SiteMinder with VIP Authentication Hub integration failed due to mismatch of tokenIssuer in the Multi Factor Authentication Scheme

Article ID: 251913

Products

SITEMINDER VIP Authentication Hub

Issue/Introduction

The authentication process fails with HTTP Status 500 - Internal Server Error.

The Access Gateway's httpd access log shows the following invalid_request entry:

GET /affwebservices/public/bctokencontroller?error=invalid_request&error_description=Invalid%20id_token_hint...

The tokenIssuer configured in the Multi Factor Authentication scheme does not match the one shown in the VIP Authentication Hub Admin UI.

The SiteMinder Administrative UI shows a wrong or empty tokenIssuer.

The VIP Authentication Hub Admin UI shows the certificate with the correct tokenIssuer.

Environment

Release:
SiteMinder for VIP Authentication Hub build 2824 (12.80.0600.2824)
VIP Authentication Hub: ssp-1.0.2942

Cause

SiteMinder failed to update the tokenIssuer because its call to the VIP Authentication Hub admin/v1/Certs API returned an error response.

Resolution

SiteMinder calls the VIP Authentication Hub admin/v1/Certs API to retrieve the tokenIssuer when an administrator updates the Multi Factor Authentication scheme, i.e. when setting or selecting the secondary authentication scheme. If that API call fails and the administrator saves the Authentication Scheme anyway, the stored tokenIssuer will not match the one in VIP Authentication Hub.

The first step is therefore to determine why the admin/v1/Certs API call failed. In one case the root cause was that the following path definitions were missing from the vanity ingress:

  |admin/v1/Apps.*|admin/v1/AuthPolicies.*|admin/v1/Certs.*|

Run the following kubectl command to check whether admin/v1/Certs is among the paths of the ingress:

kubectl describe ingress <ingress name> -n ssp

e.g.

kubectl describe ingress ssp-ssp-ingress -n ssp

If the admin/v1/Certs.* path is missing, add it to the ingress definition YAML file and re-apply the ingress:

kubectl apply -f <updated ingress yaml file>

Once the API is reachable again, re-select the secondary authentication scheme and save the Multi Factor Authentication scheme in the SiteMinder Administrative UI, so that SiteMinder repeats the admin/v1/Certs call and stores the correct tokenIssuer.

Note: in a production environment this change may cause downtime. Test it in a lower environment first, take a backup, and apply it during a maintenance window.
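The following shell helpers are an added example and are not part of the Broadcom article. They automate the two checks described above: spotting the invalid_request / Invalid id_token_hint entries in the Access Gateway httpd access log, and verifying that the vanity ingress carries the admin/v1/Apps.*, admin/v1/AuthPolicies.* and admin/v1/Certs.* path fragments. The namespace ssp and the ingress name ssp-ssp-ingress are the values used in the article; the sample ingress description and access-log lines are constructed so the checks can run offline, and the host and backend names in them are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the Broadcom article): checks for the two symptoms
# described on this page. Namespace/ingress defaults come from the article;
# the sample texts below are constructed for offline use.

NAMESPACE="${NAMESPACE:-ssp}"
INGRESS="${INGRESS:-ssp-ssp-ingress}"

# Admin API path fragments the article says the vanity ingress must carry.
REQUIRED_ADMIN_PATHS='admin/v1/Apps.*
admin/v1/AuthPolicies.*
admin/v1/Certs.*'

# Print each required path fragment that does not appear (as a fixed string)
# in the given "kubectl describe ingress" text. Prints nothing if all present.
missing_admin_paths() {
  desc="$1"
  printf '%s\n' "$REQUIRED_ADMIN_PATHS" | while IFS= read -r p; do
    printf '%s\n' "$desc" | grep -qF -- "$p" || printf '%s\n' "$p"
  done
}

# Return 0 if the ingress text carries the admin/v1/Certs.* path.
ingress_has_certs_path() {
  [ -z "$(missing_admin_paths "$1" | grep -F 'admin/v1/Certs')" ]
}

# Live check against the cluster (needs kubectl access to the namespace).
check_live_ingress() {
  desc="$(kubectl describe ingress "$INGRESS" -n "$NAMESPACE")" || return 2
  missing="$(missing_admin_paths "$desc")"
  if [ -n "$missing" ]; then
    printf 'Missing from ingress %s/%s:\n%s\n' "$NAMESPACE" "$INGRESS" "$missing"
    return 1
  fi
  echo "All admin/v1 paths present on $NAMESPACE/$INGRESS"
}

# Count access-log lines carrying the bctokencontroller redirect with
# error=invalid_request and Invalid id_token_hint (the Issue section signature).
count_id_token_hint_errors() {
  printf '%s\n' "$1" | grep -cF \
    'bctokencontroller?error=invalid_request&error_description=Invalid%20id_token_hint'
}

# Constructed sample of the Rules section of "kubectl describe ingress":
# first the broken ingress without the Certs path, then the repaired one.
# Host and backend names are placeholders.
SAMPLE_INGRESS_MISSING='Rules:
  Host                 Path  Backends
  ssp.example.invalid
                       |admin/v1/Apps.*|admin/v1/AuthPolicies.*|   ssp-admin:8080'
SAMPLE_INGRESS_OK='Rules:
  Host                 Path  Backends
  ssp.example.invalid
                       |admin/v1/Apps.*|admin/v1/AuthPolicies.*|admin/v1/Certs.*|   ssp-admin:8080'

# Constructed Access Gateway httpd access-log lines (two bad, one unrelated).
SAMPLE_ACCESS_LOG='10.0.0.10 - - [01/Jan/2023:10:00:00 +0000] "GET /affwebservices/public/bctokencontroller?error=invalid_request&error_description=Invalid%20id_token_hint HTTP/1.1" 500 -
10.0.0.10 - - [01/Jan/2023:10:00:01 +0000] "GET /affwebservices/public/saml2sso HTTP/1.1" 200 1234
10.0.0.11 - - [01/Jan/2023:10:00:02 +0000] "GET /affwebservices/public/bctokencontroller?error=invalid_request&error_description=Invalid%20id_token_hint HTTP/1.1" 500 -'

# Offline demonstration on the constructed samples.
echo "Missing in broken ingress: $(missing_admin_paths "$SAMPLE_INGRESS_MISSING")"
echo "Missing in repaired ingress: '$(missing_admin_paths "$SAMPLE_INGRESS_OK")'"
echo "id_token_hint errors in sample log: $(count_id_token_hint_errors "$SAMPLE_ACCESS_LOG")"
```

Run check_live_ingress against the cluster after exporting NAMESPACE and INGRESS if they differ from the article's values; a non-zero exit lists the path fragments the ingress is missing. To scan a real log, pass its contents to count_id_token_hint_errors, e.g. count_id_token_hint_errors "$(cat access_log)".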