Citrix Cloud (DaaS) Users Getting 500 Error on accounts.cloud.com

[Jeremiah Alger]

Good Morning,

We currently use Citrix DaaS only and use Okta for our multi factor authorization. For the past couple of days, some users are getting a 500 ERROR when Citrix tries to redirect to accounts.cloud.com

 

The only way we can get the users back up and running is to clear cache and cookies, reset the browser, and restart the browser. This is only a temp fix because the issue comes right back if the user logs out of Citrix. The user workflow looks like this:
 go to company.cloud.com -> redirects to company.okta.com -> user auths in -> user clicks on Workspace icon that takes them to company.cloud.com

 

Somewhere in the middle of this redirect, the user gets stuck on accounts.cloud.com with a 500 error and sometimes they passed that error and Workspace loads but there are no Desktops or Published apps available. Has anyone seen this before? There have been no changes to the configuration of Citrix Cloud or Okta, this all started on Friday 3-3-2023. Any help is greatly appreciated. I have tickets open with Citrix and Okta but nothing has resolved the issue so far. 

 

[Jeff Riechers]

What are you using for the logout URL on Okta?  Are you using SAML, or Okta for the configuration in Citrix Cloud?

[Jeremiah Alger]

7 minutes ago, Jeff Riechers1709152667 said:

What are you using for the logout URL on Okta?  Are you using SAML, or Okta for the configuration in Citrix Cloud?

Sign-in redirect URIs -> https://accounts.cloud.com/core/login-okta 
Sign-out redirect URIs -> https://company.cloud.com 
Initiate login URI -> https://accounts.cloud.com/core/login-okta 

We are using OKTA OIDC (OpenID Connect) not SAML

[Tom Burns1709163841]

We are having the same issue; however, the error we get is xenapp.cloud.com redirected you to many times.  This started on 03/09/23.  Today, I could get in after clearing all cookies, and browsing history informatio, closing the browser, relaunching, going to https://citrix.cloud.com,and selecting Manage DaaS.  I was then prompted for my credentials, MFA code, and was able to access DaaS.  

[Jeff Riechers]

2 hours ago, Tom Burns1709163841 said:

We are having the same issue; however, the error we get is xenapp.cloud.com redirected you to many times.  This started on 03/09/23.  Today, I could get in after clearing all cookies, and browsing history informatio, closing the browser, relaunching, going to https://citrix.cloud.com,and selecting Manage DaaS.  I was then prompted for my credentials, MFA code, and was able to access DaaS.  

 

This is a Citrix side issue, some of my team are affected as well.  They are working on it.

[Callan Halls-Palmer1709163633]

I have exactly the same issue but we are integrating with Azure AD (with Duo 2FA via Conditional Access) and FAS for SSO. 

[Mike_B]

I am in the middle of a piece of work to get my company authenticating via Okta SAML as well.   I have really only just started on it, but I have noticed that if we point a thin client at the cloud login page when it's configured for Okta, it works if you sign in immediately but not if you leave it a minute or two.  It's like something has a very short timeout on the Citrix side.

 

Funnily enough I came across this thread while trying to see if there was a timeout setting somewhere, because our thin clients will sit quite happily on a username/password screen for days, and still login fine when someone sits down to use them.  But when it's configured for Okta, that doesn't work and users get the same message screen as the OP.

[Mike_B]

Has anyone got any updates on this?   Ignoring my post above about thin clients, we are having the same issue as the OP now.    Sign in at the Okta screen seems to work, but we just get error 500 on the next page as it hands back to Citrix Cloud.   That is regardless of client type, it is the same on laptop or Wyse thin client.

 

Very frustrating, especially as we recently got approval from Security here to implement FAS, which I have built but now can't test.

[Jeff Riechers]

That sounds like an issue with the callback URL on Okta.  If the same issue happens in Windows Browsers, Windows Workspace, and Thin client Workspace then it is probably something with that call back url.

 

Are you initiating through cloud.com address, or are you going straight to an okta url first.

[Mike_B]

4 hours ago, Jeff Riechers1709152667 said:

That sounds like an issue with the callback URL on Okta.  If the same issue happens in Windows Browsers, Windows Workspace, and Thin client Workspace then it is probably something with that call back url.

 

Are you initiating through cloud.com address, or are you going straight to an okta url first.

 

Could you just clarify what you mean by 'callback URL'?   I have re-read the implentation docs and that phrase never appears.  You mean the signout URI?

 

Initiating via cloud.com.   My process is normal, I think...  I  go to xxxxxx.cloud.com, it redirects to our Okta page for signin and MFA, then goes back to cloud.com.   Except it never properly gets there, we just get the error page.

 

I spoke with support today and they have taken some log files and engineering are looking at it.  Slightly concerningly, the guy did say they'd seen this before.

[Jeff Riechers]

I unfortunately can't jump into my okta environment, but I could check my Azure AD settings though so it should be close.

 

You are looking at the reply URL in the SAML application. For Citrix cloud it is https://saml.cloud.com/saml/acs if you are doing SAML.

 

What is the URL that is showing on the browser that throws the 500 error?

[Mike_B]

Am pretty sure it's configured correctly - I read the documentation again, and had my Okta admin screenshot what is set in Okta, and it all lines up.

 

When the error appears, the URL showing is https://accounts.cloud.com/core/login-okta

[Jeff Riechers]

Ok, the intermittence of this I am probably going to put down to something on the Citrix side.    Unfortunately we don't get much info on this on the outside world, you are stuck working with Citrix support directly.

[Jeremiah Alger]

On 7/6/2023 at 7:54 AM, Jeff Riechers1709152667 said:

Ok, the intermittence of this I am probably going to put down to something on the Citrix side.    Unfortunately we don't get much info on this on the outside world, you are stuck working with Citrix support directly.

That is what it ended up being for us as well. It was on the Citrix side and cleared itself up after about a week of seeing this.

[Jeremiah Alger]

On 7/6/2023 at 6:54 AM, Michael Burnstead1709159565 said:

Am pretty sure it's configured correctly - I read the documentation again, and had my Okta admin screenshot what is set in Okta, and it all lines up.

 

When the error appears, the URL showing is https://accounts.cloud.com/core/login-okta

Best thing to do is make Citrix aware of the issue you are having, but most likely this is on their end. Like I said in the previous reply, it cleared itself up and was on their end.