Multiple vanity host url support for a single tenant in VIP Authentication Hub

Article ID: 259270

Products

VIP Authentication Hub

Issue/Introduction

For your external VIP AuthHub URLs, the well-known OpenID configuration endpoint on the .com host requires authentication from the azserver, whereas the .net host does not. When accessing the external URL endpoint from any region, e.g. https://authhub.test.customername.com/common/.well-known/openid-configuration, you see a JSON message in the browser:

{
  "errorCode": "0000003",
  "errorMessage": "Missing Authorization header"
}

The Splunk logs from the azserver show the following event:

12/12/22
10:04:54.537 AM

{
  api: /
  clientIp: #.#.#.#
  clientTxnId: null
  level: error
  msg: Current issuerURL:https://authhub.example.com/common/ is not present in the AT aud claim: [https://authhub.example.net/default/]
  service: azserver
  thread: https-jsse-nio-8085-exec-6
  tid: ###########
  timestamp: 2022-12-12T15:04:54.537568Z
  tname: default
  txnId: #############
  type: log
  userAgent: Apache-HttpClient/4.5.10 (Java/17.0.5)
  userIp: #.#.#.#
}

Why does the .com host require authentication for its own well-known endpoint?
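
A triage helper for the azserver message shown above, added here as an example and not part of the original article or the product: it parses the `msg` field of exported log events and separates requests whose issuer host is absent from the token's `aud` claim from those where only the path differs. The function names and the second and third sample messages are constructed for this example, and it assumes multiple `aud` entries would be comma-separated inside the brackets.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Message layout taken from the azserver log event shown in this article.
MSG_RE = re.compile(
    r"Current issuerURL:(?P<issuer>\S+) is not present in the AT aud claim: "
    r"\[(?P<aud>[^\]]*)\]"
)

def parse_mismatch(msg):
    """Return details of an issuer/aud mismatch message, or None if msg is unrelated."""
    m = MSG_RE.search(msg)
    if m is None:
        return None
    issuer = urlsplit(m.group("issuer"))
    # Assumption: several aud values, if present, are comma-separated.
    auds = [urlsplit(a.strip()) for a in m.group("aud").split(",") if a.strip()]
    return {
        "issuer_host": issuer.hostname,
        "aud_hosts": sorted({a.hostname for a in auds if a.hostname}),
        # True when the request arrived on a host that no aud entry names,
        # which is the multiple-vanity-host symptom this article describes.
        "host_mismatch": all(a.hostname != issuer.hostname for a in auds),
        # True when the path (for example /common/ vs /default/) also differs.
        "path_mismatch": all(a.path != issuer.path for a in auds),
    }

def summarize(messages):
    """Count host-mismatch events per (issuer host, aud hosts) pair."""
    counts = Counter()
    for msg in messages:
        info = parse_mismatch(msg)
        if info and info["host_mismatch"]:
            counts[(info["issuer_host"], tuple(info["aud_hosts"]))] += 1
    return counts

# Constructed sample input: the first message is the one from the article,
# the other two are made up for this example.
SAMPLE = [
    "Current issuerURL:https://authhub.example.com/common/ is not present "
    "in the AT aud claim: [https://authhub.example.net/default/]",
    "Current issuerURL:https://authhub.example.net/common/ is not present "
    "in the AT aud claim: [https://authhub.example.net/default/]",
    "Token validated",
]

if __name__ == "__main__":
    for pair, n in summarize(SAMPLE).items():
        print(n, pair)
```
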

Environment

Release : Oct.05

Cause

This is a product limitation: only a single vanity host URL can be configured per tenant.

Resolution

A fix was added in the VIP AuthHub Oct.05 release to address this limitation.