identity Provider), a SAML SP (Service Provider), or both.

Unless the appliance is upgraded to one of the fixed builds listed below and its SAML configuration follows the recommended settings in this article, Citrix ADC or Citrix Gateway may allow an attacker to hijack a valid user session. See the security bulletin at https://support.citrix.com/article/CTX297155.

Resolution

As noted in the security bulletin https://support.citrix.com/article/CTX297155, the following Citrix ADC builds address the vulnerability:
  • Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
  • Citrix ADC and NetScaler Gateway 12.1-62.23 and later releases of 12.1
  • Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
  • Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix strongly recommends that affected customers install these updates as soon as possible and, in addition, update the SAML action and SAML IdP profile configuration on the appliance as described below. Both steps are required: the upgrade alone does not restrict where a RelayState or ACS URL may point.
 

SAML action

Administrators must configure an expression for the relayStateRule parameter of the SAML action. The expression must allow only the published domains that users connect to before being redirected to the authentication virtual server, that is, the domains of the front-end virtual servers (VPN, LB, or CS) that use this SAML action for authentication.

Citrix recommends matching the full URL of each domain, including the scheme and a trailing '/'.
Example: https://example.com/

If Citrix ADC or Citrix Gateway is configured as a SAML SP, use one of the following forms to configure the rule.
Example:
  • set samlaction <samlActionName> -relaystateRule "AAA.LOGIN.RELAYSTATE.EQ(\"https://example1.com/\")"
Note: The forward slash "/" at the end of the URL is required (example: https://example1.com/).

  • Use a patset when a SAML action must accept several domains; create a separate patset for each SAML action if there are several. Replace the patset name (test1) and the domains (example1.com, test1.com and 10.11.11.112) with your own.
add patset test1
bind patset test1 "https://example1.com/"
bind patset test1 "https://test1.com/"
bind patset test1 "https://10.11.11.112/"

set samlaction <samlActionName> -relaystateRule "AAA.LOGIN.RELAYSTATE.CONTAINS_ANY(\"test1\")"
  • set samlaction <samlActionName> -relaystateRule "AAA.LOGIN.RELAYSTATE.REGEX_MATCH(re#^https://[a-zA-Z0-9]*\.example1\.com/#)"
Note: Anchor the expression at the start with "^" (example: ^https) and end it with the forward slash "/" (example: example1\.com/). Without the anchor, an allow-listed URL embedded anywhere in the RelayState would match; without the trailing slash, a longer host name that merely begins with the allowed one would match.

Points to note

  • In the preceding examples, example1.com is the domain of the load balancing virtual server that acts as the SAML service provider.
  • Use a regular expression when the host part must be matched by pattern (for example, a set of subdomains) rather than listed exactly.
  • If the Citrix ADC appliance is partitioned, update the configuration in every partition, including the default partition.

 

SAML IdP profile

In the SAML IdP profile, configure the acsUrlRule parameter with an expression that allows only the Assertion Consumer Service (ACS) URLs of the service providers this IdP serves. The exact value depends on the SP in use; if the SP is itself a Citrix ADC, its ACS URL is https://<SP-domain_name>/cgi/samlauth. Citrix recommends matching the full URL in the expression.

If Citrix ADC or Citrix Gateway is configured as a SAML IdP, use one of the following forms to configure the rule.

Example:
  • set samlidPProfile <idpProfileName> -acsUrlRule "AAA.LOGIN.SAML_REQ_ACS_URL.REGEX_MATCH(re#^https://example2\.com/cgi/samlauth$#)"

Note: Anchor the expression at the start with "^" (example: ^https) and at the end with the dollar sign "$" (example: samlauth$), so that only the exact ACS URL matches and not a URL that merely contains it.

  • Use a patset when several SPs must be accepted; create a separate patset for each SAML IdP profile if there are several. Replace the patset name (test2) and the domains (example2.com, test2.com and 10.12.134.112) with your own.
add patset test2
bind patset test2 "https://example2.com/cgi/samlauth"
bind patset test2 "https://test2.com/cgi/samlauth"
bind patset test2 "https://10.12.134.112/cgi/samlauth"

set samlidPProfile <idpProfileName> -acsUrlRule "AAA.LOGIN.SAML_REQ_ACS_URL.EQUALS_ANY(\"test2\")"

Points to note
  • In the preceding examples, example2.com is the domain of the SP to which the SAML assertion is sent.
  • If the Citrix ADC appliance is partitioned, update the configuration in every partition, including the default partition.
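The following Python script is an added example; it is not part of this article and not Citrix product code. It emulates the four text operators used in the SAML action and SAML IdP profile sections above (EQ, CONTAINS_ANY, EQUALS_ANY, REGEX_MATCH) with the semantics documented for Citrix policy expressions, which are assumed here, and runs constructed RelayState and ACS URLs through both loose rules and the recommended ones, so you can see what the leading "^", the trailing "/" or "$", and the choice of operator actually exclude. The allow-lists reuse the article's sample domains; the attacker-shaped URLs are constructed for illustration.

```python
"""Emulation of the Citrix ADC text operators used in the relayStateRule and
acsUrlRule recommendations, run against constructed URLs.

Assumed operator semantics (Citrix policy-expression reference):
  EQ("x")              exact string equality
  CONTAINS_ANY(ps)     TRUE if the value contains any patset entry as a substring
  EQUALS_ANY(ps)       TRUE if the value equals some patset entry
  REGEX_MATCH(re#..#)  TRUE if the regex matches anywhere; not anchored unless
                       the pattern itself uses ^ and $
"""
import re
from typing import Callable, Dict, Iterable, Tuple

# Constructed allow-lists mirroring the article's patsets test1 and test2.
RELAYSTATE_PATSET: Tuple[str, ...] = (
    "https://example1.com/",
    "https://test1.com/",
    "https://10.11.11.112/",
)
ACS_PATSET: Tuple[str, ...] = (
    "https://example2.com/cgi/samlauth",
    "https://test2.com/cgi/samlauth",
    "https://10.12.134.112/cgi/samlauth",
)


def contains_any(value: str, patset: Iterable[str]) -> bool:
    """CONTAINS_ANY: substring test against every patset entry."""
    return any(entry in value for entry in patset)


def equals_any(value: str, patset: Iterable[str]) -> bool:
    """EQUALS_ANY: exact-match test against every patset entry."""
    return value in set(patset)


def regex_match(value: str, pattern: str) -> bool:
    """REGEX_MATCH: unanchored search, like re.search."""
    return re.search(pattern, value) is not None


Rule = Callable[[str], bool]

# relayStateRule candidates (SP side). The "weak_*" entries are loose rules of
# the kind the article's notes warn against; the rest follow its examples.
RELAYSTATE_RULES: Dict[str, Rule] = {
    "weak_contains_host":    lambda v: "example1.com" in v,
    "weak_regex_unanchored": lambda v: regex_match(v, r"example1\.com"),
    "eq_full_url":           lambda v: v == "https://example1.com/",
    "patset_contains_any":   lambda v: contains_any(v, RELAYSTATE_PATSET),
    "regex_anchored":        lambda v: regex_match(
        v, r"^https://[a-zA-Z0-9]*\.example1\.com/"),
}

# acsUrlRule candidates (IdP side).
ACS_RULES: Dict[str, Rule] = {
    "weak_regex_no_caret": lambda v: regex_match(
        v, r"https://example2\.com/cgi/samlauth$"),
    "weak_contains_any":   lambda v: contains_any(v, ACS_PATSET),
    "regex_anchored":      lambda v: regex_match(
        v, r"^https://example2\.com/cgi/samlauth$"),
    "patset_equals_any":   lambda v: equals_any(v, ACS_PATSET),
}


def evaluate(rules: Dict[str, Rule], value: str) -> Dict[str, bool]:
    """Return {rule_name: accepted} for one RelayState or ACS URL."""
    return {name: rule(value) for name, rule in rules.items()}


# Constructed inputs. The leading entries of each list are legitimate values;
# the ones naming attacker.example are shaped like hijack attempts.
RELAYSTATE_SAMPLES = [
    "https://example1.com/",
    "https://portal.example1.com/vpn/index.html",
    "https://example1.com.attacker.example/",
    "https://attacker.example/?next=https://example1.com/",
]
ACS_SAMPLES = [
    "https://example2.com/cgi/samlauth",
    "https://test2.com/cgi/samlauth",
    "https://example2.com.attacker.example/cgi/samlauth",
    "https://attacker.example/?u=https://example2.com/cgi/samlauth",
]

if __name__ == "__main__":
    for title, rules, samples in (
        ("relayStateRule", RELAYSTATE_RULES, RELAYSTATE_SAMPLES),
        ("acsUrlRule", ACS_RULES, ACS_SAMPLES),
    ):
        print(f"== {title} ==")
        for sample in samples:
            print(sample)
            for name, accepted in evaluate(rules, sample).items():
                verdict = "ACCEPT" if accepted else "reject"
                print(f"    {verdict:6}  {name}")
```

Run it with python3 and read the ACCEPT/reject matrix. Two details worth checking against your own deployment: the article's regex `^https://[a-zA-Z0-9]*\.example1\.com/` matches subdomains only (it requires a label and a dot before example1.com and does not allow hyphens in that label), so the apex `https://example1.com/` itself has to be allowed through EQ or a patset entry if users land there; and CONTAINS_ANY is a substring test, so a RelayState such as `https://attacker.example/?next=https://example1.com/` satisfies the patset form. If the RelayState values you expect are fixed URLs, EQUALS_ANY (the operator the IdP example uses) is the stricter choice; if they carry paths, the anchored REGEX_MATCH keeps the prefix check while still pinning the host.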