VIP Authentication Hub - FIDO Authentication failure (Mobile)

Article ID: 263137

Products

VIP Authentication Hub

Issue/Introduction

The "SelectedFactor" API throws an error in the backend and asks the user to proceed to the Password_Auth step.

When a policy with obligations {FIDO:1, PUSH:1} is used and the user selects 'FIDO' in the /selectFactor API, AuthHub asks the user to register a new FIDO credential even though the user already has one.

With the policy changed to the obligation {FIDO:1}, it works fine.

This issue is seen only with the latest patch of drop 9.


Environment

Release: Drop 9

Resolution

The Drop 9 release added additional domain checks for security.

AuthHub now checks the Host header of the client request and compares it with the host that the FIDO credentials were registered against.

If the domain does not match, AuthHub redirects the user to register the FIDO credentials again.

To address this issue, the client Host header must match the domain that AuthHub is registered with.
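The following is an added example, not AuthHub's own code: a minimal model of the Drop 9 check that compares a request's Host header with the domain the FIDO credential was registered against, plus a batch check a defender can run over request logs to spot a proxy that rewrites the Host header. It assumes an exact host match (the strict reading of the article); the host names, ports and request records are constructed.

```python
"""
Added example (not AuthHub's code): a minimal model of the Drop 9 check,
comparing the Host header of an incoming request with the domain the FIDO
credential was registered against. Assumptions: an exact host match is
required, and the host names/ports below are constructed samples.
"""
from urllib.parse import urlsplit


def effective_host(host_header: str) -> str:
    """Normalise a Host header value for comparison: lower-case, drop any
    port and any trailing dot. Parsing it as a URL authority also handles
    IPv6 literals such as [::1]:443."""
    parts = urlsplit("//" + host_header.strip())
    return (parts.hostname or "").rstrip(".").lower()


def credential_usable(host_header: str, registered_domain: str) -> bool:
    """True when the request host equals the registration domain."""
    return effective_host(host_header) == effective_host(registered_domain)


def next_step(host_header: str, registered_domain: str) -> str:
    """Where the user is sent: authenticate with the existing credential,
    or (on a domain mismatch) register a new one."""
    if credential_usable(host_header, registered_domain):
        return "FIDO_AUTH"
    return "FIDO_REGISTER"


def host_mismatches(requests: list, registered_domain: str) -> list:
    """Defender-side check over a batch of requests (e.g. from access logs):
    returns the ones whose Host header would trigger re-registration, which
    usually points at a proxy rewriting Host rather than at the user."""
    return [r for r in requests if not credential_usable(r["host"], registered_domain)]


REGISTERED_DOMAIN = "my.vanity.fqdn"  # domain the credential was registered against

# Constructed sample requests: one from a proxy that preserves Host (Action 1),
# one from a proxy that rewrote Host to an internal service name (assumed name),
# one with different case and a trailing dot that still normalises correctly.
SAMPLE_REQUESTS = [
    {"id": 1, "host": "my.vanity.fqdn:443"},
    {"id": 2, "host": "ssp.internal.example"},
    {"id": 3, "host": "MY.Vanity.FQDN."},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], r["host"], "->", next_step(r["host"], REGISTERED_DOMAIN))
```

Request 2 is the failure mode the article describes: the credential exists, but because the Host header reaching SSP names an internal host, the user is pushed to FIDO_REGISTER.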

This can be done either by re-deploying AuthHub with the domain name used by external clients, or by creating a vanity Ingress FQDN to be used by the API, as follows:

*** Action 1 --> set any network device that sits in front of the Ingress to preserve the client's Host header when passing the request to SSP

*** Action 2 --> a change is also needed on the SSP side to register the external host.

Instead of redeploying SSP with the external host name, you can use the vanity Ingress and add the external FQDN to it.

The steps to add a vanity ingress are listed here --> 

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2022-Oct/operating/expose-end-user-operations-on-vanity-ingress.html


*** Action 3 --> once you have added the vanity Ingress to the deployment, make sure to change your URL to use "common" instead of the default tenant name:

GET https://my.vanity.fqdn/common/.well-known/openid-configuration
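As an added verification step (example code, not AuthHub's own), the check below builds the Action 3 discovery URL with the "common" tenant path and then inspects a discovery document for endpoints that are not rooted at the vanity FQDN. It assumes standard OIDC discovery field names and that the server derives its advertised URLs from the request Host, which the article's description of the Host check suggests but does not state; the sample documents and endpoint paths are constructed placeholders.

```python
"""
Added example (not AuthHub's code): sanity-check the discovery document
served through the vanity Ingress after Action 3. Assumptions: standard OIDC
discovery field names; advertised URLs follow the request Host; the expected
FQDN is the vanity Ingress FQDN from the article (my.vanity.fqdn).
"""
import json
from urllib.parse import urlsplit

# Fields whose URLs should all be rooted at the vanity FQDN.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(vanity_fqdn: str, tenant: str = "common") -> str:
    """Build the discovery URL exactly as Action 3 describes, with the
    "common" tenant path instead of the default tenant name."""
    return f"https://{vanity_fqdn}/{tenant}/.well-known/openid-configuration"


def discovery_mismatches(doc_text: str, expected_fqdn: str) -> list:
    """Return (field, host) pairs whose host differs from the vanity FQDN.
    An empty list means every advertised endpoint will be reached with the
    same Host header the client sent, so the FIDO domain check can pass."""
    doc = json.loads(doc_text)
    bad = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if not value:
            continue
        host = (urlsplit(value).hostname or "").lower()
        if host != expected_fqdn.lower():
            bad.append((field, host))
    return bad


# Constructed sample response; endpoint paths are placeholders, not real AuthHub paths.
GOOD_DOC = json.dumps({
    "issuer": "https://my.vanity.fqdn/common",
    "authorization_endpoint": "https://my.vanity.fqdn/common/authorize",
    "token_endpoint": "https://my.vanity.fqdn/common/token",
    "jwks_uri": "https://my.vanity.fqdn/common/jwks",
})

# Constructed sample of what a document might look like when the device in
# front of the Ingress rewrote Host to an internal name (assumed name).
LEAKY_DOC = json.dumps({
    "issuer": "https://ssp.internal.example/common",
    "authorization_endpoint": "https://ssp.internal.example/common/authorize",
    "token_endpoint": "https://my.vanity.fqdn/common/token",
})

if __name__ == "__main__":
    print(discovery_url("my.vanity.fqdn"))
    print("good:", discovery_mismatches(GOOD_DOC, "my.vanity.fqdn"))
    print("leaky:", discovery_mismatches(LEAKY_DOC, "my.vanity.fqdn"))
```

Fetch the document with the client's real Host header (for example through the same path the mobile app uses) and feed the body to discovery_mismatches; any entry returned means the Host header is still being rewritten somewhere before SSP, and Action 1 has not taken effect.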