SecureAuth API returns "Could not resolve fingerprint with ID"

Follow

Version Affected:  IdP 8.2 and higher

Description:  

When sending the fingerprint_id to the DFP confirmation endpoint API (POST to /api/v1/dfp/confirm) the following response is received:

ApiResponseHTTPStatusCode="OK" ApiResponseStatus="not_found" ApiResponseMessage="Could not resolve fingerprint with ID  XXXXXXXXXXXXXXXXXXXXX"

 

Cause:  

If the fingerprint is not found in the datastore during the preceding DFP validation (POST to /api/v1/dfp/validate), or is "found_for_update", then the API returns a fingerprint_id and caches that fingerprint_id for a short while in memory.   

The cache duration is set by the web.config app setting key Api.HttpRequestValidityPeriodInMinutes, which is 2 minutes by default.

If the fingerprint_id is then sent to the DFP confirmation endpoint (POST to /api/v1/dfp/confirm) the API carries out the following pseudo-code steps:

if fingerprint_id is found in the cache AND the datastore then it updates the existing fingerprint in the datastore and sends:
"verified", "Fingerprint has been confirmed."

else if fingerprint_id is found ONLY in the cache then it adds a new fingerprint to the datastore and sends:
"verified", "Fingerprint has been confirmed."

else if fingerprint_id is found ONLY in the datastore then it does nothing and sends back:
"found", "Fingerprint exists."

finally if none of the conditions above match then it does nothing and sends back:
"not_found", "Could not resolve fingerprint with ID  XXXXXXXXXXXXXXXXXXXXX"


So the error message means the fingerprint does not exist in the datastore AND additionally the cache does not contain the fingerprint, which can happen if the cache has expired, or in a load balanced scenario, a different IdP is being contacted than the node that cached the fingerprint.

 

Resolution:  

Review logs to ensure that the time difference between fingerprint validation and confirmation is no greater than the web.config app setting key Api.HttpRequestValidityPeriodInMinutes.  Adjust API client code accordingly or increase Api.HttpRequestValidityPeriodInMinutes. 

If the IdP is in a load balanced pool, ensure that session affinity/persistence is maintained so the API requests are not bouncing around individual nodes.

 

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.