Version Affected: IdP 8.2 and higher
Description:
The fingerprint validation endpoint returns "found_with_id_mismatch" even when the fingerprint is a 100% match, for example:
ValidateDigitalFingerPrint {"fingerprint_id":"fd84d711aab34a6490ef0e5b869c03f3","fingerprint_name":"Windows - 10 - Chrome","score":"100.00","match_score":"85.00","update_score":"85.00","status":"found_with_id_mismatch","message":""}
Cause:
The request sent to the API did not supply the fingerprint_id parameter. The API compares the fingerprint_id that it finds in the data store with null, so the response reports found_with_id_mismatch.
The API documentation here:
https://docs.secureauth.com/display/91docs/Device+Recognition+Authentication+API+Guide#expand-POSTEndpointJSONParametersandResponseExamples
mentions that you can "Validate a known profile by including the fingerprint_id in the parameters". It is important to understand that doing so is optional, and is only really desirable if the fingerprint_id is known and has been previously stored by the application that's using the API, in a cookie or database that's independent of the IdP and its data store.
Resolution:
Ensure that fingerprint_id is supplied in the request to the API.
Alternatively, if the application using the API is not storing the fingerprint_id (or a deliberate design decision has been made to the same effect), then the check for a matching fingerprint_id in the data store can be disabled.
The fingerprint comparison code checks whether the AppSetting DFPDesktopMode is enabled in the web.config for the API realm and performs a logical AND with the DFPDesktopCookieFPIdMatch AppSetting. If the result is true, it tries to match the fingerprint_id and returns found_with_id_mismatch if the match fails. However, if either of these AppSettings is False, it returns found when the FP score meets the threshold, without checking the fingerprint_id.
The relevant lines in the web.config that control this are:
<add key="DFPDesktopMode" value="0" />
<add key="DFPDesktopCookieFPIdMatch" value="False" />
The same settings can be changed via the admin console on the Workflow tab:
DFPDesktopMode is the same as FP mode.
DFPDesktopCookieFPIdMatch is the same as Match FP Id in cookie.
Set either or both to False/NoCookie.
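The following triage helper is an added example, not SecureAuth code: it applies the conditions described above to a validation response and the API realm's web.config. The function names are hypothetical, and it assumes that "0", "False" and "NoCookie" mean disabled and that the fingerprint_id in the response is the one held in the data store.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the two AppSettings named above, both enabled.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="DFPDesktopMode" value="1" />
  <add key="DFPDesktopCookieFPIdMatch" value="True" />
</appSettings></configuration>"""

# Response body copied from the example in the Description.
SAMPLE_RESPONSE = ('{"fingerprint_id":"fd84d711aab34a6490ef0e5b869c03f3",'
                   '"fingerprint_name":"Windows - 10 - Chrome","score":"100.00",'
                   '"match_score":"85.00","update_score":"85.00",'
                   '"status":"found_with_id_mismatch","message":""}')

def _enabled(value):
    # Assumption: "0", "False" and "NoCookie" (any case) mean disabled.
    return value is not None and value.strip().lower() not in ("", "0", "false", "nocookie")

def id_match_enforced(web_config_xml):
    """True when both AppSettings are enabled, so fingerprint_id is compared."""
    root = ET.fromstring(web_config_xml)
    settings = {a.get("key"): a.get("value") for a in root.findall(".//appSettings/add")}
    return (_enabled(settings.get("DFPDesktopMode"))
            and _enabled(settings.get("DFPDesktopCookieFPIdMatch")))

def triage(response_json, request_fingerprint_id, web_config_xml):
    """Explain a validation response using the conditions described above."""
    resp = json.loads(response_json)
    if resp["status"] != "found_with_id_mismatch":
        return "no id mismatch reported"
    if float(resp["score"]) < float(resp["match_score"]):
        return "score below match_score; not the case covered here"
    if not id_match_enforced(web_config_xml):
        return "id match is disabled in this web.config; check the API realm's copy"
    if not request_fingerprint_id:
        return "request omitted fingerprint_id; stored id was compared with null"
    if request_fingerprint_id != resp["fingerprint_id"]:
        return "request sent a different fingerprint_id from the one returned"
    return "ids agree; cause not explained by this article"

if __name__ == "__main__":
    # The situation in the Description: 100% score, no fingerprint_id in the request.
    print(triage(SAMPLE_RESPONSE, None, SAMPLE_WEB_CONFIG))
```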
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.