Authentication Policy creation failed with missing principal condition error

Article ID: 273559

Products

VIP Authentication Hub

Issue/Introduction

Creating an Authentication Policy on a new VIP AuthHub 2.1.4 deployment fails with the following error:

'{"errorCode":"8800308","errorMessage":"Missing principal condition"}'

The AuthHub 2.1.4 environment is freshly deployed. We ran a curl command similar to the following (note that -k disables TLS certificate verification of the AuthHub endpoint):

curl --ciphers ALL -sk --location --request POST https://<AuthHub FQHN>/default/admin/v1/AuthPolicies --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <access token>' -d @./siteminder_policy.json

The content of siteminder_policy.json is as follows (the "result" object of the rule must be opened with its own brace, which the original request body was missing):

{
    "policyName": "2FA Policy - siteminder",
    "description": "2FA Policy - siteminder",
    "status": "active",
    "apps": [
        {
            "id": "<app id>"
        }
    ],
    "rules": [
        {
            "conditions": {
                "action": {
                    "operator": "in",
                    "value": [
                        "authenticate"
                    ]
                },
                "channel": {
                    "operator": "in",
                    "value": [
                        "web"
                    ]
                },
                "acr": {
                    "operator": "in",
                    "value": [
                        "urn:iam:acr:aal:otp"
                    ]
                }
            },
            "result": {
                "effect": "allow",
                "reAuthenticate": "false",
                "obligations": [
                    "SMSOTP:2",
                    "EMAILOTP:2"
                ],
                "msg": "This policy is for otp authentication",
                "mfaFrequency": "OnceForTrustedDevice"
            }
        }
    ]
}

Environment

Release : VIP AuthHub 2.1.4 (ssp 2.1.4+1042)

Resolution

Refer to the release notes below for the tenant setting 'principalConditionRequiredInPolicy':

Release Notes - 2.1

In a fresh deployment of AuthHub 2.1.0 or later, the principalConditionRequiredInPolicy parameter is set to TRUE by default. In this case, the principal condition is mandatory in every AuthNPolicy rule.

In an upgraded environment, the principalConditionRequiredInPolicy parameter is set to FALSE. In this case, the principal condition is NOT mandatory in the AuthNPolicy rule.

As this is a fresh deployment, there are two options: either set the principalConditionRequiredInPolicy parameter to FALSE in the tenant settings, or add a principal condition to the "conditions" object of each AuthNPolicy rule, like the one below. Adding the condition is the preferable fix, because setting the parameter to FALSE removes the principal check for every policy in the tenant rather than for this one policy:

"principal": {
    "user": {
        "operator": "in",
        "value": [
            "*"
        ]
    }
}

'*' matches all users from all ID Stores.
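The following pre-flight check, written for this article as an added example (it is not part of the article or of the AuthHub product), reproduces the rule the release notes describe: when principalConditionRequiredInPolicy is TRUE, every rule must carry a "principal" condition, otherwise the API rejects the policy with errorCode 8800308. It validates a policy document before it is sent with curl and, where a rule lacks the condition, inserts the '*' principal from above. The error code and the JSON shape come from the article; the function names, the reduced sample policy, and the treatment of a missing "conditions" object are this example's own assumptions. A narrower principal than '*' can be passed in place of the default if the policy is meant for a subset of users (the accepted syntax for such values is not covered here and is left to the "principal" condition documentation).

```python
"""Pre-flight check for an AuthHub AuthNPolicy JSON body before it is
POSTed to /default/admin/v1/AuthPolicies.

Added example, not code from the original article or from AuthHub.
Assumption: the server-side check mirrors the 2.1 release notes, i.e. with
principalConditionRequiredInPolicy = TRUE every rule needs
conditions.principal, otherwise errorCode 8800308 is returned.
"""
import copy
import json

# The principal condition recommended by the article: '*' matches all
# users from all ID Stores.
ALLOW_ALL_USERS = {"user": {"operator": "in", "value": ["*"]}}

# Constructed sample: a reduced copy of the article's siteminder_policy.json
# that still lacks a principal condition.
SAMPLE_POLICY = {
    "policyName": "2FA Policy - siteminder",
    "status": "active",
    "apps": [{"id": "<app id>"}],
    "rules": [
        {
            "conditions": {
                "action": {"operator": "in", "value": ["authenticate"]},
                "channel": {"operator": "in", "value": ["web"]},
                "acr": {"operator": "in", "value": ["urn:iam:acr:aal:otp"]},
            },
            "result": {
                "effect": "allow",
                "reAuthenticate": "false",
                "obligations": ["SMSOTP:2", "EMAILOTP:2"],
                "mfaFrequency": "OnceForTrustedDevice",
            },
        }
    ],
}


def rules_missing_principal(policy):
    """Return the indexes of rules whose conditions lack a 'principal' key."""
    missing = []
    for i, rule in enumerate(policy.get("rules", [])):
        # A rule with no "conditions" object at all is treated as missing
        # the principal as well (assumption of this example).
        conditions = rule.get("conditions") or {}
        if "principal" not in conditions:
            missing.append(i)
    return missing


def validate_policy(policy, principal_required=True):
    """Return a list of problems; an empty list means the policy should pass
    the principal check for the given value of the tenant setting."""
    problems = []
    if not policy.get("rules"):
        problems.append("policy has no rules")
    if principal_required:
        for i in rules_missing_principal(policy):
            problems.append(f"rule {i}: missing principal condition (8800308)")
    return problems


def add_principal_condition(policy, principal=ALLOW_ALL_USERS):
    """Return a copy of the policy in which every rule lacking a principal
    condition receives `principal`; rules that already have one are kept."""
    fixed = copy.deepcopy(policy)
    for i in rules_missing_principal(fixed):
        rule = fixed["rules"][i]
        rule.setdefault("conditions", {})["principal"] = copy.deepcopy(principal)
    return fixed


if __name__ == "__main__":
    print("before:", validate_policy(SAMPLE_POLICY))
    fixed = add_principal_condition(SAMPLE_POLICY)
    print("after: ", validate_policy(fixed))
    # Corrected body, ready for: curl ... -d @./siteminder_policy.json
    print(json.dumps(fixed, indent=2))
```

Run the script against the real policy file by loading it with json.load in place of SAMPLE_POLICY; the validation reports the same rule indexes that the API would reject, and the corrected document can be written back to siteminder_policy.json before the curl request is repeated.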

See also the following documentation:

Description of "principal" condition