SecureAuth IdP Version Affected: 9.1
Description: When using a Web Service (Multi-Datastore) realm to pass authentication into a realm integrated with Citrix NetScaler (SAML), you may receive the Citrix error "Cannot complete your request" while accessing the realm. This error occurs when the Citrix NetScaler resides on a different subdomain than the one the FBA SSO token was generated from. While the realm may have worked in prior SecureAuth versions, significant changes were made to the way tokens are handled in SecureAuth 9.1.
Cause: The FBA SSO token is rejected because the domain it is generated from is different from the one it is sent to (for example, login.secureauth.com and citrixportal.secureauth.com).
Resolution: Add ".yourdomain.com" in the Forms Authentication section of the Post Authentication tab on the Citrix NetScaler integrated realm.
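Added example (not SecureAuth code): a sketch of RFC 6265 cookie scoping applied to the two hostnames in the Cause, showing why a token scoped to the issuing host does not reach the NetScaler host and what a parent-domain value changes. It assumes the FBA SSO token is carried as a browser cookie; `wiki.secureauth.com` and the function names are constructed for illustration.

```python
# Illustration only. Assumption: the FBA SSO token travels as a browser cookie.
# Public-suffix checks and IP-address hosts are left out to keep the case small.

IDP_HOST = "login.secureauth.com"               # host named in the article
NETSCALER_HOST = "citrixportal.secureauth.com"  # host named in the article
OTHER_HOST = "wiki.secureauth.com"              # constructed sibling host


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_scope(setting_host, domain_attr):
    """Return (domain, host_only) as a browser would store it, or None if rejected."""
    if not domain_attr:
        # No Domain attribute: the cookie is bound to the exact issuing host.
        return (setting_host.lower(), True)
    domain = domain_attr.lower().lstrip(".")
    if not domain_match(setting_host, domain):
        # A host may not set a cookie for a domain it does not belong to.
        return None
    return (domain, False)


def is_sent(scope, request_host):
    """Would a cookie with this scope accompany a request to request_host?"""
    if scope is None:
        return False
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)


def reachable_hosts(domain_attr, hosts=(IDP_HOST, NETSCALER_HOST, OTHER_HOST)):
    """Hosts that receive a token cookie issued by IDP_HOST with this Domain value."""
    scope = cookie_scope(IDP_HOST, domain_attr)
    return [h for h in hosts if is_sent(scope, h)]


if __name__ == "__main__":
    print("no domain set    :", reachable_hosts(None))
    print(".secureauth.com  :", reachable_hosts(".secureauth.com"))
```

With a parent-domain value the token also reaches every other host under that domain, so review which subdomains exist before applying the setting.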
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.