Posted in : NetScaler By Simon Gottschlag

3 years ago

One of the best things about XenMobile and Secure Web is the SSO integration with NetScaler. It usually "just works", but I actually ran into an issue this time that was kind of interesting.
AAA form fill SSO using a web browser and AAA traffic policies worked without a problem, but when using the VPN traffic policies for Secure Web – the form fill only worked after manually refreshing the page.
After doing some initial troubleshooting and realizing it may be something deeper than just a misconfigured SSO, I decided to do a workaround – which actually works quite well until the problem is solved.
For those interested, it does seem like the NetScaler finds the CSRF token and inserts it – just that it doesn’t work the first time:

My solution was to insert a JavaScript snippet into the page and force Secure Web to refresh once, which magically gets the form fill to work:

add rewrite action RWA-RES-REFRESH_ONCE replace_all "HTTP.RES.BODY(9999).SET_TEXT_MODE(IGNORECASE)" "\"<body>\"+\"\\r\\n\"+\n\"<script type=\\\"text/javascript\\\">\"+\"\\r\\n\"+\n\"    if(!window.location.hash) {\"+\"\\r\\n\"+\n\"       window.location = window.location + \'#sso\';\"+\"\\r\\n\"+\n\"       window.location.reload();\"+\"\\r\\n\"+\n\"     }\"+\"\\r\\n\"+\n\"</script>\"+\"\\r\\n\"" -pattern "<body>"
add rewrite policy RWP-RES-REFRESH_ONCE "HTTP.REQ.HEADER(\"Host\").SET_TEXT_MODE(IGNORECASE).EQ(\"site.example.com\") && (HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/path/to/login\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/path/to/login/\"))" RWA-RES-REFRESH_ONCE
bind vpn vserver <NSGW vServer used by Secure Web> -policy RWP-RES-REFRESH_ONCE -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
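
The following is an added example, not part of the original post: a simplified JavaScript model of what the rewrite action matches and what the injected script does on each page load, useful for checking a saved login page before binding the policy. The function names and sample inputs are constructed, and it assumes an ASCII page so that characters and bytes coincide.

```javascript
// Added example (not the author's code): models RWA-RES-REFRESH_ONCE and the
// injected reload-once guard. Function names are hypothetical.

const PATTERN = "<body>";   // -pattern from the rewrite action
const SCAN_LIMIT = 9999;    // HTTP.RES.BODY(9999): only the start of the body is searched
const MARKER = "#sso";      // fragment the injected script appends

// The text the action writes in place of each match (lines joined with CRLF).
const INJECTED = [
  "<body>",
  '<script type="text/javascript">',
  "    if(!window.location.hash) {",
  "       window.location = window.location + '#sso';",
  "       window.location.reload();",
  "     }",
  "</script>",
  ""
].join("\r\n");

// Model of replace_all with SET_TEXT_MODE(IGNORECASE) over the first
// SCAN_LIMIT characters. Assumption: ASCII content, so characters == bytes.
function applyRewrite(body) {
  const head = body.slice(0, SCAN_LIMIT);
  const tail = body.slice(SCAN_LIMIT);
  let hits = 0;
  const rewritten = head.replace(new RegExp(PATTERN, "gi"), () => {
    hits++;
    return INJECTED;
  });
  return { hits, body: rewritten + tail };
}

// Model of the injected script: the URL the browser is sent to,
// or null when a fragment is already present and the page is left alone.
function reloadTarget(href) {
  const hash = new URL(href).hash; // "" when there is no fragment
  return hash ? null : href + MARKER;
}

// Follow the navigation chain to confirm the refresh happens exactly once.
function countReloads(href, max = 5) {
  let n = 0;
  for (let next = reloadTarget(href); next && n < max; next = reloadTarget(next)) n++;
  return n;
}
```

In this model a page whose tag is `<body class="login">`, or whose `<body>` tag starts beyond the first 9999 characters, gets zero hits and is served without the script. A Content-Security-Policy on the backend that disallows inline scripts would also stop the injected block from running.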

 
