Authentication Hub error - There are no obligations to request, returning AUTH_DENIED

Article ID: 255931

Products

VIP Authentication Hub

Issue/Introduction

So we are getting a weird error when attempting to log in via SiteMinder. Sometimes it works in Chrome and fails in Edge, or works in Edge and fails in Chrome.

What does "There are no obligations to request, returning AUTH_DENIED" mean?

12/2/22 1:59:48.320 PM
{
   api: /auth/v1/authenticate
   appId: 7cb1c508-84c0-4d33-9198-0800baccabe5
   appName: Siteminder QA YLD and PL1
   auth-mgr-auth-ext-aal:
   auth-mgr-auth-ext-acr:
   auth-mgr-auth-ext-amr:
   auth-mgr-auth-ext-appName: Siteminder QA YLD and PL1
   auth-mgr-auth-ext-appURL:
   auth-mgr-auth-ext-deviceType: web
   auth-mgr-auth-ext-policyName: [SiteMinder ]
   auth-mgr-auth-ext-sid:
   auth-mgr-auth-ext-userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
   clientId: 289ddd6a-2ade-42cf-8b27-81f9ea0b57b1
   clientIp: 10.246.21.118
   clientTid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
   clientTxnId: 6c4f7361-968c-44ce-82ff-c4f315b190c5
   effectiveClientId: 289ddd6a-2ade-42cf-8b27-81f9ea0b57b1
   effectiveClientTid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
   eventId: auth-mgr.auth.failure
   flowStateId: null
   geo.city_name: UNKNOWN
   geo.country_name: UNKNOWN
   geo.location: { [+]
   }
   geo.state_name: UNKNOWN
   guid: 133b424d-a1be-41fa-9ad4-91b537994856
   httpMethod: POST
   msg: AUTH DENIED
   relVersion: 1.0
   requestedUserIpToBeAuditedByApp:
   responseCode: 200 OK
   service: authmgr
   sid
   sub: 7fd0cf71-3feb-40e9-81a8-93b443b712c3
   subType: USER
   tid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
   timestamp: 2022-12-02T18:59:48.319682Z
   tname: default
   txnId: 3b0b7e5a-577b-4430-8215-c6dfcc7af27d
   type: audit
   userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
   userDN: uid=XBBLPLM,cn=People,ou=Internal,o=mfc
   userGuid
   userIdpGuid: 911914d4-4509-43d0-bcb1-248a8cd5b0ef
   userIp: 10.246.21.118
   userLoginId: XBB1LPLM
   userLoginIdAttributeMappingName: user_loginid
   userRiskLevel:
   userRiskScore: 0
   userUniversalId: XBB1LPLM
}

12/2/22 1:59:48.299 PM
{
   api: /auth/v1/authenticate
   appId: 7cb1c508-84c0-4d33-9198-0800baccabe5
   appName: Siteminder QA YLD and PL1
   clientId: 0b548cfe-ea64-461e-98ce-cd436669b29d
   clientIp: 10.246.21.118
   clientTid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
   clientTxnId: 6c4f7361-968c-44ce-82ff-c4f315b190c5
   flowStateId: null
   httpMethod: POST
   level: info
   msg: There are no obligations to request, returning AUTH_DENIED
   relVersion: 1.0
   requestedUserIpToBeAuditedByApp: null
   service: authmgr
   sid
   sub: null
   subType: USER
   thread: https-jsse-nio-8086-exec-9
   tid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
   timestamp: 2022-12-02T18:59:48.299798Z
   tname: default
   txnId: 3b0b7e5a-577b-4430-8215-c6dfcc7af27d
   type: log
   userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
   userGuid
   userIp: 10.246.21.118
   userLoginId: XBB1LPLM
   userRiskLevel
   userRiskScore: 0
   userUniversalId
}

Environment

Release : Oct.02 Release

Resolution

msg: Inline enrollment is disabled, checking for available obligations
msg: There are no obligations to request, returning AUTH_DENIED

These messages appear in the logs because either the authentication policy requires a factor that the user is not enrolled with, or the request does not match any policy. We will require an export of the policies to analyze which factor the policy requires.
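
To see how often a denial falls into this case before pulling the policy export, the audit failure can be joined to the log line that shares its txnId, as the two events above do. The following is an added example, not code from the product or this article; it assumes the raw events are available as one JSON object per line with the field names shown above, and every sample value in it is constructed.

```python
import json
from collections import defaultdict

NO_OBLIGATIONS = "There are no obligations to request, returning AUTH_DENIED"
INLINE_OFF = "Inline enrollment is disabled, checking for available obligations"

# Constructed sample events, one JSON object per line. Field names follow the
# log shown on this page; every value is a placeholder.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"type": "log", "txnId": "txn-1", "userLoginId": "alice", "msg": INLINE_OFF},
    {"type": "log", "txnId": "txn-1", "userLoginId": "alice", "msg": NO_OBLIGATIONS},
    {"type": "audit", "txnId": "txn-1", "eventId": "auth-mgr.auth.failure",
     "userLoginId": "alice", "appName": "Example App",
     "auth-mgr-auth-ext-policyName": "[Example Policy]", "msg": "AUTH DENIED"},
    {"type": "audit", "txnId": "txn-2", "eventId": "auth-mgr.auth.failure",
     "userLoginId": "bob", "appName": "Example App", "msg": "AUTH DENIED"},
    {"type": "log", "txnId": "txn-3", "userLoginId": "carol", "msg": NO_OBLIGATIONS},
])

def explain_denials(lines):
    """Join each auth failure audit event to the log lines sharing its txnId."""
    by_txn = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if isinstance(event, dict):
            by_txn[event.get("txnId")].append(event)
    findings = []
    for txn, events in by_txn.items():
        audits = [e for e in events if e.get("type") == "audit"
                  and e.get("eventId") == "auth-mgr.auth.failure"]
        if not audits:
            continue  # no denial was audited for this transaction
        msgs = {e.get("msg") for e in events if e.get("type") == "log"}
        findings.append({
            "txnId": txn,
            "user": audits[0].get("userLoginId"),
            "app": audits[0].get("appName"),
            "policy": audits[0].get("auth-mgr-auth-ext-policyName"),
            "reason": "no-obligations" if NO_OBLIGATIONS in msgs else "other",
            "inline_enrollment_disabled": INLINE_OFF in msgs,
        })
    return findings

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE.splitlines()):
        print(finding)
```

Findings with reason "no-obligations" name the user, application and policy to check for a missing factor enrollment or a request that matched no policy.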