
OIDC KID is Different Across Policy Servers, JWS Validation is failing


Article ID: 198848


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER


The customer has policy stores in two different data centers that do not replicate to each other. The KID (the "kid" key identifier in the JWS header) used in the OIDC configuration therefore does not match across all requests, so the application's JWS validation fails intermittently, depending on which policy store is invoked for the transaction.



Policy stores participating in a single SSO environment should be replicated so that the XIDs of all objects match.  


Release : 12.8.x



The KID is set to the XID of the signing certificate object in the policy store. Because the customer is not using replication between the policy stores, each store holds the signing certificate under its own XID, so the KID differs depending on which policy store is invoked for the transaction.
SiteMinder itself tolerates this, but it causes a problem for the application that validates the JWS token, because that validation depends on the KID matching a known signing key. The best fix is to replicate the policy stores so that object XIDs always match. Short of that, the customer can manually update one of the policy stores (using any LDAP client) so that the signing certificate's XID matches between the stores; the KIDs then match and the problem is avoided.
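The following is an added illustration of the failure mode described in this article; it is not SiteMinder code and not part of the original article. It models two policy servers that share one signing key but advertise it under different KIDs (the per-store XIDs), and a relying application that, as JWS libraries normally do, selects the verification key by the kid header. To stay dependency-free it uses HS256 rather than the certificate-based signature SiteMinder produces; the kid lookup logic is the same. All key material, XID strings, issuer and claim values are constructed for the example. The compare_kids helper is a diagnostic for checking whether two JWKS documents (one fetched from each data center) actually agree on their key identifiers.

```python
"""Added example: why a kid that differs per policy store breaks JWS validation.

Constructed, stand-alone demonstration (not SiteMinder code). HS256 is used
only so this runs with the standard library; the kid-lookup behaviour is the
same for RS256 tokens signed with a certificate.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jws(payload: dict, key: bytes, kid: str) -> str:
    """Produce a compact JWS. 'kid' is whatever the issuing policy server
    puts in the header; in the article's case that is the signing
    certificate's XID in *that* server's policy store."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jws(token: str, jwks: dict) -> dict:
    """Verify a compact JWS, resolving the key by the header's kid against a
    JWKS document. Raises KeyError for an unknown kid and ValueError for a
    bad signature, which is how most RP libraries behave."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    keys = {k["kid"]: k for k in jwks["keys"]}
    kid = header.get("kid")
    if kid not in keys:
        raise KeyError(f"unknown kid {kid!r}")
    key = b64url_decode(keys[kid]["k"])
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def classify(token: str, jwks: dict) -> str:
    """Return 'ok', 'unknown_kid' or 'bad_signature' for a token against a JWKS."""
    try:
        verify_jws(token, jwks)
        return "ok"
    except KeyError:
        return "unknown_kid"
    except ValueError:
        return "bad_signature"


def compare_kids(jwks_a: dict, jwks_b: dict) -> dict:
    """Diagnostic: kids present in one policy server's JWKS but not the other.
    A non-empty 'only_in_a' or 'only_in_b' is the symptom in this article."""
    a = {k["kid"] for k in jwks_a["keys"]}
    b = {k["kid"] for k in jwks_b["keys"]}
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": sorted(a & b)}


# Constructed sample data: ONE signing key, but each (non-replicated) policy
# store assigned the certificate object its own XID. XID values are hypothetical.
SIGNING_KEY = b"constructed-shared-signing-secret"
XID_DC1 = "xid-dc1-constructed-0001"  # hypothetical XID in data center 1's store
XID_DC2 = "xid-dc2-constructed-0002"  # hypothetical XID in data center 2's store

JWKS_DC1 = {"keys": [{"kty": "oct", "kid": XID_DC1, "k": b64url(SIGNING_KEY)}]}
JWKS_DC2 = {"keys": [{"kty": "oct", "kid": XID_DC2, "k": b64url(SIGNING_KEY)}]}


def demo() -> dict:
    """Token issued via DC1 validates against DC1's JWKS but not DC2's,
    even though the key bytes are identical: the kid does not match."""
    claims = {"sub": "user1", "iss": "https://sso.example.com"}  # constructed
    token_from_dc1 = sign_jws(claims, SIGNING_KEY, XID_DC1)
    return {
        "against_dc1": classify(token_from_dc1, JWKS_DC1),
        "against_dc2": classify(token_from_dc1, JWKS_DC2),
        "kid_diff": compare_kids(JWKS_DC1, JWKS_DC2),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as-is to see the token accepted by one key set and rejected with an unknown kid by the other. In a real deployment, feed compare_kids the JWKS fetched from each data center's policy server; once the stores are replicated (or the certificate's XID is made identical by hand, as the article describes) the "only_in_a" and "only_in_b" lists come back empty.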