Creating an Authentication Policy on a freshly deployed VIP AuthHub 2.1.4 fails with the error below:
{"errorCode":"8800308","errorMessage":"Missing principal condition"}
The AuthHub 2.1.4 environment is a fresh deployment. The policy is created with a curl command similar to the following:
curl --ciphers ALL -sk --location --request POST https://<AuthHub FQHN>/default/admin/v1/AuthPolicies --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <access token>' -d @./siteminder_policy.json
The content of siteminder_policy.json is as follows (note that the "result" object must be enclosed in its own braces):
{
  "policyName": "2FA Policy - siteminder",
  "description": "2FA Policy - siteminder",
  "status": "active",
  "apps": [
    {
      "id": "<app id>"
    }
  ],
  "rules": [
    {
      "conditions": {
        "action": {
          "operator": "in",
          "value": [
            "authenticate"
          ]
        },
        "channel": {
          "operator": "in",
          "value": [
            "web"
          ]
        },
        "acr": {
          "operator": "in",
          "value": [
            "urn:iam:acr:aal:otp"
          ]
        }
      },
      "result": {
        "effect": "allow",
        "reAuthenticate": "false",
        "obligations": [
          "SMSOTP:2",
          "EMAILOTP:2"
        ],
        "msg": "This policy is for otp authentication",
        "mfaFrequency": "OnceForTrustedDevice"
      }
    }
  ]
}
Release: VIP AuthHub 2.1.4 (ssp 2.1.4+1042)
Please refer to the release notes below regarding the 'principalConditionRequiredInPolicy' tenant setting:
In a fresh deployment of AuthHub 2.1.0 or later, the principalConditionRequiredInPolicy parameter is set to TRUE by default. In this case, the principal condition is mandatory in the AuthNPolicy rule.
In an upgraded environment, the principalConditionRequiredInPolicy parameter is set to FALSE. In this case, the principal condition is NOT mandatory in the AuthNPolicy rule.
As this is a fresh deployment, either set the principalConditionRequiredInPolicy tenant setting to FALSE, or add a principal condition such as the following to the "conditions" block of the AuthNPolicy rule:
"principal": {
  "user": {
    "operator": "in",
    "value": [
      "*"
    ]
  }
}
The value '*' matches all users from all ID Stores.
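The following Python helper is an added example, not part of the article or of the AuthHub product: it reproduces the principal-condition check client-side, so a policy file can be validated (and patched with the article's wildcard principal) before it is POSTed to the AuthPolicies endpoint. The sample policy is the article's JSON with the "result" braces corrected; the placeholders are kept as-is, and the function names are the author's own.

```python
import json

# Constructed sample policy: the article's siteminder_policy.json with the
# "result" object properly braced and the placeholders kept as-is.
SAMPLE_POLICY = {
    "policyName": "2FA Policy - siteminder",
    "description": "2FA Policy - siteminder",
    "status": "active",
    "apps": [{"id": "<app id>"}],
    "rules": [{
        "conditions": {
            "action": {"operator": "in", "value": ["authenticate"]},
            "channel": {"operator": "in", "value": ["web"]},
            "acr": {"operator": "in", "value": ["urn:iam:acr:aal:otp"]},
        },
        "result": {
            "effect": "allow", "reAuthenticate": "false",
            "obligations": ["SMSOTP:2", "EMAILOTP:2"],
            "msg": "This policy is for otp authentication",
            "mfaFrequency": "OnceForTrustedDevice",
        },
    }],
}

# Principal condition from the article: '*' matches all users from all ID Stores.
ALL_USERS_PRINCIPAL = {"user": {"operator": "in", "value": ["*"]}}


def rules_missing_principal(policy: dict) -> list:
    # Client-side mirror of the check AuthHub enforces when the tenant setting
    # principalConditionRequiredInPolicy is TRUE (error 8800308 otherwise).
    return [i for i, rule in enumerate(policy.get("rules", []))
            if "principal" not in rule.get("conditions", {})]


def add_principal_condition(policy: dict, principal: dict = ALL_USERS_PRINCIPAL) -> dict:
    # Return a deep copy with the principal condition added to every rule that
    # lacks one; the input policy is left untouched.
    patched = json.loads(json.dumps(policy))
    for i in rules_missing_principal(patched):
        patched["rules"][i].setdefault("conditions", {})["principal"] = json.loads(json.dumps(principal))
    return patched


def preflight(policy: dict) -> str:
    # Validate before the POST and return the request body as JSON text.
    missing = rules_missing_principal(policy)
    if missing:
        raise ValueError(f"rules {missing} lack a principal condition; AuthHub would reject with 8800308")
    return json.dumps(policy)
```

The text returned by preflight can be written to siteminder_policy.json and sent with the curl command above; a policy that scopes "principal" to specific users or ID Stores is preferable to the wildcard where the application does not need every user.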
Please also refer to the documentation below:
Description of "principal" condition