The use case is the SiteMinder and VIP Authentication Hub (AH) authentication flow in ZFP (Zero Footprint) mode: SiteMinder performs the 1st factor and AH performs the 2nd factor (MFA).
The testing team has reported an issue where the user is shown SMS/Mobile in the factor list on the Signin UI. AH should show only the Email factor, because the Telephone Number is no longer present in the ID Token Hint.
The user has "email" and "sms" credentials that were generated in a previous authentication.
The Telephone Number was then removed from the LDAP store, and a new authentication flow occurred with an ID Token Hint that does not carry a Telephone Number in its payload. AH still appears to read the existing credential data and offers 2 selections for the 2nd factor, i.e. SMS and Email. The SMS factor shows the masked old phone number.
The expectation is that AH shows only Email as the 2nd factor.
If a new Telephone Number is set in the LDAP store and the ID Token Hint is generated with the new Telephone Number, the phone credential is updated and the SMS factor shows the masked new phone number. By the same logic, when the Telephone Number is removed from the LDAP store, AH should delete the SMS/Mobile credential and not show the SMS factor.
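The expected auto-sync behaviour, modelled as an added Python example (this is not AH or SiteMinder code): it decodes the ID Token Hint payload to see which claims are present, rebuilds the hint-sourced credentials from those claims so that a factor whose source attribute has disappeared is dropped, and puts the reported "never deletes" behaviour beside it for comparison. The claim names "email" and "phone_number", the mapping to EMAIL/SMS factor types, the extra "TOTP" credential, and the sample user are assumptions; the hint is built unsigned for offline use and its signature is deliberately not verified here.

```python
import base64
import json

# Assumption: which ID Token Hint claims feed which AH factor types. The KB only
# speaks of "Email" and "Telephone Number"; the standard OIDC claim names are used.
CLAIM_TO_FACTOR = {"email": "EMAIL", "phone_number": "SMS"}

# Constructed sample user (not real data).
FIRST_HINT_CLAIMS = {"sub": "jdoe", "email": "jdoe@example.com", "phone_number": "+15555550100"}
# Same user after the Telephone Number was removed from LDAP: no phone_number claim.
SECOND_HINT_CLAIMS = {"sub": "jdoe", "email": "jdoe@example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_hint(claims: dict) -> str:
    """Build an alg=none JWT for offline testing only; a real hint is signed by SiteMinder."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def id_token_hint_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT.

    Only the payload is parsed; the signature is NOT checked, because the purpose
    is to see which claims the hint carries (e.g. whether phone_number is present).
    AH itself must verify the signature before trusting any claim.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def sync_credentials(stored: dict, claims: dict) -> dict:
    """Expected auto-sync: the hint is authoritative for hint-sourced credentials.

    Credentials not fed by the hint (hypothetical "TOTP") are kept untouched. Each
    hint-sourced credential is created or updated from its claim and dropped when
    the claim is absent, so a removed Telephone Number removes the SMS credential.
    """
    hint_factors = set(CLAIM_TO_FACTOR.values())
    synced = {factor: value for factor, value in stored.items() if factor not in hint_factors}
    for claim, factor in CLAIM_TO_FACTOR.items():
        if claims.get(claim):
            synced[factor] = claims[claim]
    return synced


def stale_sync_credentials(stored: dict, claims: dict) -> dict:
    """Behaviour reported above: creates and updates from the hint, but never deletes."""
    synced = dict(stored)
    for claim, factor in CLAIM_TO_FACTOR.items():
        if claims.get(claim):
            synced[factor] = claims[claim]
    return synced


def mask(factor: str, value: str) -> str:
    """Mask a credential the way a Signin UI shows it: last 4 digits, or first letter of the mailbox."""
    if factor == "SMS":
        return "*" * (len(value) - 4) + value[-4:]
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}"


def factor_list(credentials: dict) -> list:
    """Factors offered on the Signin UI with masked values, sorted for stable output."""
    return [f"{factor}: {mask(factor, value)}" for factor, value in sorted(credentials.items())]


if __name__ == "__main__":
    store = sync_credentials({}, id_token_hint_claims(make_unsigned_hint(FIRST_HINT_CLAIMS)))
    print("after first login :", factor_list(store))
    second = id_token_hint_claims(make_unsigned_hint(SECOND_HINT_CLAIMS))
    print("expected          :", factor_list(sync_credentials(store, second)))
    print("reported          :", factor_list(stale_sync_credentials(store, second)))
```

Running it shows the reported symptom directly: after the second hint the stale sync still lists "SMS: ********0100" (the masked old number), while the expected sync lists only the Email factor. The same decode step is a quick way for a tester to confirm that the hint really lacks the phone_number claim before filing a defect.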
VIP Authentication Hub 3.1, 3.1.1, 3.2.1, 3.2.2
This is a known issue, DE611123: credential auto sync does not work correctly when the credential is removed from the credential source. The AH database still retains the deleted credentials of that type.
This issue is fixed in AH 3.3 and later. Upgrade to 3.3 or later to resolve this problem.