Overview
Quick post about an OAuth issue with Citrix ADC's SSL VPN. There is a missing hint in CTX225084, as that article refers only to SharePoint deployments. OAuth clients send their access token in the HTTP Authorization header as a Bearer token. When users access web apps through the Citrix Gateway plug-in (SSL VPN) or through a content switching virtual server with AAA enabled, the ADC strips the OAuth Authorization header, so SSO fails and access to some resources of the web app stops working.
Solution
Create the traffic policy below and bind it to the Citrix Gateway virtual server with a lower priority number (i.e. evaluated first) than any other traffic policies bound there.
# for SSL VPN usage
add vpn trafficAction traf_act_SSLVPN_AuthHeader_Bearer http -SSO OFF
add vpn trafficPolicy traf_pol_SSLVPN_AuthHeader_Bearer "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" traf_act_SSLVPN_AuthHeader_Bearer
bind vpn vserver vpn.customer.com_NSGW_VPN -policy traf_pol_SSLVPN_AuthHeader_Bearer -priority 90 -gotoPriorityExpression END -type REQUEST

# for Content Switching / LB vServer / AAA usage
add tm trafficAction TraffPol_No-SSO -SSO OFF -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy TraffPolicy_No-SSO "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" TraffPol_No-SSO
bind lb vserver YourLBvServerName -policyName TraffPolicy_No-SSO -priority 90 -gotoPriorityExpression END -type REQUEST
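To show why the policy works and why its priority number matters, here is an added offline model of the evaluation (example code written for this post, not Citrix/NetScaler code). It mimics the documented semantics of request-time traffic policies (lowest priority number evaluated first, gotoPriorityExpression END stops evaluation), the policy expression above, and the behaviour described in the post (with SSO on, the ADC replaces the client's Authorization header). The sample requests, the token value and the "catch-all" competing policy are constructed for the demo.

```python
"""Offline model of traffic-policy evaluation for the Bearer/SSO fix.

Added illustration, not Citrix/NetScaler code. It assumes:
  - request policies are walked in ascending priority number,
  - a matching policy with gotoPriorityExpression END decides,
  - with SSO on, the ADC replaces the client's Authorization header
    (the failure mode described in the post).
All requests and token values below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Headers = Dict[str, str]


def header_contains_bearer(headers: Headers) -> bool:
    """Python equivalent of the policy rule
    HTTP.REQ.HEADER("Authorization").SET_TEXT_MODE(IGNORECASE).CONTAINS("Bearer").
    HTTP header names are case-insensitive, so match the name that way too."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            return "bearer" in value.lower()
    return False


@dataclass
class TrafficPolicy:
    name: str
    rule: Callable[[Headers], bool]
    sso: bool               # the bound trafficAction's -SSO setting
    priority: int           # the -priority used at bind time
    goto_end: bool = True   # -gotoPriorityExpression END


def effective_sso(policies: List[TrafficPolicy], headers: Headers,
                  default_sso: bool = True) -> bool:
    """Return the SSO setting that applies to one request.

    Policies are evaluated in ascending priority number. The first matching
    policy that ends evaluation decides; otherwise the last matching policy's
    setting (or the vserver default, here SSO on) applies."""
    result = default_sso
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(headers):
            result = policy.sso
            if policy.goto_end:
                break
    return result


def forward(headers: Headers, sso: bool) -> Headers:
    """Model the request the backend sees. With SSO on, the ADC replaces the
    client's Authorization header with its own credential (placeholder here);
    with SSO off, the client's header passes through untouched."""
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    if sso:
        out["Authorization"] = "<ADC-injected SSO credential>"  # placeholder
    else:
        out.update({k: v for k, v in headers.items()
                    if k.lower() == "authorization"})
    return out


# Constructed sample requests: an OAuth call and a Basic-auth call.
BEARER_REQUEST: Headers = {"Host": "app.customer.com",
                           "authorization": "bearer sample.access.token"}
BASIC_REQUEST: Headers = {"Host": "app.customer.com",
                          "Authorization": "Basic dXNlcjpwYXNz"}

# The policy from the post, bound at priority 90.
BEARER_NO_SSO = TrafficPolicy("traf_pol_SSLVPN_AuthHeader_Bearer",
                              header_contains_bearer, sso=False, priority=90)
# A constructed catch-all policy that switches SSO on for everything.
CATCH_ALL_SSO = TrafficPolicy("catch_all_sso", lambda h: True,
                              sso=True, priority=100)


def backend_auth_header(policies: List[TrafficPolicy], headers: Headers) -> str:
    """Convenience: the Authorization value the backend receives."""
    forwarded = forward(headers, effective_sso(policies, headers))
    for name, value in forwarded.items():
        if name.lower() == "authorization":
            return value
    return ""


if __name__ == "__main__":
    print("no policy     :", backend_auth_header([], BEARER_REQUEST))
    print("policy @90    :", backend_auth_header([BEARER_NO_SSO], BEARER_REQUEST))
    print("policy @90+100:", backend_auth_header([BEARER_NO_SSO, CATCH_ALL_SSO], BEARER_REQUEST))
    late = TrafficPolicy(BEARER_NO_SSO.name, header_contains_bearer, False, 110)
    print("policy @110   :", backend_auth_header([late, CATCH_ALL_SSO], BEARER_REQUEST))
    print("basic auth    :", backend_auth_header([BEARER_NO_SSO], BASIC_REQUEST))
```

Running it shows the Bearer token reaching the backend only when the no-SSO policy is bound and has the lowest priority number; bound at 110 behind a catch-all at 100, the catch-all wins and the token is lost again. Basic-auth requests still get SSO, which is the point of matching on "Bearer" rather than on the header's mere presence.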
I hope this helps others struggling with customer-built OAuth web apps behind Citrix ADC's SSL VPN.
Thanks very much for this post!