Authentication Policy creation failed with a missing principal condition error in VIP Authentication Hub
Article ID: 273559

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

Creating an Authentication Policy on a newly deployed VIP Authentication Hub 2.1.4 fails with the following error:

'{"errorCode":"8800308","errorMessage":"Missing principal condition"}'

The VIP Authentication Hub 2.1.4 environment is freshly deployed.

The policy is created with a curl command similar to the following:

# curl --ciphers ALL -sk --location --request POST https://server.example.com/default/admin/v1/AuthPolicies --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <access token>' -d @./<siteminder_policy>.json

The content of <siteminder_policy>.json is as below:

{
    "policyName": "2FA Policy - siteminder",
    "description": "2FA Policy - siteminder",
    "status": "active",
    "apps": [
        {
            "id": "<app id>"
        }
    ],
    "rules": [
        {
            "conditions": {
                "action": {
                    "operator": "in",
                    "value": [
                        "authenticate"
                    ]
                },
                "channel": {
                    "operator": "in",
                    "value": [
                        "web"
                    ]
                },
                "acr": {
                    "operator": "in",
                    "value": [
                        "urn:iam:acr:aal:otp"
                    ]
                }
            },
            "result": {
                "effect": "allow",
                "reAuthenticate": "false",
                "obligations": [
                    "SMSOTP:2",
                    "EMAILOTP:2"
                ],
                "msg": "This policy is for otp authentication",
                "mfaFrequency": "OnceForTrustedDevice"
            }
        }
    ]
}

Environment

VIP Authentication Hub 2.1.4 (ssp 2.1.4+1042)

Resolution

Refer to the release notes below for the tenant setting 'principalConditionRequiredInPolicy' (1).

In a fresh deployment of AuthHub 2.1.0 or later, the principalConditionRequiredInPolicy parameter is set to TRUE by default.

In this case, the principal condition is mandatory in the AuthNPolicy rule.

In an upgraded environment, the principalConditionRequiredInPolicy parameter is set to FALSE.

In this case, the principal condition is NOT mandatory in the AuthNPolicy rule.

As this is a fresh deployment, either set the principalConditionRequiredInPolicy tenant setting to FALSE, or add a principal condition such as the following to the "conditions" block of the AuthNPolicy rule:

"principal": {
    "user": {
        "operator": "in",
        "value": [
            "*"
        ]
    }
}

"*" means allow all users from all ID Stores.
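To make the tenant-setting behaviour concrete, here is an added Python example (not Broadcom's or the product's own code) that models the check behind error 8800308 and patches a policy with the wildcard principal condition above. The policy dictionary, the validator's logic and the "<app id>" placeholder are constructed for illustration.

```python
"""Added example (not Broadcom's or the product's own code): mimic the AuthHub
check that rejects an AuthNPolicy rule lacking a principal condition when the
tenant setting principalConditionRequiredInPolicy is TRUE, and patch a policy
with the wildcard principal condition shown in the Resolution."""
import copy
import json

# Constructed policy mirroring the article's <siteminder_policy>.json
# (trimmed; "<app id>" kept as a placeholder).
SITEMINDER_POLICY = {
    "policyName": "2FA Policy - siteminder",
    "status": "active",
    "apps": [{"id": "<app id>"}],
    "rules": [{
        "conditions": {
            "action": {"operator": "in", "value": ["authenticate"]},
            "channel": {"operator": "in", "value": ["web"]},
            "acr": {"operator": "in", "value": ["urn:iam:acr:aal:otp"]},
        },
        "result": {"effect": "allow", "obligations": ["SMSOTP:2", "EMAILOTP:2"]},
    }],
}

# Wildcard principal condition from the article: all users from all ID stores.
ALL_USERS_PRINCIPAL = {"user": {"operator": "in", "value": ["*"]}}


def validate_policy(policy, principal_condition_required=True):
    """Return None when the policy passes, else the error body the article
    shows. Only the principal check is modelled here (assumption)."""
    for rule in policy.get("rules", []):
        if principal_condition_required and not rule.get("conditions", {}).get("principal"):
            return {"errorCode": "8800308", "errorMessage": "Missing principal condition"}
    return None


def add_principal_condition(policy, principal=ALL_USERS_PRINCIPAL):
    """Copy the policy and add a principal condition to each rule lacking one."""
    fixed = copy.deepcopy(policy)
    for rule in fixed.setdefault("rules", []):
        rule.setdefault("conditions", {}).setdefault("principal", copy.deepcopy(principal))
    return fixed


if __name__ == "__main__":
    print(validate_policy(SITEMINDER_POLICY))         # fresh 2.1.x tenant: rejected
    print(validate_policy(SITEMINDER_POLICY, False))  # upgraded tenant: accepted
    print(json.dumps(add_principal_condition(SITEMINDER_POLICY), indent=2))
```

Running it shows the same policy rejected under the fresh-deployment default and accepted once the tenant setting is FALSE or the principal condition is added.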

Additional Information