3rd Party Authenticator Apps fail to enroll successfully

    Applies to:
  • SecureAuth Identity Platform
    Deployment model:
  • Hybrid
    Version Affected:
  • 21.04+

    Description:  
    3rd Party Authenticator Apps fail to enroll devices with SecureAuth successfully.

    During enrollment, a 'Success' message is presented to the end user after they enter the Verification OTP, so the enrollment appears to have succeeded. However, when checking the Datastore, the enrollment cannot be seen in the mapped attribute for OATH Token.

    An error can be written to the Error log of the Enrollment Realm, as shown below:
    qrProvision verify exception: Object reference not set to an instance of an object.


    Cause:  
    The usual cause of this is MIGRATION_MODE being present in the Environment Variables.
    MIGRATION_MODE changes how enrollments occur and can cause enrollments for 3rd Party Authenticator Apps to fail to be written to the On Prem Datastore.

    When mode1 is set for MIGRATION_MODE, the enrollment will be pushed to Mobile Service but not written to the On Prem Datastore.
    When logging into a Realm to use the 3rd Party Authenticator App for MFA, the device will be seen and can be used as expected, because it is pulled from Mobile Service.

    When mode2 is set for MIGRATION_MODE, the enrollment will be pushed to Mobile Service but not written to the On Prem Datastore.
    When logging into a Realm to use the 3rd Party Authenticator App for MFA, a sync of the user's enrolled Devices will occur (as per https://docs.secureauth.com/2404/en/mobile-service-migration-process.html#identity-platform-migration-modes).
    As the Device is not held in the On Prem Datastore, the 'orphaned' Device in Mobile Service will be removed and will not be presented as an MFA option.


    Resolution:  
    Remove the MIGRATION_MODE Environment Variable from the IdP Server(s), reboot the IdP Server(s) for the change to take effect, and then enroll via the 3rd Party Authenticator App again.
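
One way to carry out the check and removal described above on a single IdP server, as an added PowerShell example that is not SecureAuth's own tooling. It assumes the variable was set through the standard Windows environment-variable scopes; the function names are hypothetical.

```powershell
# Added example: audit and remove MIGRATION_MODE on an IdP server.
# Run in an elevated session; writing to the Machine scope needs administrator rights.
$Name = 'MIGRATION_MODE'

# Expected symptom per value, as described in the Cause section of this article.
$Symptom = @{
    'mode1' = 'Enrollment reaches Mobile Service only; device is still usable for MFA'
    'mode2' = 'Enrollment reaches Mobile Service only; device is removed at the next sync'
}

function Get-MigrationModeState {
    # Report the variable in every scope where Windows can hold it.
    # 'User' is the account running this script, 'Process' is this session's inherited copy.
    foreach ($scope in 'Machine', 'User', 'Process') {
        $value = [Environment]::GetEnvironmentVariable($Name, $scope)
        if ($null -ne $value) {
            $key = $value.Trim()
            [pscustomobject]@{
                Scope   = $scope
                Value   = $value
                Symptom = if ($Symptom.ContainsKey($key)) { $Symptom[$key] }
                          else { 'Value not covered by this article' }
            }
        }
    }
}

function Remove-MigrationMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($scope in 'Machine', 'User') {
        if ($null -ne [Environment]::GetEnvironmentVariable($Name, $scope)) {
            if ($PSCmdlet.ShouldProcess("$Name ($scope scope)", 'Remove')) {
                # Passing $null as the value deletes the variable from that scope.
                [Environment]::SetEnvironmentVariable($Name, $null, $scope)
            }
        }
    }
}

Get-MigrationModeState | Format-Table -AutoSize
Remove-MigrationMode -WhatIf   # preview only; drop -WhatIf to apply, then reboot the server
```

Running services keep the value they inherited at start, which is why the reboot in the Resolution is still required after the variable is removed.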

    This bug is currently being looked at under -

     

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
