Zero Footprint SiteMinder to AuthHub integration failed: ZFP User Disambiguator failed to resolve identity source for incoming IT with identitySourceId 'null'.

Article ID: 379502

Products

VIP Authentication Hub

Issue/Introduction

During an implementation of the Zero Footprint SiteMinder to AuthHub integration, the user passed SiteMinder authentication but failed before AuthHub authentication began. The AuthHub log shows:

{"timestamp":"yyyy-mm-ddThh:mm:ss.955311Z","type":"log","level":"warn","thread":"https-jsse-nio-8086-exec-9",
"msg":"ZFP User Disambiguator failed to resolve identity source for incoming IT with identitySourceId 'null', 
idpName 'myexample_dir', 
idpType 'siteminder'",
"/auth/v1/authenticate":"true",

...

{"timestamp":"yyyy-mm-ddThh:mm:ss.955357Z","type":"log","level":"warn","thread":"https-jsse-nio-8086-exec-9","msg":"initFlow: ZFP User Disambiguator failed to disambiguate user with userLoginId: ....

If the debug trace is on, it can be observed that SiteMinder passed the idTokenHint to AuthHub and AuthHub decoded it, but the user still cannot pass the Disambiguator:

{"timestamp":"yyyy-mm-ddThh:mm:ss.699688Z","type":"log","level":"trace","thread":"https-jsse-nio-8086-exec-3","msg":"flowState details read ........\\"idTokenHint\\\":\\\"eyJhbGciO........

Environment

SiteMinder version: 12.8.8 CR01

Auth Hub: 3.2.1+1121

Cause

There are a number of possible causes:

  • The idTokenHint is missing user data, or the idTokenHint itself is invalid.
  • There may be a certificate or signature-processing issue.
  • The user policy on the AuthHub side is not correct.
  • Risk evaluation failed.

For the ZFP flow, AuthHub does not have direct access to the user store and does not define one, so identitySourceId 'null' is expected and is not itself the error.

Resolution

Two changes were made to resolve the problem:

1. Under the AuthHub ZFP policy rule --> "conditions", remove the "idpName" section and replace it with a "context" condition.
This can be done via either the API or the admin console.

Remove this section:

"conditions": {
    "idpName": {
        "operator": "in",
        "value": ["myexample_dir"]
    },

Replace it with the following:

"conditions": {
    "context": {
        "operator": "expression",
        "value": "${idtoken.idp_name} eq myexample_dir"
    },

2. Correct the TOKENISSUER value of the public signing certificate (used for the SiteMinder idTokenHint) under the https://ah_hostname/tenant_name/admin/v1/Certs/ endpoint.

When importing the certificate into AuthHub, this TOKENISSUER value should refer to SiteMinder. The default value is https://security.com/iam/siteminder.

On the SiteMinder side, the Token Issuer is auto-populated based on what is retrieved from VIP AuthHub.

Next, back in the SiteMinder admin UI, go to "ID Token Hint Generation Setup" under "Multi Factor Authentication chain template", and check that the "Token Issuer" is updated and matches the value entered in the previous certificate import step.
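The following is an added triage helper, not part of this article or of the VIP Authentication Hub product, that decodes an idTokenHint payload (without verifying the signature) and reports the two mismatches the resolution above fixes: the issuer against the configured TOKENISSUER and the idp_name claim against the value in the context condition. It assumes the issuer is carried in the standard iss claim and the user identifier in sub; the sample token is constructed.

```python
import base64
import json

# Default TOKENISSUER from the article and the idp name used in its policy condition.
CONFIGURED_TOKEN_ISSUER = "https://security.com/iam/siteminder"
EXPECTED_IDP_NAME = "myexample_dir"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed test token with a dummy signature segment (test input only)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}.dummysig"


def inspect_id_token_hint(token: str, token_issuer: str, idp_name: str) -> dict:
    """Triage a decoded idTokenHint against the article's checks (signature NOT verified).

    issuer_matches: 'iss' equals the TOKENISSUER configured on the AuthHub certificate.
    idp_name_matches: 'idp_name' satisfies '${idtoken.idp_name} eq <idp_name>' (assumed claim name).
    has_user_id: a subject is present, since missing user data is one listed cause.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"well_formed": False}
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return {"well_formed": False}
    return {
        "well_formed": True,
        "issuer_matches": claims.get("iss") == token_issuer,
        "idp_name_matches": claims.get("idp_name") == idp_name,
        "has_user_id": bool(claims.get("sub")),
        "issuer_seen": claims.get("iss"),
    }


if __name__ == "__main__":
    # Constructed token whose issuer does not match the configured TOKENISSUER.
    token = make_unsigned_jwt({"iss": "https://siteminder.example.internal", "sub": "jdoe", "idp_name": "myexample_dir"})
    print(inspect_id_token_hint(token, CONFIGURED_TOKEN_ISSUER, EXPECTED_IDP_NAME))
```

Paste the idTokenHint value seen in the flowState trace line in place of the constructed token; a False under issuer_matches points at step 2, a False under idp_name_matches at step 1.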

Additional troubleshooting tips:

Turn on the debug trace by changing the Global settings "loglevel" under the (System Admin Operations) API https://{{sspMgmtHost}}/system/admin/v1/Settings.

Then search the logs for transaction entries like the following:

{"timestamp":"yyyy-mm-ddThh:mm:ss.  Incoming IT:

{"timestamp":"yyyy-mm-ddThh:mm:ss.783517Z","type":"log","level":"info","thread":"https-jsse-nio-8086-exec-9","msg":"JWTService.parseIdToken (effective zfp=true): for local IT

Additional Information