NetScaler – SSL VPN is breaking SSO to OAuth-based WebApps

Reading Time: < 1 minute

Table of Contents

Overview

Quick post about an OAuth-Issue with Citrix ADC’s SSL VPN. There is a missing hint in CTX225084 as this article is only refering to SharePoint deployments. OAuth can make use of the bearer authorization token. If users are trying to access WebApps via Citrix Gateway Plugin (SSL VPN) or Content Switching with enabled AAA, the ADC is removing the OAuth authorization header and this can cause SSO failing and access to specific resources of your WebApps stop working.

Solution

Create below traffic policy and bind it to the Citrix Gateway virtual server with a lower priority than possible other bound policies.

#for SSLVPN Usage
add vpn trafficAction traf_act_SSLVPN_AuthHeader_Bearer http -SSO OFF
add vpn trafficPolicy traf_pol_SSLVPN_AuthHeader_Bearer "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" traf_act_SSLVPN_AuthHeader_Bearer
bind vpn vserver vpn.customer.com_NSGW_VPN -policy traf_pol_SSLVPN_AuthHeader_Bearer -priority 90 -gotoPriorityExpression END -type REQUEST

#for Content Switching / LB vServer / AAA Usage
add tm trafficAction TraffPol_No-SSO -SSO OFF -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE
add tm trafficPolicy TraffPolicy_No-SSO "HTTP.REQ.HEADER(\"Authorization\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Bearer\")" TraffPol_No-SSO
bind lb vserver YourLBvServerName -policyName TraffPolicy_No-SSO -priority 90 -gotoPriorityExpression END -type REQUEST

I hope this is helping others, struggling with customer-built OAuth WebApps with Citrix ADC’s SSL VPN.

2 comments

Leave a Reply

Your email address will not be published. Required fields are marked *