Creating Authentication Policy on new VIP AuthHub 2.1.4 failed with below error.

>> '{"errorCode":"8800308","errorMessage":"Missing principal condition"}'

The AuthHub 2.1.4 environment is freshly deployed. We run curl command similar to the following

curl --ciphers ALL -sk --location --request POST https://<AuthHub FQHN>/default/admin/v1/AuthPolicies --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <access token>' -d @./siteminder_policy.json

The content of siteminder_policy.json is as below

{
   "policyName": "2FA Policy - siteminder",
   "description": "2FA Policy - siteminder",
    "status": "active",
    "apps": [
        {
            "id": "<app id>"
        }
    ],
    "rules": [
        {
            "conditions": {
                "action": {
                    "operator": "in",
                    "value": [
                        "authenticate"
                    ]
                },
                "channel": {
                    "operator": "in",
                    "value": [
                        "web"
                    ]
                },
                "acr": {
                    "operator": "in",
                    "value": [
                        "urn:iam:acr:aal:otp"
                    ]
                }
            },
            "result":
                "effect": "allow",
                "reAuthenticate": "false",
                "obligations": [
                    "SMSOTP:2",
                    "EMAILOTP:2"
                ],
                "msg": "This policy is for otp authentication",
                "mfaFrequency": "OnceForTrustedDevice"
           }
        }
   ]
}

Release : VIP AuthHub 2.1.4 (ssp 2.1.4+1042)

Please refer to release notes below for the tenant setting setting about 'principalConditionRequiredInPolicy' parameter

Release Notes - 2.1

In a fresh deployment of AuthHub 2.1.0 or later, the principalConditionRequiredInPolicy parameter is set to TRUE by default. In this case, the principal condition is mandatory in the AuthNPolicy rule.

In an upgraded environment, the principalConditionRequiredInPolicy parameter is set to FALSE. In this case, the principal condition is NOT mandatory in the AuthNPolicy rule

As this is a fresh deployment, we can either set principalConditionRequiredInPolicy parameter at the tenant setting to FALSE or add any principal condition like below in the AuthNPolicy:

"principal": { 
   "user": {
       "operator": "in",
          "value": [

               "*"

           ]
     }
}

'*' - means allow all users from all ID Stores

Please also refer below documentation.

Description of "principal" condition