Error: OIDC User unknown is not authenticated by Policy Server in OpenID Connect



Article ID: 136928


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction


When CA Access Gateway (SPS) protects a resource with the OpenID Authentication Scheme and the user enters credentials, the authentication request fails at the Policy Server level, and CA Access Gateway (SPS) reports the error:

    [08/29/2019][12:51:29][19184][15608][][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.]
 

Environment

 

Policy Server 12.8
CA Access Gateway (SPS) 12.8

 

Cause


The traces show that the Policy Server cannot perform OpenID discovery against the provider URL defined in the openid.fcc file for the backend OpenID Connect provider. CA Access Gateway (SPS) passes the request to the Policy Server, which fails the discovery step and rejects the user:

sps-trace.log:

  [09/12/2019][11:59:54][11876][18608][][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.]

smtracedefault.log:

  [09/12/2019][11:59:50.557][11:59:50][18484][2004][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][][][/Openidtest/test.html][][][][][][][][][][][][][][][][][][Authenticating user.]

  [...]

  [09/12/2019][11:59:54.631][11:59:54][18484][2004][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][Discovery failed for the identifier https://mybackendserver.example.com/auth/realms/bpcode/protocol/openid-connect/auth?client_id=oidctest

  [...]

  ][SMAuthOpenID:preAuthenticate: Discovery failed for the identifier https://mybackendserver.example.com/auth/realms/bpcode/protocol/openid-connect/auth?client_id=oidctest
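The following triage script is an added example and is not part of the Broadcom article or of SiteMinder. It scans smtracedefault.log text for the "Discovery failed for the identifier" message, extracts the identifier the Policy Server tried to discover, and reports whether that identifier is a plain OpenID 2.0 identifier (what the OpenID Authentication Scheme expects) or an OpenID Connect authorization endpoint (which the scheme cannot discover). The sample log lines are constructed from the format shown above; the issuer derivation assumes a Keycloak-style URL layout (`<issuer>/protocol/openid-connect/auth`), which the article does not confirm.

```python
"""Triage helper for 'User unknown is not authenticated' / 'Discovery failed'.

Added example, not code from the KB article or from SiteMinder. It reads
Policy Server trace text, pulls out the identifier that failed OpenID
discovery, and classifies it so the operator can see at a glance that an
OIDC authorization endpoint was handed to an OpenID 2.0 authentication
scheme.
"""
import re
from urllib.parse import parse_qs, urlsplit

DISCOVERY_FAILED = re.compile(r"Discovery failed for the identifier (\S+)")

# Constructed sample lines, shaped like the article's smtracedefault.log entries.
SAMPLE_LOG = """\
[09/12/2019][11:59:50.557][11:59:50][18484][2004][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][][][/Openidtest/test.html][][][][][][][][][][][][][][][][][][Authenticating user.]
[09/12/2019][11:59:54.631][11:59:54][18484][2004][SmAuthUser.cpp:775][ServerTrace][][][][][][][][][][][][][][][][][][][][Discovery failed for the identifier https://mybackendserver.example.com/auth/realms/bpcode/protocol/openid-connect/auth?client_id=oidctest
"""

# Query parameters that only appear on OAuth 2.0 / OIDC authorization requests,
# never on an OpenID 2.0 identifier URL.
OAUTH_PARAMS = {"client_id", "response_type", "redirect_uri", "scope"}

# Keycloak-style authorization endpoint suffix (assumption, see lead-in).
KEYCLOAK_AUTH_SUFFIX = "/protocol/openid-connect/auth"


def failed_identifiers(log_text):
    """Return every identifier for which the trace reports a discovery failure."""
    return [m.group(1).rstrip("]") for m in DISCOVERY_FAILED.finditer(log_text)]


def classify_identifier(identifier):
    """Decide whether an identifier is an OpenID 2.0 identifier or an OIDC endpoint.

    Returns a dict with:
      kind       - "openid2" or "oidc_authorization_endpoint"
      issuer     - derived OIDC issuer when the Keycloak layout is recognised
      well_known - the OIDC discovery document URL for that issuer, else None
    """
    parts = urlsplit(identifier)
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/")
    result = {"identifier": identifier, "kind": "openid2",
              "issuer": None, "well_known": None}

    # Heuristics: OAuth-style parameters or a well-known authorization path.
    looks_oidc = bool(OAUTH_PARAMS & query.keys()) \
        or path.endswith(KEYCLOAK_AUTH_SUFFIX) \
        or path.endswith("/authorize")
    if not looks_oidc:
        return result

    result["kind"] = "oidc_authorization_endpoint"
    if path.endswith(KEYCLOAK_AUTH_SUFFIX):
        issuer = f"{parts.scheme}://{parts.netloc}{path[:-len(KEYCLOAK_AUTH_SUFFIX)]}"
        result["issuer"] = issuer
        result["well_known"] = issuer + "/.well-known/openid-configuration"
    return result


def triage(log_text):
    """Classify every failed identifier found in the trace text."""
    return [classify_identifier(ident) for ident in failed_identifiers(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"identifier : {finding['identifier']}")
        print(f"kind       : {finding['kind']}")
        if finding["kind"] == "oidc_authorization_endpoint":
            print("  -> this is an OpenID Connect endpoint; the OpenID (2.0) "
                  "Authentication Scheme cannot discover it")
            if finding["well_known"]:
                print(f"  -> OIDC discovery document would be: {finding['well_known']}")
```

Run it against a real smtracedefault.log by replacing `SAMPLE_LOG` with the file contents; any identifier classified as `oidc_authorization_endpoint` confirms the mismatch described in this article rather than a network or directory problem.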

 

Resolution


The OpenID Authentication Scheme is built for OpenID 2.0 providers and relies on OpenID discovery of the configured identifier. An OpenID Connect (OIDC) provider's authorization endpoint does not answer that discovery, which is why the trace reports "Discovery failed". When the backend Provider is OIDC, the OpenID Authentication Scheme shouldn't be in use.

Instead, configure SiteMinder as an OIDC Client and configure a Federation Journey with the JWT Authentication Scheme on the SiteMinder side (1)(2).

 

Additional Information