SAML Single Logout with ICA Proxy Mode on NetScaler

In ICA proxy mode, when user logs out from StoreFront the logout does not trigger on NetScaler Gateway or on the IDP. One of the following behaviors will be observed post logout.

1) If the page is refreshed or new tab is opened with NetScaler Gateway url in the same browser session or if “Continue where you left off’ option is enabled on Chrome browser, StoreFront homepage will appear again without any re-authentication.


2) Displays the following message: “Cannot log on using smart card Please close browser to protect your account”

StoreFront when FAS is used, by default prompts Displays the following message after logout: “Cannot log on using smart card” “Please close browser to protect your account

User-added image

There are a few ways to make this message go away but that does not solve the actual problem of the NetScaler Gateway and IDP sessions not getting logged out. From a security standpoint it is not recommended to go for such work-arounds.


  • No Related Posts

Leave a Reply