Multiple vanity host url support for a single tenant in VIP Authentication Hub

Article ID: 259270

Updated On:

Products

VIP Authentication Hub

Issue/Introduction

For our external VIP AuthHub URLs, the well-known OpenID configuration endpoint requires authentication from the azserver, whereas .net does not. When accessing the external URL endpoint from any region, i.e. https://authhub.test.customername.com/common/.well-known/openid-configuration, we see a JSON message in the browser:

{
  "errorCode": "0000003",
  "errorMessage": "Missing Authorization header"
}

And we see Splunk logs from the azserver:

12/12/22
10:04:54.537 AM

{ [-]
   api: /
 clientIp: x.x.x.x
 clientTxnId: null
 level: error
 msg: Current issuerURL:https://authhub.customername.com/common/ is not present in the AT aud claim: [https://authhub.customername.net/default/]
 service: azserver
 thread: https-jsse-nio-8085-exec-6
 tid: ac0f0bc1-f4ed-46b5-b118-ad7463f3438d
 timestamp: 2022-12-12T15:04:54.537568Z
 tname: default
 txnId: c239d0a9-eff9-4613-8d99-0eb80d6e994e
 type: log
 userAgent: Apache-HttpClient/4.5.10 (Java/17.0.5)
 userIp: x.x.x.x

}

 

 

Basically, we have no idea why .com is requiring authentication for the .com well-known endpoint.
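The comparison the azserver log message describes can be reproduced offline when triaging this error. The following Python is an added example, not code from this article or from VIP Authentication Hub; it assumes the access token is a JWT and that the comparison is an exact string match, and the helper names and the sample token are constructed here.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audiences(jwt: str) -> list:
    """Return the aud claim as a list. The signature is NOT verified:
    this is for troubleshooting only, never for an access decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    aud = json.loads(b64url_decode(parts[1])).get("aud", [])
    # RFC 7519 allows aud to be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def check_hosts(jwt: str, issuer_urls: list) -> dict:
    """Map each candidate issuer URL to whether the token's aud lists it.
    Assumption: exact match, no normalisation of host, path or slash."""
    auds = token_audiences(jwt)
    return {url: url in auds for url in issuer_urls}


def make_sample_token(aud) -> str:
    """Build a constructed token with a placeholder signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc({"aud": aud})}.c2ln'


# URLs taken from the log entry above.
COM_ISSUER = "https://authhub.customername.com/common/"
NET_ISSUER = "https://authhub.customername.net/default/"

if __name__ == "__main__":
    token = make_sample_token([NET_ISSUER])  # token minted for the .net host
    for url, present in check_hosts(token, [COM_ISSUER, NET_ISSUER]).items():
        verdict = "present in aud" if present else "NOT present in aud"
        print(f"{url}: {verdict}")
```

A token whose aud lists only the .net issuer fails the check for the .com issuer, which is the condition the log entry reports.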

Environment

Release : Oct.05

Resolution

This was a product limitation: only a single vanity host URL could be configured per tenant, but the customer required more than one for a single tenant. A fix addressing this limitation was added in the VIP AuthHub Oct.05 release. Here are the details for the release.

VIP AuthHub Oct.05 Release Notes