SiteMinder Access Gateway rejects ID Token from VIP Authentication Hub intermittently in Firefox

Article ID: 437326

Products

SITEMINDER Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When SiteMinder is integrated with VIP Authentication Hub (VIPAH) using a Multi-Factor Authentication (MFA) chain, users may experience intermittent authentication failures.

  • Primary authentication (e.g., SiteMinder IdP) succeeds.
  • After completing the MFA factor (e.g., Email OTP, Mobile OTP), the SiteMinder Access Gateway (AG) rejects the final ID token.
  • The browser may display an HTTP 500 error at the /affwebservices/public/bctokencontroller/ endpoint.
  • The issue is predominantly observed in Mozilla Firefox, while Google Chrome and Microsoft Edge work consistently.
  • In some instances, the issue is not reproducible if the Firefox Developer Tools (F12) are open.

Environment

SiteMinder 12.9
VIP Authentication Hub 3.4.x

Cause

The issue is caused by a timing or memory management limitation in how the Firefox browser handles sessionStorage during the redirect; it is not a defect in SiteMinder or VIPAH.

SiteMinder relies on a client-side JavaScript function, getSTATEData(), to retrieve a state GUID from the browser's sessionStorage. That GUID is required to construct the final URL for the bctokencontroller endpoint.

In Firefox, the sessionStorage.getItem() call intermittently returns null (or otherwise fails to retrieve the stored value) during the redirect flow. The resulting request to the Access Gateway then carries a missing or empty state parameter, and the Access Gateway rejects the transaction because it cannot correlate the ID token with the pending authentication.
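To make the failure mode concrete, the following is an added illustration and not SiteMinder's own getSTATEData() implementation. It models a client-side read of the state GUID from sessionStorage and the construction of the bctokencontroller URL, and it refuses to build a request when the state value is null or malformed, which is the condition described above. The storage key name (siteminder_state), the Access Gateway origin, and the GUID format check are assumptions; the endpoint path is the one from this article. A small in-memory stand-in for window.sessionStorage is included so the snippet runs outside a browser.

```javascript
// Added illustration, not SiteMinder's getSTATEData(): models reading the
// state GUID from sessionStorage and building the bctokencontroller URL.
// Assumptions: storage key "siteminder_state", GUID-shaped state value.
const BCTOKEN_PATH = "/affwebservices/public/bctokencontroller/";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Read the state GUID. Returns null when the value is absent or malformed,
// which is what the intermittent Firefox behaviour described above produces.
function readStateGuid(storage, key = "siteminder_state") {
  const value = storage.getItem(key);
  if (typeof value !== "string" || !GUID_RE.test(value.trim())) {
    return null;
  }
  return value.trim();
}

// Build the redirect URL. A request with an empty state is never emitted:
// the caller gets { ok: false } and can surface an error instead of sending
// the Access Gateway a request it will reject.
function buildTokenControllerUrl(storage, origin) {
  const state = readStateGuid(storage);
  if (state === null) {
    return { ok: false, reason: "state GUID missing from sessionStorage" };
  }
  const url = new URL(BCTOKEN_PATH, origin);
  url.searchParams.set("state", state);
  return { ok: true, url: url.toString() };
}

// Minimal in-memory stand-in for window.sessionStorage so this runs in Node.
function makeStorage(entries = {}) {
  const map = new Map(Object.entries(entries));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
    removeItem: (k) => map.delete(k),
  };
}

// Constructed samples: the healthy case and the "getItem returned null" case.
const GOOD_STORAGE = makeStorage({
  siteminder_state: "3f2a9c1e-7b4d-4e6a-9f0c-1d2e3f4a5b6c",
});
const EMPTY_STORAGE = makeStorage();

console.log(buildTokenControllerUrl(GOOD_STORAGE, "https://ag.example.com"));
console.log(buildTokenControllerUrl(EMPTY_STORAGE, "https://ag.example.com"));
```

The point of the guard is that a null read is detected on the client before any request is made; the page's HTTP 500 arises precisely because the real flow proceeds with an empty state value.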

Resolution

Since this behavior is tied to the browser's handling of session storage and not a defect in the SiteMinder or VIPAH product, the following workarounds are recommended:

  1. Use a Supported Browser: Switch to Google Chrome or Microsoft Edge, which have been verified to retrieve the state value from session storage reliably during the redirect.
  2. Verify Configuration: Confirm that the "VIP Authentication Hub Template" in SiteMinder and the application configuration in VIPAH are correct by completing a successful login in a non-Firefox browser. This rules out a configuration error as the cause.
  3. Monitor Redirects: When troubleshooting, capture a network trace (HAR file) and check whether the state parameter is populated in the GET request to /affwebservices/public/bctokencontroller/. An empty state value confirms that the browser failed to retrieve the data from session storage.