SAML Intermittence on Citrix Gateway: Internal server error 43524

Article ID: CTX573440

Description

Users may experience intermittent issues during the SAML configuration process on Citrix Gateway. This can result in unpredictable behavior, with some users successfully accessing the SAML login while others encounter an "Internal server error 43524" message.

Resolution

Workaround: To temporarily address the issue, follow the steps below:

  1. Access the shell command-line interface.

  2. Run the following command:

    nsapimgr_wr.sh -ys call=ns_aaa_saml_disable_context

    This command disables the deserialized context for SAML, allowing testing and troubleshooting without disrupting authenticated users.

    Note: Apply any configuration changes after business hours to minimize potential impact.

  3. If the workaround proves successful, you can make the configuration persistent to survive device reboots. Execute the command:

    echo "nsapimgr_wr.sh -ys call=ns_aaa_saml_disable_context" >> /nsconfig/rc.netscaler

    This ensures that the SAML context remains disabled even after a device reboot.


Reverting the Configuration: If the workaround does not provide the expected resolution or if you need to re-enable the SAML context, follow these steps:

  1. Access the shell command-line interface.

  2. Run the following command:

    nsapimgr_wr.sh -ys call=ns_aaa_saml_enable_context

    This command enables the deserialized context for SAML, restoring the default behavior.

Problem Cause

Possible causes of the intermittent behavior include, but are not limited to:
  • Configuration conflicts: There may be conflicts or misconfigurations in the SAML configuration settings on the Citrix Gateway.
  • Software or firmware issues: There might be software defects or compatibility issues within the Citrix Gateway software or firmware.
  • Networking or connectivity problems: Issues with network connectivity or interruptions in communication between the Citrix Gateway and the SAML Identity Provider.
  • A bug that was fixed in Citrix Gateway firmware versions NS13.0.89.x and NS13.1.35.x. This bug produces log entries showing "SAML deserialize error: failed to extract saml action or failed context".
  • By-design behavior: a timeout expires when users linger on the login page. This produces log entries showing "deserialize aaa_info, timestamp verification failed".

It is recommended to consult the Citrix documentation, reach out to Citrix support, or involve your system administrator to further investigate and diagnose the specific cause of the intermittent behavior in your Citrix Gateway's SAML configuration. They will be able to provide more accurate insights and assistance based on the specific setup and environment in use.
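
The two log messages listed under Problem Cause point to different causes, so counting them separately shows whether the failures match the fixed firmware bug or the login-page timeout. The script below is an added example, not Citrix code; the function names, verdict labels and the sample log lines (including their timestamp and host prefix) are constructed for illustration, and only the two quoted message strings come from this article.

```shell
#!/bin/sh
# Added example (not Citrix code): triage SAML deserialize failures by log message.
BUG_MSG='SAML deserialize error: failed to extract saml action or failed context'
TIMEOUT_MSG='deserialize aaa_info, timestamp verification failed'

# Print how many lines of file $1 contain the literal string $2.
count_matches() {
    n=$(grep -cF -e "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print "bug=N timeout=M verdict=V" for log file $1.
classify_saml_log() {
    if [ ! -r "$1" ]; then
        echo "bug=0 timeout=0 verdict=unreadable"
        return 1
    fi
    bug=$(count_matches "$1" "$BUG_MSG")
    tmo=$(count_matches "$1" "$TIMEOUT_MSG")
    if [ "$bug" -gt 0 ] && [ "$tmo" -gt 0 ]; then
        verdict=mixed
    elif [ "$bug" -gt 0 ]; then
        verdict=firmware-bug    # compare firmware with the fixed builds
    elif [ "$tmo" -gt 0 ]; then
        verdict=login-timeout   # by design: user lingered on the login page
    else
        verdict=no-match
    fi
    echo "bug=$bug timeout=$tmo verdict=$verdict"
}

# Constructed sample lines; the timestamp/host prefix is an assumption.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 09:01:12 gw1 example: SAML deserialize error: failed to extract saml action or failed context
Jan 10 09:03:40 gw1 example: deserialize aaa_info, timestamp verification failed
Jan 10 09:04:02 gw1 example: SAML deserialize error: failed to extract saml action or failed context
Jan 10 09:05:15 gw1 example: unrelated line that matches neither message
EOF
}
# With an argument, classify that file; otherwise use the constructed sample.
if [ -n "${1:-}" ]; then
    classify_saml_log "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    classify_saml_log "$sample"
    rm -f "$sample"
fi
```

A `login-timeout` verdict means the errors match the by-design case, where disabling the SAML context is not addressing a defect; a `firmware-bug` verdict is the case to check against the fixed firmware versions named above.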

Issue/Introduction

This article provides a temporary workaround to address intermittent behavior in the SAML configuration on Citrix Gateway. The workaround involves disabling the deserialized context for SAML using a command-line interface. It also offers steps to make the configuration persistent and mentions the expected fix in future firmware versions.