Invalid scope when creating an application with Zero FootPrint SFP in VIP Authentication Hub



Article ID: 382625


Products

VIP Authentication Hub

Issue/Introduction


On VIP Authentication Hub, running the following command to send an authorization request

# curl --location --request POST 'https://server.example.com/common/oauth2/v1/authorize?signin_hint=true&scope=openid%20groups%20profile%20email&client_id=eaf743de-79f8-4ee5-a2ee-247b790a2714&response_type=code&redirect_uri=https%3A%2F%2Flocalhost&code_challenge=A6xnQhbz4Vx2HuGl4lXwZ5U2I8iziLRFnhP5eNfIRvQ&code_challenge_method=S256&login_hint=xcasdfasd'

returns a redirect carrying the "Invalid scope" error:

https://localhost?error=invalid_request&error_description=Invalid scope

This occurs when trying to implement ZFP (Zero FootPrint) in VIP Authentication Hub.

Resolution


As per the documentation, Zero Foot Print is SiteMinder oriented (1). There is no section describing how to configure it from a custom OIDC client outside SiteMinder.

Using the cURL command line as the client is not sufficient to get the workflow working, because the request carries no authentication context from SiteMinder.

As per the documentation, the authentication context must be passed from SiteMinder (1).

When configuring MFA in the SiteMinder AdminUI, the option "Enable Propagation of Extended User Attributes in ID Token Hint" is available to set the ID Token Hint that carries this authentication context.

On the same page, further Custom Claims to be set in the ID Token Hint can be configured.

The same page requires defining a certificate for signature and encryption.

The certificate defined there should be imported into VIP Authentication Hub when defining the Client Type as trusted.
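The following helper, added here as an illustration and not code from the KB article or from the VIP Authentication Hub product, builds the PKCE-protected authorize request shown in the Issue section and parses the redirect that comes back, so the "Invalid scope" response can be recognised programmatically rather than by reading the browser address bar. It assumes the standard OIDC parameter name id_token_hint for carrying the ID Token Hint that SiteMinder propagates (the article names the hint but not the wire parameter); the endpoint, client_id and redirect_uri values are taken from the article's example request, and the sample error redirect is the one quoted above.

```python
"""Build an OIDC authorize URL with PKCE and classify the redirect response.

Added example, not product code. Assumptions: `id_token_hint` is the OIDC
parameter that carries the SiteMinder ID Token Hint; endpoint and client
values below are the ones from the article's sample request.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Endpoint and client values copied from the article's curl command.
AUTHORIZE_ENDPOINT = "https://server.example.com/common/oauth2/v1/authorize"
CLIENT_ID = "eaf743de-79f8-4ee5-a2ee-247b790a2714"
REDIRECT_URI = "https://localhost"


def make_pkce_pair(verifier: Optional[str] = None) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    RFC 7636: challenge = BASE64URL(SHA256(ASCII(verifier))) with padding
    stripped. The verifier is stored client-side and sent only to the token
    endpoint, so an intercepted authorization code alone is not redeemable.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(scopes: list[str], code_challenge: str,
                        login_hint: Optional[str] = None,
                        id_token_hint: Optional[str] = None) -> str:
    """Assemble the authorize URL; spaces become %20 and '/' is encoded,
    matching the form of the article's request."""
    params = {
        "signin_hint": "true",
        "scope": " ".join(scopes),
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    if id_token_hint:
        # Assumed parameter name (standard OIDC); the SiteMinder-issued
        # ID Token Hint is what the ZFP flow needs and curl alone lacks.
        params["id_token_hint"] = id_token_hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_redirect(url: str) -> dict:
    """Classify the redirect the authorization server sends back.

    Returns {"ok": False, "error": ..., "description": ...} for an error
    redirect such as the article's '?error=invalid_request&error_description=
    Invalid scope', or {"ok": True, "code": ...} when a code was issued.
    """
    query = parse_qs(urlparse(url).query)
    if "error" in query:
        return {
            "ok": False,
            "error": query["error"][0],
            "description": query.get("error_description", [""])[0],
        }
    return {"ok": True, "code": query.get("code", [None])[0]}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(["openid", "groups", "profile", "email"],
                              challenge, login_hint="xcasdfasd"))
    # Constructed sample: the error redirect quoted in the article.
    print(parse_redirect("https://localhost?error=invalid_request"
                         "&error_description=Invalid scope"))
```

Keep the code_verifier out of logs and out of the authorize URL; only the S256 challenge travels in the front channel. If parse_redirect reports error=invalid_request with "Invalid scope", check first whether the request actually carried the SiteMinder ID Token Hint rather than adjusting the scope list.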


Additional Information