Request with ID_TOKEN_HINT failing after upgrading from 12.8 SP3 to 12.8 SP7
Article ID: 275256


Products

SITEMINDER

Issue/Introduction

After upgrading SiteMinder from 12.8 SP3 to 12.8 SP7, the OIDC authorization code request fails whenever ID_TOKEN_HINT is passed on the URL, for example:

```http
GET https://oidcserver.example.com/affwebservices/CASSO/oidc/oidc_client_name/authorize?client_id=exampleclientid&redirect_uri=https%3A%2F%2Frp.rp.example.com%2Fsignin-callback&response_type=code&scope=openid&state=***********&code_challenge=GhZagajWDhukyz..........XzE&code_challenge_method=S256&prompt=none&id_token_hint=eyJraWQiO........uQb7kIB4mS3pL8RbdoZ87rfw&response_mode=query HTTP/1.1
```

Environment

Release : 12.8.07

Cause

**** Case 1 --> Existing 12.8 SP3 setup with id_token_hint passed on the request

What actually happens: the SP3 Policy Server ignores id_token_hint entirely, because that code base is not written to read it. The request therefore always succeeded, since the hint had no effect.

**** Case 2 --> New 12.8 SP7 setup with id_token_hint passed on the request

After the upgrade to SP7, the SP7 code base has a new feature that reads and validates id_token_hint (developed to support the integration with VIP AuthHub).

The application team sends the same request to SiteMinder SP7 after the upgrade. Because SP7 now actually processes ID_TOKEN_HINT, the request fails: SP7 requires additional configuration to accept the hint, which SP3 never needed because it simply ignored the parameter.


Resolution

Proposed solutions:

* Solution a --> Remove ID_TOKEN_HINT from the request altogether, since SP3 was ignoring it anyway.

* Solution b --> If id_token_hint is to be kept in the request, additional configuration must be done on SP7 so that it accepts the ID_TOKEN_HINT, as described in the steps below.

 

#### Action items for Solution b: configure SP7 to accept the ID_TOKEN_HINT

The full procedure for the steps below is documented here --> https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/implementing/integrations/integration-with-vip-authhub/use-id-token-hint-to-generate-an-smsession.html

1) Create a trusted OIDC Provider. SiteMinder itself can be added as the trusted provider; an AuthHub integration is not required.
2) Create an ID Token policy.
3) Configure the Authorization Provider that is associated with the Client, to define the user directory that must be used for authenticating the user identified by the ID Token Hint and creating an SMSESSION.
4) Configure the OIDC Client to use the ID Token policy created in step 2.
5) Send an authentication request to the Authorization Endpoint.
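To reproduce the diagnosis from the Cause section and apply Solution a on the client side, here is an added Python example (not SiteMinder code, and not from the Broadcom article): it parses an authorize request, decodes the id_token_hint header and claims without verifying the signature (only to see which issuer and key SP7 will need a trusted OIDC provider for), and strips the hint to produce the SP3-equivalent request. The sample token and URL are constructed for this example; the issuer, kid and signature values are placeholders.

```python
import base64
import json
import time
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

def _b64url_decode(segment):
    # JWT segments omit base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_hint(token):
    """Decode JWT header and claims WITHOUT verifying the signature. This only
    shows which issuer/kid the Policy Server must have a trusted OIDC provider
    for; it is a diagnostic, not an authentication check."""
    header_b64, payload_b64, _sig = token.split(".")
    return {"header": json.loads(_b64url_decode(header_b64)),
            "claims": json.loads(_b64url_decode(payload_b64))}

def inspect_authorize_request(url, now=None):
    """Report whether the request carries id_token_hint and what it refers to."""
    hint = parse_qs(urlsplit(url).query).get("id_token_hint", [None])[0]
    if hint is None:
        return {"has_hint": False}  # nothing for SP7 to validate (SP3-like)
    decoded = decode_hint(hint)
    now = time.time() if now is None else now
    return {"has_hint": True,
            "issuer": decoded["claims"].get("iss"),
            "kid": decoded["header"].get("kid"),
            "expired": decoded["claims"].get("exp", 0) < now}

def strip_id_token_hint(url):
    """Solution a: drop id_token_hint so SP7 sees the request as SP3 did."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "id_token_hint"]
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample hint; "c2ln" is a placeholder signature, not a real one
_HDR = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-key"}).encode())
_PAY = _b64url_encode(json.dumps({"iss": "https://oidcserver.example.com",
                                  "aud": "exampleclientid", "exp": 4102444800}).encode())
SAMPLE_HINT = f"{_HDR}.{_PAY}.c2ln"
SAMPLE_URL = ("https://oidcserver.example.com/affwebservices/CASSO/oidc/oidc_client_name/"
              "authorize?client_id=exampleclientid&response_type=code&scope=openid"
              f"&prompt=none&id_token_hint={SAMPLE_HINT}&response_mode=query")

if __name__ == "__main__":
    print(inspect_authorize_request(SAMPLE_URL))
    print(strip_id_token_hint(SAMPLE_URL))
```

If the reported issuer is not configured as a trusted OIDC provider on SP7 (step 1 above), the request fails exactly as described in Case 2.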