For your external VIP AuthHub URLs, the well-known OpenID configuration endpoint on the .com host requires authentication from the azserver, whereas the .net host does not. When you access the external URL endpoint from any region, i.e. https://authhub.test.customername.com/common/.well-known/openid-configuration, you see a JSON message in the browser:
{
"errorCode": "0000003",
"errorMessage": "Missing Authorization header"
}
You also see Splunk logs from the azserver like the one below:
12/12/22 10:04:54.537 AM |
{ [-] |
Why does the .com host require authentication for its well-known endpoint?
Release: Oct.05
This is a product limitation: only a single vanity host URL can be configured per tenant.
A fix was added in the VIP AuthHub Oct.05 release to address this limitation.
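
To confirm the behaviour on each external host before and after upgrading, the following added example (not Broadcom's code) classifies the unauthenticated response from each discovery URL, separating the "Missing Authorization header" error above from a valid discovery document. It goes slightly beyond the page by also applying the OpenID Connect Discovery rule that the returned issuer must match the URL that was fetched. The .net hostname, the 401 status, the jwks_uri value and the sample bodies are constructed assumptions.

```python
import json
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

def classify(url, status, body):
    """Return 'ok', 'auth_required', 'issuer_mismatch' or 'invalid'."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    # Error body quoted on this page: the endpoint was treated as protected.
    if doc.get("errorCode") == "0000003":
        return "auth_required"
    if status != 200 or "issuer" not in doc or "jwks_uri" not in doc:
        return "invalid"
    # OIDC Discovery: issuer + WELL_KNOWN must equal the URL that was fetched.
    if str(doc["issuer"]).rstrip("/") + WELL_KNOWN != url:
        return "issuer_mismatch"
    return "ok"

def fetch(url, timeout=10):
    """Unauthenticated GET; returns (status, body) even for 4xx/5xx replies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check(urls, fetcher=fetch):
    """Map each discovery URL to its classification."""
    return {u: classify(u, *fetcher(u)) for u in urls}

# Constructed sample responses (not captured from a real tenant).
COM = "https://authhub.test.customername.com/common" + WELL_KNOWN
NET = "https://authhub.test.customername.net/common" + WELL_KNOWN  # assumed host
SAMPLES = {
    COM: (401, '{"errorCode": "0000003", "errorMessage": "Missing Authorization header"}'),
    NET: (200, json.dumps({"issuer": NET[: -len(WELL_KNOWN)],
                           "jwks_uri": "https://authhub.test.customername.net/jwks"})),
}

if __name__ == "__main__":
    # Offline run against the constructed samples; drop fetcher= to probe live hosts.
    for url, verdict in check(SAMPLES, fetcher=SAMPLES.get).items():
        print(verdict, url)
```

Calling check() with a list of your own discovery URLs and the default fetcher performs the live check; every external host should report ok once the fix is in place.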