The Broadcom Advanced Authentication product's EOS date is approaching. It has a feature where end users can enter input, such as answers to the Q&A, during login.
Could VIP auth hub provide a similar feature/function after migration?
While attempting to build a VIP auth hub custom authentication factor, the user encounters HTTP error 401 in browser testing.
Why is the proposed solution not working?
VIP auth hub 2.2.2+1012
Disclaimer: This is a custom solution, out of core support scope. Broadcom is not responsible for the design and implementation of custom code.
The steps below should only be used as courtesy recommendations at a very high level.
VIP auth hub has a feature called "Integrating with Custom Service Provider Interface (SPI)", which will meet the requirement.
The customer needs to create a custom authentication provider first, then build a custom authentication factor that challenges the user with predefined security questions.
Create a Custom authentication provider with properties like:
{
    "name": "spi.discover.capabilities",
    "value": "customauthenticator"
}
The customer can download authentication-hub-open-api-spec.yaml from the link under the VIP doc section "Common Open API Spec for all Custom Providers - (Swagger Content)". It is the consolidated Open API specification YAML file of the Custom SPI for the factor services and custom risk.
In order to achieve the same feature as Advanced Authentication, the customer needs to build a customized app flow that challenges the user for a request/response and uses the key value from the credData parameter as the embedded answer. The custom SPI returns Accept/Reject/Challenge/Terminate as the status, as per the custom SPI implementation.
When building the custom authentication factor, VIP auth hub calls the CustomAuthentication SPI (Service Provider Interface). The response for the challenge is similar to this:
{
    "status": "challenge",
    "credData": [{
        "key": "spi.auth.factor.challenge",
        "value": "What is your Mother's Maiden Name "
    }],
    "additional": {
        "customFlowId": "ssg.question1"
    }
}
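The challenge/response decision described above, sketched as an added example (it is not Broadcom's code and not part of the original article). The request shape (userName, credData, additional), the answer key example.answer, the lowercase accept/reject/terminate strings and the three-attempt limit are assumptions; take the real field names from authentication-hub-open-api-spec.yaml.

```python
import hashlib
import hmac
import unicodedata

CHALLENGE_KEY = "spi.auth.factor.challenge"  # key shown in the sample response above
ANSWER_KEY = "example.answer"   # ASSUMPTION: placeholder, real key comes from the OpenAPI spec
FLOW_ID = "ssg.question1"       # customFlowId shown in the sample response above
MAX_ATTEMPTS = 3                # ASSUMPTION: local policy for wrong answers

def normalize(answer):
    # Fold Unicode form, case and whitespace so "  SMITH " matches "Smith".
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer, salt):
    # Keep only a salted, slow hash of the answer, never the answer itself.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(store, user, question, answer, salt):
    # 'store' is a plain dict standing in for the provider's user database.
    store[user] = {"question": question, "salt": salt,
                   "hash": hash_answer(answer, salt), "failures": 0}

def authenticate(store, request):
    """Return the response body for one call (hypothetical request shape)."""
    record = store.get(request.get("userName"))
    if record is None:
        return {"status": "reject"}
    if record["failures"] >= MAX_ATTEMPTS:
        return {"status": "terminate"}
    creds = {c["key"]: c["value"] for c in request.get("credData", [])}
    answer = creds.get(ANSWER_KEY)
    flow = request.get("additional", {}).get("customFlowId")
    if answer is None or flow != FLOW_ID:
        # First call, or an answer that does not belong to this flow: ask the question.
        return {"status": "challenge",
                "credData": [{"key": CHALLENGE_KEY, "value": record["question"]}],
                "additional": {"customFlowId": FLOW_ID}}
    if hmac.compare_digest(hash_answer(answer, record["salt"]), record["hash"]):
        record["failures"] = 0
        return {"status": "accept"}
    record["failures"] += 1
    # End the flow once the attempt budget is spent instead of re-challenging.
    return {"status": "terminate" if record["failures"] >= MAX_ATTEMPTS else "reject"}
```
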
Verify that your custom authentication provider works independently using SoapUI before this integration.
Ensure the custom authentication provider URL ends with /customauthenticator.