In VIP Authentication Hub, the following command is run to authorize the request:
# curl --location --request POST 'https://server.example.com/common/oauth2/v1/authorize?signin_hint=true&scope=openid%20groups%20profile%20email&client_id=eaf743de-79f8-4ee5-a2ee-247b790a2714&response_type=code&redirect_uri=https%3A%2F%2Flocalhost&code_challenge=A6xnQhbz4Vx2HuGl4lXwZ5U2I8iziLRFnhP5eNfIRvQ&code_challenge_method=S256&login_hint=xcasdfasd'
The command returns the Invalid scope error:
https://localhost?error=invalid_request&error_description=Invalid scope
This occurs when trying to implement Zero FootPrint (ZFP) in VIP Authentication Hub.
As per the documentation, Zero FootPrint is SiteMinder-oriented (1). There is no section describing how to configure it from a custom OIDC client outside SiteMinder.
Using the cURL command line as the client is not sufficient to get the workflow working.
As per the documentation, pass the authentication context from SiteMinder (1).
When configuring the MFA in SiteMinder AdminUI, the option "Enable Propagation of Extended User Attributes in ID Token Hint" shows up to set the ID Token Hint as described above.
On the same page, further Custom Claims to be set in the ID Token Hint can be configured.
The same page requires defining a certificate for signature and encryption.
The certificate defined there should be imported into VIP Authentication Hub when defining the Client Type as trusted.