VIP Authentication Hub - Unable to login to the admin console after upgrade to 2.2

Article ID: 276904

Products

VIP Authentication Hub

Issue/Introduction

This was working in 2.1 and stopped working after the upgrade to 2.2. Attempting to log in to the admin console displays an error screen containing only the client transaction ID. I checked; the tenant admin policies are in place and have the same values as in the previous version.

Our user IDs are assigned to the group "Admin Users"; we verified this from the API.

Manage Authorizations: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-2/Administrating-Module/managing-authorization.html

According to the docs, TenantAdminPolicy is not changed and it is sufficient to log in. We did not find any difference from 2.1.

Attached are the logs for the client transaction ID displayed on the error screen.

The policy is:

    {
        "id": "bd083ea8-dae2-4317-a820-a52248689acc",
        "name": "TenantAdminPolicy",
        "description": "Policy for Tenant Admin",
        "principal": {
            "group": {
                "operator": "in",
                "value": ["Admin Users"]
            },
            "clientApp": {
                "operator": "in",
                "value": [
                    "$TENANT_ADMINCONSOLE",
                    "673a8571-a64c-4785-ba2d-4a1f4859daa9"
                ]
            }
        }
    }

Environment

VIP Auth Hub

Release : 2.2 and onwards

Resolution

To upgrade smoothly from Authentication Hub v2.1 to v2.2, update the "Principal" condition within the seeded "AdminLoginPolicy" authentication policy before upgrading. Ensure this condition is mapped to either a user or a group that exists in the ID store configured in the "idStoreToBeUsed" tenant setting or the "idStoreToUse" application setting. Failure to set the correct principal condition could trigger an error message such as "No applicable AuthN policies matched, returning AUTH_DENIED."
This is documented in the release notes, which should be consulted before an upgrade is planned.
Install and Upgrade Instructions
  • From this release onwards, it is mandatory to have a "principal" condition in the authentication policy. This applies to all pre-existing authentication policies (please update them before the upgrade), including the authentication policy for the built-in "Admin Console" application.
    During a fresh installation of Authentication Hub, the "adminConsoleIdStoreToBeUsed" tenant property defaults to the "Internal" ID Store. During an upgrade, this property is set to the value of the "idStoreToBeUsed" tenant setting, ensuring continuous access to the Admin Console. This setting is covered in the New Features and Improvements section above (adminConsoleIdStoreSetting) and in the Managing Settings page.
    As a best practice, we recommend that administrative access and application access be implemented by modeling different policies and different logical identity stores in Authentication Hub.
    Starting with this release, a "DefaultTenantAdminUser" account is created in the Internal ID Store and is granted the "Tenant Admin" role. A matching Kubernetes secret containing the initial password is created to allow an admin to sign in to the Admin Console. This secret is deleted and the "DefaultTenantAdminUser" account is disabled after the 48-hour period elapses. See the Initial Security Credentials section.
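The release-note requirement above is easy to check mechanically before an upgrade: export the authentication policies and flag every one whose "principal" condition is missing or names no user or group. The script below is an added example written for this article, not code from Broadcom or the Authentication Hub product. The policy documents it inspects are constructed samples shaped like the TenantAdminPolicy shown above; the "user" key under "principal" is an assumption taken from the release-note wording ("a user or group"), since the page itself only shows a "group" key.

```python
"""Pre-upgrade lint for VIP Authentication Hub authentication policies.

Reports each policy whose "principal" condition is absent, names neither a
user nor a group, or names one with an empty value list. Run it over the
policies exported from the 2.1 tenant before upgrading to 2.2.
"""
import json

# Keys under "principal" that say WHO the policy applies to.
# "group" is shown on the page; "user" is assumed from the release notes.
PRINCIPAL_SUBJECT_KEYS = ("group", "user")


def principal_problems(policy):
    """Return a list of problems with one policy's "principal" condition.

    An empty list means the policy satisfies the 2.2 requirement.
    """
    problems = []
    principal = policy.get("principal")
    if not isinstance(principal, dict) or not principal:
        problems.append("no 'principal' condition")
        return problems
    subjects = [k for k in PRINCIPAL_SUBJECT_KEYS if k in principal]
    if not subjects:
        # A clientApp-only principal restricts the application, not the caller.
        problems.append("principal has neither 'group' nor 'user'")
        return problems
    for key in subjects:
        cond = principal[key]
        values = cond.get("value") if isinstance(cond, dict) else None
        if not values:
            problems.append(f"principal.{key} has no values")
    return problems


def lint_policies(policies):
    """Map policy name (or id) -> problem list, only for policies with problems."""
    report = {}
    for policy in policies:
        problems = principal_problems(policy)
        if problems:
            label = policy.get("name") or policy.get("id") or "<unnamed>"
            report[label] = problems
    return report


# Constructed sample export: one policy shaped like the page's TenantAdminPolicy,
# one that only restricts by clientApp, and one with no principal at all.
SAMPLE_POLICIES = json.loads("""
[
  {"id": "pol-1", "name": "TenantAdminPolicy",
   "principal": {"group": {"operator": "in", "value": ["Admin Users"]},
                 "clientApp": {"operator": "in", "value": ["$TENANT_ADMINCONSOLE"]}}},
  {"id": "pol-2", "name": "AppOnlyPolicy",
   "principal": {"clientApp": {"operator": "in", "value": ["some-app-id"]}}},
  {"id": "pol-3", "name": "LegacyLoginPolicy"}
]
""")

if __name__ == "__main__":
    report = lint_policies(SAMPLE_POLICIES)
    if not report:
        print("all policies have a usable principal condition")
    for name, problems in report.items():
        print(f"{name}: {'; '.join(problems)}")
```

The check is purely structural: it confirms that a principal condition exists and names a group or user, but it cannot tell whether that group or user actually exists in the ID store selected by "idStoreToBeUsed" or "idStoreToUse". Verify that mapping against the ID store separately, as the resolution above requires.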
