Authentication Hub error "There are no obligations to request, returning AUTH

Products

VIP Authentication Hub

Issue/Introduction

You get an error when attempting to login via SiteMinder. Sometimes it works in Chrome, fails in Edge, or works in Edge and fails in Chrome.

What does "There are no obligations to request, returning AUTH_DENIED" mean?

12/2/22
1:59:48.320 PM

{ [-]
   api: /auth/v1/authenticate
   appId: ########################
   appName: Siteminder QA YLD and PL1
   auth-mgr-auth-ext-aal:
   auth-mgr-auth-ext-acr:
   auth-mgr-auth-ext-amr:
   auth-mgr-auth-ext-appName: Siteminder QA YLD and PL1
   auth-mgr-auth-ext-appURL:
   auth-mgr-auth-ext-deviceType: web
   auth-mgr-auth-ext-policyName: [SiteMinder ]
   auth-mgr-auth-ext-sid:

   auth-mgr-auth-ext-userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62

   clientId: ########################
   clientIp: 10.246.21.118
   clientTid: ########################
   clientTxnId: ########################
   effectiveClientId: ########################
   effectiveClientTid: ########################
   eventId: auth-mgr.auth.failure
   flowStateId: null
   geo.city_name: UNKNOWN
   geo.country_name: UNKNOWN
   geo.location: { [+]
   }
   geo.state_name: UNKNOWN
   guid: ########################
   httpMethod: POST
   msg: AUTH DENIED
   relVersion: 1.0
   requestedUserIpToBeAuditedByApp:
   responseCode: 200 OK
   service: authmgr
   sid:
   sub: ########################
   subType: USER
   tid: ########################
   timestamp: 2022-12-02T18:59:48.319682Z
   tname: default
   txnId: ########################
   type: audit

   userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62

   userDN: uid=example,cn=People,ou=Internal,o=###
   userGuid:
   userIdpGuid:########################
   userIp: 10.246.21.118
   userLoginId: example
   userLoginIdAttributeMappingName: user_loginid
   userRiskLevel:
   userRiskScore: 0
   userUniversalId: example
}

12/2/22
1:59:48.299 PM

{ [-]
   api: /auth/v1/authenticate
   appId:########################
   appName: Siteminder QA YLD and PL1
   clientId: ########################
   clientIp: 10.246.21.118
   clientTid: ########################
   clientTxnId: ########################
   flowStateId: null
   httpMethod: POST
   level: info
   msg: There are no obligations to request, returning AUTH_DENIED
   relVersion: 1.0
   requestedUserIpToBeAuditedByApp: null
   service: authmgr
   sid:
   sub: null
   subType: USER
   thread: https-jsse-nio-8086-exec-9
   tid: ########################
   timestamp: 2022-12-02T18:59:48.299798Z
   tname: default
   txnId: ########################
   type: log

   userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62

   userGuid:
   userIp: 10.246.21.118
   userLoginId: example
   userRiskLevel:
   userRiskScore: 0
   userUniversalId:
}

Environment

Release : Oct.02 Release

Resolution

The messages:

msg: Inline enrollment is disabled, checking for available obligations
msg: There are no obligations to request, returning AUTH_DENIED

are in the logs because the auth policy is requiring a factor, but the user is not enrolled with that factor, or the request does not match with any policies. We will require the export of the policies to analyze which factor is required by the policy.