SecureAuth version affected: 8.2 +
The enrollment process for device/browser fingerprinting returns an error saying "Verified, but failed to save. Check configuration".
There are a few variables at play here: it could be the limitation of devices enrolled, or the possibility of attributes required to be cleared in AD.
Clearing the attributes in AD that reflect OATH seed if this already exists from some other field. QR code bases off of token, but a user cannot utilize both seed and token.
- This is the error you will see when trying to enroll the device when trying to utilize multi-factor app enrollment via QR code.
- With that error, proceed over to see if the device limit has been reached by going to the post authentication tab. If the number is 1, and there is already a device enrolled, they will either need to remove their old device or increase the count limit.
- If the device limitation has not been reached, please check the AD attribute for the attribute tied to their OATH seed. In this example, postalAddress is the OATH seed attribute. If there is indeed a value there, this will have to be cleared before registering successfully for an OATH token.
- Another way to have the users clear their mobile device if their limitation has been reached and increasing the count is not an option, or if there is a large scale of users that they would rather have manually clear out their own OATH seed value, they can utilize the self-service page and enabled the options for the users to do it themselves.
If they go to post authentication > configure self service page
- Once here, please select OATH Seed and OATH OTP Devices and then select the drop down and click Show Enabled.
- Now the user can go into their self-service portal and remove their OATH seed value or unregister their currently enrolled devices ( option not pictured, sorry :[ ).
- After these two variables have been addressed, then all should be well and you will be able to successfully enroll the new device without any errors!