Vincent Sprague, posted July 20, 2017:

I am attempting to set up XenApp 7.12 and a NetScaler Gateway with SAML SSO authentication between two separate forests. I have AD FS set up between the two forests and I have Citrix installed and configured with the NetScaler Gateway. When I browse to the NetScaler Gateway URL it redirects me to the ADFS landing page, where I select which domain I want to log in to. When I make a selection it then sends me back to the NetScaler Gateway /cgi/samlauth and says "Malformed Assertion sent to Netscaler", and I am not sure where the issue is or what I need to do to fix it. I spent the afternoon working on this and made little progress. I'm hoping someone can point me in the right direction.
CarlStalhood, posted July 20, 2017:

It's usually due to an incorrect ADFS certificate imported to NetScaler. Or you didn't change the NetScaler SAML Action to SHA-256.
Vincent Sprague (author), posted July 20, 2017:

I checked the NetScaler, and the SAML server Signature Algorithm is set to use RSA-SHA256 and the Digest Method is set to SHA256 as well. I have been leaning towards a certificate issue, but I'm not sure what the issue is. I have two forests set up to test this: essentially an "exterior.local" domain and an "internal.local" domain. I set the ADFS servers to use adfs.internal.local and adfs.exterior.local respectively. I created certificates for those names in their respective CAs. Citrix is installed on the internal.local domain, so I used the adfs.internal.local certificate for the IDP Certificate. I tried switching them to the adfs.exterior.local certificate, but it just made the situation worse. Do the IDP certificates need to have some special features set for them to work? When I created them I generated essentially basic web server certificates out of the CA with a single name. I've thought about switching to a wildcard cert, but I'm not sure if the name is the issue or not.
Vincent Sprague (author), posted July 21, 2017:

I ended up rebuilding my ADFS setup from scratch, and after making a few changes to the NetScaler config I'm getting further along than I was. Still not 100%, but getting closer.
bartek Cieszewski, posted July 6, 2021:

Whoever appears here in 2021 and beyond: the reason might also be a time difference between the IDP and NetScaler. Restarting NTP to sync it can help:

    disable ntp sync
    enable ntp sync
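An added triage script, not from any poster in this thread: it inspects a decoded SAML Response for the three causes raised above (IdP certificate mismatch, signature/digest not SHA-256, and IdP/NetScaler clock skew) before NetScaler gets to say "Malformed Assertion". The SAML Response and the certificate blob are constructed placeholders, and the 5-minute skew tolerance is an assumption.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def fingerprint(b64_cert):
    """SHA-256 fingerprint of a base64/PEM certificate body (armour lines dropped)."""
    body = "".join(l for l in b64_cert.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def check_response(xml_text, idp_cert_b64, now, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means every check passes."""
    findings = []
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        findings.append("Assertion is not signed")
    else:
        alg = lambda tag: (sig.find(f".//ds:{tag}", NS).get("Algorithm")
                           if sig.find(f".//ds:{tag}", NS) is not None else None)
        if (alg("SignatureMethod"), alg("DigestMethod")) != (RSA_SHA256, SHA256):
            findings.append("signature/digest is not RSA-SHA256/SHA256 as the SAML action expects")
        cert = sig.find(".//ds:X509Certificate", NS)  # certificate ADFS signed with
        if cert is not None and fingerprint(cert.text) != fingerprint(idp_cert_b64):
            findings.append("signing certificate differs from the IdP certificate on NetScaler")
    cond = a.find("saml:Conditions", NS)
    ts = lambda s: datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)  # drops ms/Z
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + max_skew < ts(nb):
            findings.append("NotBefore is in the future: clock skew, re-sync NTP on NetScaler")
        if na and now - max_skew >= ts(na):
            findings.append("NotOnOrAfter already passed: clock skew or stale assertion")
    return findings

# Constructed sample: the certificate is a placeholder blob, not a real X.509 certificate.
SAMPLE_CERT = base64.b64encode(b"placeholder-idp-cert").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Assertion><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference></ds:SignedInfo>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature><saml:Conditions NotBefore="2017-07-20T14:00:00Z" NotOnOrAfter="2017-07-20T14:05:00Z"/>
</saml:Assertion></samlp:Response>"""
```

Feed it the base64-decoded SAMLResponse from the POST to /cgi/samlauth and the certificate bound to the NetScaler SAML action; a non-empty list names the mismatch to fix first.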