User not able to login when using OpenID with On-Prem AD FS

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA) 4.x

Issue

  • The claims in the oauth do not match the ones configured in the OIDC AD FS.

Resolution

  • The claims configured in OIDCand in the oauth config need to match.

Root Cause

  • The claims in the oauth do not match the ones configured in the OIDC AD FS.

Diagnostic Steps

  • When an user tries to login the following error is observed in the authentication pods:
2023-08-23T11:06:10.165336729Z E0823 11:06:10.165119       1
errorpage.go:28] AuthenticationError: Requested parameter not
sent2023-08-23T11:06:17.836839630Z E0823 11:06:17.836785       1
errorpage.go:28] AuthenticationError: Requested parameter not sent
  1. Verify the claims in the aouth cluster:
$ oc get oauth cluster -o yaml
*
*
*
mappingMethod: claim
    name: OpenID-ADFS
    openID:
      ca:
        name: caXXXXXXXXXXXXX
      claims:
        email:
        - email
        name:
        - name
        preferredUsername:
        - dev
*
*
*
  1. Verify the claims configured/supported in the AD FS side:
https://<FQDN>/adfs/.well-known/openid-configuration
*
*
*
"claims_supported": ["aud",
"iss",
"iat",
"exp",
"auth_time",
"nonce",
"at_hash",
"c_hash",
"sub",
"upn",
"unique_name",
"pwd_url",
"pwd_exp",
"mfa_auth_time",
"sid"
*
*
*

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments