I have a Juniper SA2500 running 6.4.R2
I have configured a resource for the web interface, and without SSO all works fine; however, if I configure SSO the initial Web interface page just keeps reloading.
Using a web application resource.
Nfuse version 5 chosen
Maybe you are using Citrix Embedded client with Java ICA delivery on the SA?
In this case it would be a known issue:
Known Issues and Limitations in this Release:
The workaround is to change "Embedded client" to Native Client or Client for Java in the Citrix Web Interface configuration: Manage Client Deployment, or choose Non-Java ICA in the SA Resource Profile.
Don't think it's that. This occurs before authentication to the webinterface and happens with IE8 and Firefox 3.5.
I think it may be to do with the cookie being set, as if I turn off sending the cookie the page doesn't constantly reload anymore. (However, the auth doesn't work either and you're just presented with the standard auth page.)
Using IVE 6.5r2 and Citrix WI 5.1.1 we had to do the following on our test box:
- use the template for WI 5.1
- enable SSO, fill in domain name
- enable "Allow multiple POSTs to this resource"
- add field (Label="State", Name="state", Value="LOGIN", modifiable="not modifiable")
- disable "Send the following data as request headers"
- remove cookie
We got those steps from our Juniper technical support.
I was getting a similar problem - never showed my Citrix applications, just constantly looping trying to load the page. I had the POST variables either in the wrong order, or missing capitalizations (changed both at the same time so no idea which fixed it).
On 6.4R2 these are the settings I have for the initial SSO, but your WI setup may be different. The actual variables you need to post can be found if you do a packet capture of logging on to the webinterface successfully internally - you'll see a POST packet with all the variables you're sending.
"deny direct login for this resource" and "Allow multiple POSTs to this resource" are both unticked
Label - Name - Value
User - user - <USER>
Password - password - <PASSWORD>
Domain - domain - yourdomainhere
LoginType - LoginType - Explicit
State - state - LOGIN
I've also found that if we let users log off the WI without logging out of Juniper, they get the "click here to log in again" link which gives similar looping. This needs a custom SSO policy with the exact URL as the resource (not the original login URL), and additional POST variables - again, you're best sniffing these off a successful attempt internally.
Addendum - <USER> and <USERNAME> are not the same thing here. We started with <USERNAME> but it didn't work. <USER> was posting just the user's ID (what we wanted) but <USERNAME> was posting domain\userid which the WI rejected.
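As an added example (not part of the original thread or any Juniper or Citrix tooling), the comparison described above between a captured login POST and the fields entered in the SSO policy can be scripted. The captured body and the mis-entered field list below are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl

# Constructed sample: body of a successful internal login POST, as copied out
# of a packet capture. Values are placeholders, not real credentials.
CAPTURED_BODY = "user=jdoe&password=REDACTED&domain=EXAMPLE&LoginType=Explicit&state=LOGIN"

# Constructed sample of a mis-entered SSO POST field list (names only):
# order changed, wrong case on LoginType, "state" left out.
CONFIGURED = ["user", "domain", "password", "logintype"]


def captured_fields(body):
    """Return POST field names in the order sent; values are discarded so
    credentials from the capture never end up in the report."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def compare_fields(captured, configured):
    """Classify differences between captured and configured field names."""
    by_lower = {n.lower(): n for n in configured}
    cap_lower = {n.lower() for n in captured}
    report = {"missing": [], "case_mismatch": [], "extra": [], "order_differs": False}
    for name in captured:
        match = by_lower.get(name.lower())
        if match is None:
            report["missing"].append(name)                 # sent by browser, absent in policy
        elif match != name:
            report["case_mismatch"].append((match, name))  # (configured, captured)
    report["extra"] = [n for n in configured if n.lower() not in cap_lower]
    # Compare relative order of the fields both sides have in common.
    cfg_order = [n.lower() for n in configured if n.lower() in cap_lower]
    cap_order = [n.lower() for n in captured if n.lower() in by_lower]
    report["order_differs"] = cfg_order != cap_order
    return report


if __name__ == "__main__":
    result = compare_fields(captured_fields(CAPTURED_BODY), CONFIGURED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because a capture of a login contains the password in clear text, only the field names are kept; delete the capture file once the field list has been checked.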