Authentication Hub still shows credentials that have been deleted from the credential source

Article ID: 380568


Products

VIP Authentication Hub

Issue/Introduction

The use case is a SiteMinder and VIP Authentication Hub (AH) authentication flow in ZFP (Zero Footprint) mode: SiteMinder performs the first factor and AH performs the second factor (MFA).
The testing team reported that the user is shown SMS/Mobile in the factor list on the sign-in UI. AH should show only the Email factor, because the Telephone Number is no longer present in the ID Token Hint.

The user has "email" and "sms" credentials that were generated during a previous authentication.

The Telephone Number was then removed from the LDAP store and a new authentication flow ran with an ID Token Hint whose payload no longer contained the Telephone Number. AH still appears to consult the existing credential data and offers two choices for the second factor, SMS and Email. The SMS factor shows the masked old phone number.

The expectation is that AH shows only Email as the second factor.

If a new Telephone Number is set in the LDAP store and the ID Token Hint is generated with the new number, the phone credential is updated and the SMS factor shows the masked new number. By the same logic, when the Telephone Number is removed from the LDAP store, AH should delete the SMS/Mobile credential and stop showing the SMS factor.
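As an added illustration (this is example code, not the article's own material and not Authentication Hub product code), the following Python decodes the payload of an ID Token Hint so you can confirm which claims the hint actually carries, then computes the second-factor list that the sync rule described above should produce, next to the pre-3.3 behaviour that keeps the stale SMS credential. The claim names "email" and "phone_number" (the standard OIDC names), the factor names, the masking format and the sample user are assumptions made for the example; the claims AH reads in a real deployment come from its claim mapping.

```python
"""Added example, not part of the Broadcom article or the Authentication Hub
product: decode an ID Token Hint payload and derive the expected factor list.
Claim names and factor names are assumptions for illustration."""
import base64
import json

# Assumed mapping from source claim in the hint to the AH factor it feeds.
CLAIM_TO_FACTOR = {"email": "EMAIL", "phone_number": "SMS"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_hint(claims: dict) -> str:
    """Build a constructed, unsigned ID Token Hint for the demonstration.
    A real hint is signed by the issuer; the signature is not needed just to
    inspect the payload."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic use only: confirm which claims the hint really carries before
    concluding that AH synced from a stale one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def reconcile_credentials(stored: dict, claims: dict, keep_stale: bool = False) -> dict:
    """Expected auto-sync result: a factor whose source claim is present is
    created or updated from the claim; a factor whose source claim is absent
    is dropped. keep_stale=True mimics the defect the article describes:
    the previously stored credential survives even though its claim is gone."""
    synced = {}
    for claim, factor in CLAIM_TO_FACTOR.items():
        value = claims.get(claim)
        if value:
            synced[factor] = value            # create or update from the hint
        elif keep_stale and factor in stored:
            synced[factor] = stored[factor]   # stale credential kept (pre-3.3)
    return synced


def mask(value: str, visible: int = 4) -> str:
    """Mask all but the last `visible` characters, as the sign-in UI does."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


def signin_factor_list(creds: dict) -> list:
    """Factor choices the sign-in UI would present, as (factor, masked value)."""
    return sorted((factor, mask(value)) for factor, value in creds.items())


# Constructed sample: credentials AH stored from an earlier authentication.
STORED = {"EMAIL": "jane.doe@example.com", "SMS": "+15551234567"}

# Constructed hint issued after the Telephone Number was removed from LDAP.
HINT_WITHOUT_PHONE = make_unsigned_hint({"sub": "jdoe", "email": "jane.doe@example.com"})


def expected_factors(hint: str, stored: dict = STORED, keep_stale: bool = False) -> list:
    """End-to-end: decode the hint, reconcile against stored credentials,
    and return what the sign-in UI should offer."""
    return signin_factor_list(reconcile_credentials(stored, decode_jwt_payload(hint), keep_stale))


if __name__ == "__main__":
    print("pre-3.3 :", expected_factors(HINT_WITHOUT_PHONE, keep_stale=True))
    print("expected:", expected_factors(HINT_WITHOUT_PHONE))
```

decode_jwt_payload deliberately skips signature verification: it is a diagnostic to inspect a hint you already hold, not a validation step, and AH performs its own validation of the hint it receives.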

Environment

VIP Authentication Hub 3.1, 3.1.1, 3.2.1, 3.2.2

Cause

This is a known issue, tracked as DE611123: credential auto-sync does not handle the case where a credential is removed from the credential source. The AH database keeps the deleted credential of that type, so the corresponding factor remains selectable on the sign-in UI.

Resolution

This issue is fixed in AH 3.3 and later. Upgrade to 3.3 or later to resolve the problem.