Can't login to Control Center after implementing the OIDC
Article ID: 436308

Updated On:

Products

Messaging Gateway

Issue/Introduction

After implementing OIDC, the user navigates to the SMG URL and is redirected to the OIDC provider for authentication.

After a successful login, they are redirected back to SMG, where they see the error: "Temporary login issue encountered. Please try again later or contact your system administrator for assistance."

Environment

SMG 10.9

Resolution

The issue occurs during ID token validation, after successful authentication with the IBM OIDC provider. SMG attempts to retrieve the JSON Web Key Set (JWKS) from the OIDC provider, but the request fails because the response exceeds a size limit.

From the BrightmailLog logs:

ERROR - Exception thrown in OidcSecurityFilter::doFilterInternal: com.symantec.smg.controlcenter.accesscontrol.oidcintegration.OpenIDConnectException: Exception occured while validating the ID Token. ; nested exception is: 
com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Exceeded configured input limit of 51200 bytes

This indicates that the JWKS response from the OIDC provider exceeds the maximum allowed size of 50 KB, which is enforced by the underlying OIDC library used by SMG. As a result, SMG is unable to retrieve the signing keys required to validate the ID token, and the login process fails.

We recommend reviewing and reducing the size of the JWKS response on the IBM OIDC provider side:

  1. Remove any unused or expired signing keys
  2. Limit the number of active keys (ideally 1–3 keys)
  3. Ensure only necessary signing keys are published

At this time, the 50 KB limit is imposed by the SMG OIDC implementation and is not configurable. Therefore, adjusting the JWKS size on the identity provider is the recommended resolution.
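The following script is an added example, not part of this article or of the SMG product, that lets an administrator check a provider's JWKS against the limit before (or after) pointing SMG at it. It takes the 51200-byte figure from the log line above, treats the JWKS as a standard RFC 7517 document (a top-level "keys" array with "kid", "use", "n", "e" members), and models the recommended cleanup as keeping only signing keys with the kids that are still in use. The sample JWKS is constructed with placeholder key material; the fetch_jwks helper is an assumption about how a size-capped client behaves, not SMG's own code.

```python
import json
import urllib.request

# Remote JWK set size cap quoted in the SMG BrightmailLog error (bytes).
SMG_JWKS_LIMIT_BYTES = 51200


def jwks_size_bytes(jwks: dict) -> int:
    """Size of the JWKS as compact UTF-8 JSON, roughly the HTTP body the client reads."""
    return len(json.dumps(jwks, separators=(",", ":")).encode("utf-8"))


def analyze_jwks(jwks: dict, limit: int = SMG_JWKS_LIMIT_BYTES) -> dict:
    """Report key count, serialized size and whether it would trip the SMG limit."""
    keys = jwks.get("keys", [])
    size = jwks_size_bytes(jwks)
    return {
        "key_count": len(keys),
        "signing_key_count": sum(1 for k in keys if k.get("use", "sig") == "sig"),
        "size_bytes": size,
        "exceeds_limit": size > limit,
        "kids": [k.get("kid") for k in keys],
    }


def prune_jwks(jwks: dict, keep_kids=None) -> dict:
    """Model the provider-side cleanup the article recommends: keep only signing
    keys (use=sig, or no 'use' member) and, optionally, only the listed kids."""
    kept = []
    for key in jwks.get("keys", []):
        if key.get("use", "sig") != "sig":
            continue  # encryption keys are not needed for ID token validation
        if keep_kids is not None and key.get("kid") not in keep_kids:
            continue  # retired or unused signing key
        kept.append(key)
    return {"keys": kept}


def fetch_jwks(jwks_uri: str, limit: int = SMG_JWKS_LIMIT_BYTES, timeout: float = 10.0) -> dict:
    """Hypothetical helper: fetch a live JWKS the way a size-capped client would,
    reading at most limit+1 bytes and failing before parsing if the body is longer."""
    with urllib.request.urlopen(jwks_uri, timeout=timeout) as resp:
        body = resp.read(limit + 1)
    if len(body) > limit:
        raise ValueError(f"JWKS at {jwks_uri} exceeds {limit} bytes")
    return json.loads(body)


def _constructed_key(i: int, use: str) -> dict:
    # Constructed sample key: 'n' is a 342-character placeholder, not a real RSA modulus.
    return {"kty": "RSA", "use": use, "alg": "RS256",
            "kid": f"constructed-key-{i:03d}", "n": "A" * 342, "e": "AQAB"}


# Constructed sample JWKS: 150 published signing keys plus 3 encryption keys,
# standing in for a provider that never retired old keys.
BLOATED_JWKS = {"keys": [_constructed_key(i, "sig") for i in range(150)]
                        + [_constructed_key(900 + i, "enc") for i in range(3)]}


if __name__ == "__main__":
    before = analyze_jwks(BLOATED_JWKS)
    print(f"before: {before['key_count']} keys, {before['size_bytes']} bytes, "
          f"exceeds limit: {before['exceeds_limit']}")
    # Keep only the current signing key and its successor (constructed kids).
    after = analyze_jwks(prune_jwks(BLOATED_JWKS,
                                    keep_kids={"constructed-key-000", "constructed-key-001"}))
    print(f"after:  {after['key_count']} keys, {after['size_bytes']} bytes, "
          f"exceeds limit: {after['exceeds_limit']}")
```

Running analyze_jwks against the live jwks_uri from the provider's discovery document (via fetch_jwks) gives the size and key count to hand to the identity provider team; after they remove keys, rerunning it confirms the response is under 51200 bytes before retrying the SMG login.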