SSO enabled OIDC fails to authenticate with 'server_error: An error was encountered'

    Applies to:
      • SecureAuth Identity Platform
    Deployment model:
      • Hybrid
    Version Affected: 20.06+

    Description:  
    After enabling Windows SSO on an OIDC Realm created in the Classic interface, authentication fails and end users are presented with the error 'server_error: An error was encountered.'

    The Debug Logs show the following entries at the time of the error (DOMAIN\User is an example; the value will be specific to the end user logging into the Realm):

    Message="MFA.WebControls.ContextUser.GetUser: DOMAIN\User"

    Message="LDAPMembershipProvider.GetUser: user name: DOMAIN\User"

    Message="[AuthorizeEndpoint].[ProcessConsent]: Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
    at MFA.WebControls.ContextUser.get_Comment()


    Cause:
     
    This is due to the Profile lookup using the DOMAIN\USER format rather than just the USER format. Because no user called DOMAIN\USER exists within the Datastore, the lookup fails and the process throws the error.
    This only happens if the OIDC SSO Realm also has Transformation Engine enabled.
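
    The log signature described above can be checked for mechanically. The following Python script is an added example, not SecureAuth code: it assumes one debug-log entry per line in session order, uses a constructed sample built from the messages quoted in this article, and the function name and `window` parameter are hypothetical.

```python
import re

# Constructed sample: the debug-log messages quoted in this article, preceded
# by one bare-username lookup. Assumes one entry per line, in session order.
SAMPLE_LOG = r'''
Message="LDAPMembershipProvider.GetUser: user name: jsmith"
Message="MFA.WebControls.ContextUser.GetUser: DOMAIN\User"
Message="LDAPMembershipProvider.GetUser: user name: DOMAIN\User"
Message="[AuthorizeEndpoint].[ProcessConsent]: Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at MFA.WebControls.ContextUser.get_Comment()
'''

LOOKUP = re.compile(r'LDAPMembershipProvider\.GetUser: user name: ([^"\r\n]+)')
DOWN_LEVEL = re.compile(r'([^\\/@\s]+)\\([^\\/@\s]+)$')
CONSENT_ERROR = ('[AuthorizeEndpoint].[ProcessConsent]', 'System.NullReferenceException')
FAILING_FRAME = 'MFA.WebControls.ContextUser.get_Comment()'


def find_affected_logins(log_text, window=10):
    r"""Return (domain, user) pairs where a DOMAIN\user profile lookup is
    followed within `window` lines by the ProcessConsent NullReferenceException
    raised in ContextUser.get_Comment()."""
    hits = []
    lookup = None         # (line_no, domain, user) of the latest DOMAIN\user lookup
    consent_seen = False  # ProcessConsent exception seen after that lookup
    for no, line in enumerate(log_text.splitlines()):
        m = LOOKUP.search(line)
        if m:
            d = DOWN_LEVEL.match(m.group(1).strip())
            # A bare-username lookup is the healthy case, so it clears the state.
            lookup = (no, d.group(1), d.group(2)) if d else None
            consent_seen = False
        elif lookup and no - lookup[0] > window:
            lookup, consent_seen = None, False  # too far apart to correlate
        elif lookup and all(s in line for s in CONSENT_ERROR):
            consent_seen = True
        elif lookup and consent_seen and FAILING_FRAME in line:
            hits.append(lookup[1:])
            lookup, consent_seen = None, False
    return hits


if __name__ == '__main__':
    for domain, user in find_affected_logins(SAMPLE_LOG):
        print(f'profile lookup used {domain}\\{user}; datastore expects {user}')
```

    The domain it reports is the value to compare against the DOMAIN seen in the error message when applying the workaround.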

     

    Resolution: 

    • If Transformation Engine is not required for this Realm, disable it, wait for replication between Appliances, and try the login process again.
    • If Transformation Engine is required, the fix is to migrate the Realm to a New Experience Realm, as this issue is not present within New Experience Realms.

    If Transformation Engine is required and migrating the Realm to a New Experience Realm is not possible, there is a workaround which can be used (see below).

     

    Workaround

    For instructions on how to set up a WebService configuration, please see https://docs.secureauth.com/0903/en/web-service--multi-data-store--configuration-guide.html

    1. Set up an Authentication Realm and enable WebService.
    2. On the Authentication Realm:
      - In the Data tab, select a Profile Property which is not in use and map it to the sAMAccountName AD Attribute.
    3. On the OIDC Realm:
      - Alter the Data tab settings to point to the WebService Authentication Realm.
        When selecting the Authentication Realm as the 'Multi-Datastore Membership Configuration' Realm, click on 'Add Realm from Another Server' (even if the Authentication Realm is on the local server) and add the Realm in the below format (DOMAIN is used as an example; this is specific to your environment and should match the DOMAIN seen within the error message):

        SecureAuth11|DOMAIN

      - On the Post Authentication tab, scroll down to the 'Open ID Connect Access / ID Token Claims' section and map the Profile Property chosen in Step 2 to the 'sub' claim.



    The SSO Enabled OIDC Realm should now work with Transformation Engine enabled

     

    For more information on possible steps required for SSO enabled OIDC Realms please see the below articles:
    https://support.secureauth.com/hc/en-us/articles/360019885831-OAuth2-OIDC-URI-generates-a-401-error-on-WinSSO-realms
    https://support.secureauth.com/hc/en-us/articles/360019648152-OIDC-OAUTH-with-Windows-SSO-Realm

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
