We are encountering an HTTP Status 500 - Internal Server Error after configuring MFA by integrating VIP Authentication Hub with SiteMinder.
In the "Scenario 1: SiteMinder performs the primary authentication and Authentication Hub performs the secondary authentication" use case, the browser shows an HTTP Status 500 error page.
After turning on FWS tracing, we saw the following errors in FWSTrace.log:
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][User authentication failed. Auth reason failure code: 57]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][getRedirectUrlFromAttributes][Response Attributes:]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][getRedirectUrlFromAttributes][Redirect URL from attributes : null]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][Failure Reason:Type:ConfigError. JWT Token verification failed with Certificate alias ########]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][Failure Reason id:158]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][Transaction with ID: ########-####-####-####-############_########-########-########-########-########-#### failed. Reason: FWSB_USER_AUTHENTICATION_FAILED]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][Ending the request processing with the HTTP response code: 500]
[05/09/2025][05:01:27][14432][5028][########-####-####-####-############_########-########-########-########-########-####][BCTokenController.java][processFailedAuthentication][Ending the request with error message.]
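To check a larger FWSTrace.log for the same failure signature, the following Python script (an added example, not part of the original article or of either product) parses lines in the layout shown above, groups them by transaction ID, and reports the transactions that failed JWT verification together with the certificate alias named in the trace. The transaction IDs and the alias in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# FWSTrace.log layout seen above:
# [date][time][pid][tid][transaction id][source file][method][message]
# The message may itself contain brackets, so it is matched greedily to the last "]".
LINE = re.compile(r"^\[([^\]]*)\]\[([^\]]*)\]\[(\d+)\]\[(\d+)\]"
                  r"\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]\s*$")

# Message patterns taken from the trace lines on this page.
FIELDS = {
    "auth_reason": re.compile(r"Auth reason failure code: (\d+)"),
    "failure_type": re.compile(r"Failure Reason:Type:(\w+)\."),
    "cert_alias": re.compile(r"JWT Token verification failed with Certificate alias (\S+)"),
    "reason_id": re.compile(r"Failure Reason id:(\d+)"),
    "http_status": re.compile(r"HTTP response code: (\d+)"),
}

def jwt_verification_failures(lines):
    """Group trace lines by transaction ID and return only the transactions
    that failed JWT verification, with the alias named in the trace."""
    txns = defaultdict(dict)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip wrapped or foreign lines
        date, time, _pid, _tid, txn, _src, _method, msg = m.groups()
        rec = txns[txn]
        rec.setdefault("first_seen", f"{date} {time}")
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                rec[name] = hit.group(1)
    return {t: r for t, r in txns.items() if "cert_alias" in r}

# Constructed sample: transaction IDs and alias are placeholders, not real values.
SAMPLE = """\
[05/09/2025][05:01:27][14432][5028][txn-A][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[05/09/2025][05:01:27][14432][5028][txn-A][BCTokenController.java][processFailedAuthentication][User authentication failed. Auth reason failure code: 57]
[05/09/2025][05:01:27][14432][5028][txn-A][BCTokenController.java][processFailedAuthentication][Failure Reason:Type:ConfigError. JWT Token verification failed with Certificate alias EXAMPLE_ALIAS]
[05/09/2025][05:01:27][14432][5028][txn-A][BCTokenController.java][processFailedAuthentication][Failure Reason id:158]
[05/09/2025][05:01:27][14432][5028][txn-A][BCTokenController.java][processFailedAuthentication][Ending the request processing with the HTTP response code: 500]
[05/09/2025][05:02:10][14432][5030][txn-B][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
""".splitlines()

if __name__ == "__main__":
    for txn, rec in jwt_verification_failures(SAMPLE).items():
        print(txn, rec)
```

The reported alias is the value to compare against the Verification Certificate Alias in the Multi Factor Chain Authentication Scheme.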
VIP Authentication Hub 3.x
SiteMinder 12.8
The VIP Authentication Hub signing certificate is not configured correctly.
Extract the VIP Authentication Hub signing certificate from VIP Authentication Hub using the following API:
https://ah_hostname/tenant_name/admin/v1/SigningCert
Then import it into SiteMinder using the SiteMinder Admin UI. This way, SiteMinder can correctly verify the JWT token generated by VIP Authentication Hub.
See the following section in the documentation:
The public certificate of the signing key that is used by Authentication Hub tenant to sign the ID Token
If you have the VIP Authentication Hub Admin UI, you can also use it to download the signing certificate. Go to Applications, open the siteminder application, and go to the OAuth/OpenID tab. Click the [View Setup] button to the right of the Integration Setup line.
The Integration Setup dialog appears. Click the [Download] button to download the signing certificate.
Once the VIP Authentication Hub signing certificate is imported into SiteMinder, modify the Multi Factor Chain Authentication Scheme and, in the VIP Authentication Hub Configuration section, set the Verification Certificate Alias to the imported signing certificate.