OIDC KID is Different Across Policy Servers, JWS Validation is failing


Article ID: 198848

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

Customer has policy stores in two different data centers that do not replicate. The KID used in OIDC configurations is not the same for all requests, so the application's JWS validation fails intermittently depending on which policy store serves the transaction.


Cause

Policy stores participating in a single SSO environment should be replicated so that the XIDs of all objects match across stores.

Environment

Release : 12.8.x

Component : SITEMINDER - POLICY SERVER

Resolution

The KID is set to the XID of the signing certificate. Because the customer is not replicating between policy stores, each store assigns its own XID to the certificate, so the KID differs depending on which policy store serves the transaction.
SiteMinder itself handles this, but it causes a problem for the application that attempts to validate the JWS token, since the key it looks up by KID is not found for tokens issued through the other store. The recommended fix is to replicate the policy stores so that object XIDs always match. Short of this, the customer can manually update one of the policy stores (using any LDAP client) so that the signing certificate XIDs match between the stores, making the KIDs match and avoiding this problem.
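The failing step on the application side is the lookup of the token's `kid` header against the keys it knows. The following added diagnostic (not part of this article or of SiteMinder) decodes the JWS protected header from tokens issued through each data center and reports any `kid` the application's JWKS does not contain; the tokens, XID values and JWKS are constructed placeholders.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """JWS omits base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(kid: str) -> str:
    """Build a constructed JWS with the given kid. The signature segment is a
    placeholder: only the protected header matters for the kid lookup shown here."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "user1"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


def extract_kid(jws: str) -> str:
    """Return the kid from a JWS compact serialization without verifying it."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[0])).get("kid")


def unmatched_kids(tokens, jwks) -> list:
    """kids seen in tokens that the application's JWKS cannot resolve.
    A non-empty result is the symptom described above: tokens issued through
    the other, non-replicated policy store carry a kid the app does not know."""
    known = {key["kid"] for key in jwks["keys"]}
    return sorted({extract_kid(t) for t in tokens} - known)


# Constructed samples: the same signing certificate, but each data center's
# policy store assigned its own XID, so the kids differ (placeholder values).
TOKEN_DC1 = make_token("dc1-xid-placeholder")
TOKEN_DC2 = make_token("dc2-xid-placeholder")
# The application's JWKS only knows the key as published by data center 1.
JWKS = {"keys": [{"kty": "RSA", "kid": "dc1-xid-placeholder", "n": "...", "e": "AQAB"}]}

if __name__ == "__main__":
    print("unresolvable kids:", unmatched_kids([TOKEN_DC1, TOKEN_DC2], JWKS))
```

Run against tokens captured from both data centers; once the stores are replicated or the signing certificate XIDs are aligned manually, the list should be empty.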