IDP Validation should not allow ZFP and Verify Identity settings to be enabled at the same time in IDSP

Article ID: 423887


Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

Running Symantec Identity Security Platform (Symantec IDSP, formerly known as VIP Authentication Hub, or AuthHub), a Zero Footprint (ZFP) IDP with Verify Identity enabled still authenticates the user even when that user does not exist in VIP.

Identity Provider:

Verify Identity: on
Zero Footprint:  True

Identity Mapping:

MAPPED FROM IDP IDENTITY: <user>@example.com
MAPPED-TO IDENTITY: LOGIN ID:<user>@example.com

Users:

Searching the user list for <user> returns no result:

USERNAME   FIRST NAME   LAST NAME   DISABLED

! No user found matching your search criteria.

Cause

The IDP's VerifyIdentity=true setting is only evaluated during an IDP-as-a-Factor (IDPaaF) flow that the application starts with ZFP=false. In that flow, the IDP's AccountMappingAttribute is used to confirm that the username returned by the IDP belongs to the user who is already going through the authentication flow.

This is the standard procedure for validating an identity returned by identity federation.

In that IDPaaF flow, the IDP's own ZFP state is ignored. Outside of it, Verify Identity has no effect, which is why a ZFP IDP login succeeds whether or not the user is present in VIP.

Resolution

Upgrade IDSP to version 4.0 once it is available; the fix is planned for that release.

To disallow the combination of IDP ZFP=true and VerifyIdentity=true by default, an optional IDP metadata setting, "Allow ZFP IDP to Verify Identity", will be added for the case where such a ZFP IDP is also meant to be used in IDPaaF. The VerifyIdentity UI help text will also be updated to state that the setting is for use with IDP-as-a-Factor.
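The following model, added here for this article and not IDSP code, shows the interaction that the Cause and Resolution sections describe: Verify Identity is only consulted in an IDP-as-a-Factor step, so a plain ZFP login provisions and admits an unknown user, and the proposed settings validation rejects ZFP=true together with VerifyIdentity=true unless the new "Allow ZFP IDP to Verify Identity" metadata is set. The class and function names (IdpSettings, validate_idp_settings, federated_login), the use of a set as a stand-in for the VIP user directory, and the sample assertion attributes are all assumptions made for the example.

```python
"""Illustrative model of the IDSP ZFP / Verify Identity interaction.

Written for this article; not IDSP code. Names and data shapes are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IdpSettings:
    name: str
    zfp: bool                       # "Zero Footprint": provision the user on first login
    verify_identity: bool           # "Verify Identity" toggle on the IDP
    account_mapping_attribute: str  # assertion attribute mapped to the VIP login ID
    allow_zfp_verify: bool = False  # proposed optional metadata (Resolution section)


def validate_idp_settings(idp: IdpSettings) -> List[str]:
    """Configuration check proposed in the Resolution: reject ZFP=true with
    VerifyIdentity=true unless the IDP is explicitly marked for IDPaaF use."""
    errors: List[str] = []
    if idp.zfp and idp.verify_identity and not idp.allow_zfp_verify:
        errors.append(
            "VerifyIdentity is only honoured in IDP-as-a-Factor flows; "
            "set 'Allow ZFP IDP to Verify Identity' or disable one of the two settings"
        )
    return errors


def federated_login(
    idp: IdpSettings,
    assertion: Dict[str, str],
    directory: Set[str],
    idpaaf_user: Optional[str] = None,
) -> Tuple[bool, str]:
    """Decide the outcome of a login from the attributes the IDP returned.

    directory   : stand-in for the VIP user store (set of login IDs)
    idpaaf_user : the user already authenticated in the current flow when the
                  application started an IDP-as-a-Factor step (ZFP=false for
                  that step); None for a plain federated login.
    """
    returned = assertion.get(idp.account_mapping_attribute)
    if returned is None:
        return False, "assertion lacks the account mapping attribute"

    if idpaaf_user is not None:
        # IDPaaF: the IDP's own ZFP state is ignored. VerifyIdentity uses the
        # mapping attribute to confirm the returned identity belongs to the
        # user already in the flow.
        if idp.verify_identity and returned != idpaaf_user:
            return False, "identity returned by IDP does not belong to the user in the flow"
        return True, "IDP-as-a-Factor step satisfied"

    # Plain federated login: VerifyIdentity is never consulted here, which is
    # the behaviour the article reports.
    if returned in directory:
        return True, "existing user logged in"
    if idp.zfp:
        directory.add(returned)  # zero-footprint provisioning of an unknown user
        return True, "user provisioned and logged in"
    return False, "no user found matching the returned identity"


if __name__ == "__main__":
    # Constructed sample: the configuration from the Issue section.
    idp = IdpSettings("example-idp", zfp=True, verify_identity=True,
                      account_mapping_attribute="email")
    vip_users: Set[str] = set()  # <user>@example.com is not present in VIP

    print(validate_idp_settings(idp))
    print(federated_login(idp, {"email": "user@example.com"}, vip_users))
    print(federated_login(idp, {"email": "other@example.com"}, vip_users,
                          idpaaf_user="user@example.com"))
```

Running the block reproduces the report: the unknown user is provisioned and logged in despite Verify Identity being on, and only the IDPaaF call, where a different identity comes back for the user in the flow, is rejected. The validation function is the check the 4.0 change is meant to add at configuration time.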