CITRIX GATEWAY: ERROR "RELAY STATE IN RESPONSE DOES NOT MATCH WITH RULE IN ACTION"
The latest Citrix ADC firmware implements a feature to validate the relay state of an incoming SAML request at the Citrix ADC. To mitigate the potential risk from CVE-2020-8300, customers should implement this check after upgrading the firmware to 13.0-82.42 / 12.1-62.25, as recommended in https://support.citrix.com/article/CTX316577
This works fine as long as the user browses to the main URL, such as https://gateway.example.com
From the field we know that many people have bookmarks and want to use them to log in again. Since the steps from the article above strictly check for the relay state https://gateway.example.com/, this would not work if the bookmark points to https://gateway.example.com/Citrix/SAMLweb or, I guess, to some other deep link. You will receive this error message:
Citrix confirms this behavior in https://support.citrix.com/article/CTX319685. After some research and analysis of the SAML relay state (with the SAML panel for Chrome), I extracted the relay state from the response and decoded it with https://www.base64decode.org/
Just copy the content of the RelayState and paste it into the decode input field:
Here we can see that there is nothing in the encoded content that identifies the hostname.
From this point, we have to extend the rule with the following expression:
AAA.LOGIN.RELAYSTATE.EQ("https://gateway.example.com/") || (AAA.LOGIN.RELAYSTATE.LENGTH.EQ(0) && HTTP.REQ.HOSTNAME.EQ("gateway.example.com"))
The second part of the expression ensures that the relay state is empty (length = 0) but the requested hostname is equal to the expected gateway hostname. From a security perspective this should meet everything needed to mitigate CVE-2020-8300.
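To see how the two clauses of the extended expression behave across the cases discussed above (main URL, bookmark with an empty relay state, and a relay state or hostname that does not belong to the gateway), here is an added Python model. It is not Citrix code and not from the article: `strict_rule` mirrors the original check from CTX316577, `extended_rule` mirrors the expression above, `decode_relay_state` does locally what the base64 web tool does, and every relay-state value and hostname is constructed for illustration.

```python
"""Model of the Citrix ADC relay-state check discussed above.

Added illustration, not ADC code. The functions mirror the policy
expressions from the article; all sample values are constructed.
"""
import base64
from dataclasses import dataclass

# Values the article's expression hard-codes (example gateway, not a real host)
EXPECTED_RELAY = "https://gateway.example.com/"
EXPECTED_HOST = "gateway.example.com"


@dataclass(frozen=True)
class LoginRequest:
    relay_state: str  # stands in for AAA.LOGIN.RELAYSTATE
    hostname: str     # stands in for HTTP.REQ.HOSTNAME


def strict_rule(req: LoginRequest) -> bool:
    """Original check: AAA.LOGIN.RELAYSTATE.EQ("https://gateway.example.com/")."""
    return req.relay_state == EXPECTED_RELAY


def extended_rule(req: LoginRequest) -> bool:
    """Extended check: strict clause OR
    (AAA.LOGIN.RELAYSTATE.LENGTH.EQ(0) && HTTP.REQ.HOSTNAME.EQ("gateway.example.com")).
    The hostname comparison is exact, so a different host never satisfies it."""
    if strict_rule(req):
        return True
    return len(req.relay_state) == 0 and req.hostname == EXPECTED_HOST


def decode_relay_state(encoded: str) -> str:
    """Local equivalent of pasting the RelayState into a base64 decoder.
    Accepts URL-safe alphabets and missing '=' padding."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded, altchars=b"-_").decode("utf-8", errors="replace")


# Constructed requests covering the cases from the article
CASES = {
    "main_url":          LoginRequest(EXPECTED_RELAY, EXPECTED_HOST),
    "bookmark_no_relay": LoginRequest("", EXPECTED_HOST),
    "foreign_relay":     LoginRequest("https://other.example.net/", EXPECTED_HOST),
    "foreign_host":      LoginRequest("", "other.example.net"),
}

# Constructed RelayState blob: base64 of "ctx=1234", which carries no hostname
SAMPLE_RELAY_STATE = "Y3R4PTEyMzQ="


def evaluate(rule):
    """Apply one rule to every constructed case; returns {case_name: allowed}."""
    return {name: rule(req) for name, req in CASES.items()}


if __name__ == "__main__":
    print("decoded relay state:", decode_relay_state(SAMPLE_RELAY_STATE))
    for name, rule in (("strict", strict_rule), ("extended", extended_rule)):
        print(f"{name:8s}", evaluate(rule))
```

Running it shows the difference the second clause makes: the strict rule rejects the bookmark case (empty relay state), while the extended rule accepts it only when the request hostname is the gateway itself and still rejects a relay state or hostname that points elsewhere.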
Marco Klose works as a Technical Consultant, Architect and CTO focused on application and desktop virtualization as well as application delivery with the Citrix product portfolio. He specializes in Citrix virtualization, Citrix networking and Microsoft products. He has 10+ years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he has also been a Citrix Technology Advocate (CTA).