OAUTH: " Failed to login the user due to insufficient claims. Please contact your administrator"

Article ID: CTX267037

Description

The customer configured Citrix Gateway as the OAuth IDP for Citrix Workspace (cloud). User authentication on the Gateway completed, but users were then shown the following error:

"Failed to login the user due to insufficient claims. Please contact your administrator"

The attributes (claims) that Citrix Gateway sends as OAuth IDP are logged in /var/log/ns.log on the appliance.

In the log snippet below, the claims that Workspace needs, such as name, upn, email, sid and oid, are all blank in the ID token issued by Citrix Gateway (OAuth IDP); only amr and nonce carry values, and no groups are returned.


ns.log:

Nov 6 13:55:09 <local0.info> XX.XX.XX.XX 06/11/2019:12:55:09 0-PPE-0 : default AAATM Message 3795 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>'s  claims are: sub:\, name:, upn:, email:, ctx_auth_alias:, cip_domain:, cip_forest: sid:, oid:, amr:["otp"], nonce:637085983001757588.Mjg2NWQ2YWMtZDI5OC00ZjQ4LTk0NDQtNTJlM2I1ZmVlNjBlOGQ0NzQ0OWUtNjZlMi00NjI0LWIzMWQtNTNjYzMzY2VkYzk0, familyname:, givename:, domain: , groups len 0
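A quick way to triage this is to parse the OAUTHIDP "claims are:" lines in ns.log and report which claims came back blank. The script below is an added example for this article, not Citrix code. It takes the failing line above plus a constructed healthy line for comparison; the set of claim names it treats as required (sub, name, upn, email, oid, sid) is this example's own mapping of the Active Directory attributes Workspace needs onto the claim names that appear in the log, and the healthy line's values (message number, SID, OID, nonce) are made up.

```python
"""Flag empty claims in Citrix ADC ns.log "OAUTHIDP ... claims are:" lines.

Added example for CTX267037; not Citrix code. It assumes the claims are logged
as "key:value" pairs separated by ", " (one pair, cip_forest/sid, is separated
only by a space in the real log, which the parser also handles).
"""
import re

# Claim names this example treats as required for a Workspace login. Mapping
# the AD attributes Workspace needs (email, display name, UPN, OID, SID) onto
# these claim names is an assumption made for the example.
REQUIRED_CLAIMS = ("sub", "name", "upn", "email", "oid", "sid")

# Isolate the claims list and the trailing "groups len N" counter.
CLAIMS_LINE_RE = re.compile(
    r"claims are:\s*(?P<claims>.*?)(?:,\s*groups len (?P<groups>\d+))?\s*$"
)
# One "key:value" pair; the value runs until the next ", key:" or " key:"
# boundary or the end of the string, so values may be empty or contain ':'.
CLAIM_RE = re.compile(r"(\w+):(.*?)(?=,\s*\w+:|\s+\w+:|$)")
USER_RE = re.compile(r"user:\s*<([^>]*)>")

# Failing line copied from the article.
FAILING_LINE = (
    r"""Nov 6 13:55:09 <local0.info> XX.XX.XX.XX 06/11/2019:12:55:09 0-PPE-0 : """
    r"""default AAATM Message 3795 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>'s  """
    r"""claims are: sub:\, name:, upn:, email:, ctx_auth_alias:, cip_domain:, cip_forest: sid:, """
    r"""oid:, amr:["otp"], nonce:637085983001757588.Mjg2NWQ2YWMtZDI5OC00ZjQ4LTk0NDQtNTJlM2I1ZmVlNjBlOGQ0NzQ0OWUtNjZlMi00NjI0LWIzMWQtNTNjYzMzY2VkYzk0, """
    r"""familyname:, givename:, domain: , groups len 0"""
)
# Constructed healthy line: what the same message looks like once an LDAP
# factor supplies the AD attributes (all values are made up).
HEALTHY_LINE = (
    r"""Nov 6 14:02:31 <local0.info> XX.XX.XX.XX 06/11/2019:13:02:31 0-PPE-0 : """
    r"""default AAATM Message 3801 0 : "OAUTHIDP: CC IDTOKEN: user: <test@example.com>'s  """
    r"""claims are: sub:test@example.com, name:Test User, upn:test@example.com, email:test@example.com, """
    r"""ctx_auth_alias:, cip_domain:example.com, cip_forest:example.com sid:S-1-5-21-1111111111-2222222222-3333333333-1105, """
    r"""oid:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0, amr:["pwd"], nonce:637085987511234567.QWJjZGVm, """
    r"""familyname:User, givename:Test, domain:EXAMPLE, groups len 3"""
)


def parse_claims(line):
    """Parse one OAUTHIDP "claims are:" line.

    Returns (claims, group_count), where claims maps claim name to its value
    (empty string when blank), or None if the line is not a claims line.
    """
    m = CLAIMS_LINE_RE.search(line)
    if not m:
        return None
    claims = {}
    for key, raw in CLAIM_RE.findall(m.group("claims")):
        value = raw.strip()
        if value == "\\":
            # The failing line logs the empty 'sub' as a lone backslash;
            # treat that as blank too.
            value = ""
        claims[key] = value
    groups = int(m.group("groups")) if m.group("groups") is not None else None
    return claims, groups


def missing_required_claims(line):
    """Sorted list of required claims that are blank or absent on this line,
    [] when all are present, or None if it is not a claims line."""
    parsed = parse_claims(line)
    if parsed is None:
        return None
    claims, _groups = parsed
    return sorted(name for name in REQUIRED_CLAIMS if not claims.get(name))


def scan_log(lines):
    """Return (user, missing_claims) for every claims line that lacks a
    required claim; healthy lines and unrelated messages are skipped."""
    findings = []
    for line in lines:
        missing = missing_required_claims(line)
        if missing:
            user = USER_RE.search(line)
            findings.append((user.group(1) if user else "<unknown>", missing))
    return findings


if __name__ == "__main__":
    for user, missing in scan_log([HEALTHY_LINE, FAILING_LINE]):
        print(f"{user}: ID token issued with blank claims {', '.join(missing)} "
              "-> check that an LDAP policy runs on the IDP vserver")
```

Run it against `grep OAUTHIDP /var/log/ns.log` output: a user whose line lists sub, name, upn, email, oid and sid as blank while amr shows only the RADIUS factor is exactly the symptom this article describes, and points at the missing LDAP factor rather than at Workspace.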

Resolution

To resolve this issue, configure an LDAP authentication policy on the Citrix Gateway virtual server that acts as the OAuth IDP, so that the user's Active Directory attributes are read and included as claims in the ID token. RADIUS (or another non-AD factor) can remain the first factor; the LDAP factor follows it and supplies the attributes.

Refer to the Citrix documentation:

https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/workspace-identity.html  (see the Citrix Gateway section, quoted below)

Citrix Gateway

In many organizations, users must authenticate against a RADIUS deployment, like DUO, before authenticating to Active Directory, helping to protect Active Directory credentials.

This configuration requires the authentication policy to first validate a RADIUS authentication. If successful, the authentication flow continues to the next authentication factor, which is LDAP authentication.

Regardless of the type of authentication policy configured, once the user successfully validates their identity, Citrix Gateway must respond to the initial Citrix Workspace request with the user’s Active Directory credentials. For Citrix Workspace to complete the authentication process and to generate a list of authorized resources, each Active Directory user account must have the following parameters defined:

  • Email address
  • Display name
  • Common name
  • sAMAccountName
  • User Principal Name
  • Object Identifier (OID)
  • Security Identifier (SID)

Problem Cause

Root cause: configuration issue.

On the Citrix Gateway acting as OAuth IDP, only a RADIUS authentication policy was configured and no LDAP policy. RADIUS authentication does not look the user up in Active Directory, so the Gateway had no values for the name, upn, email, sid and oid claims and issued an ID token with empty claims to the OAuth SP (Citrix Workspace), which rejected the login as having insufficient claims.