Version Affected: All
Description:
When a user logs into an OpenID app for the first time, it works fine.
However, on subsequent logins the request is routed to a second IdP and the user sees Server_Error.
The debug log shows:
LogChannel="SA_DEBUG" FormatVersion="0.0.1" EventID="40999" Timestamp="2022-09-14T17:21:21.715Z" CompanyID="" ApplianceID="" Realm="" UserID="" BrowserSession="07427dfe-33f2-4297-83a3-914275be00ac" StateMachineID="" RequestID="b7e6d4ee-06dd-4e86-a905-df3a47be2ba2" UserHostAddress="" Message="[AuthorizeEndpoint].[ProcessConsent]: Exception: System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
at System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input)
at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
at SecureAuth.IdentityModel.OpenIDConnect.Handlers.AuthorizeEndpointHandler.GetCookieAuthenticationTime()
at SecureAuth.IdentityModel.OpenIDConnect.Handlers.AuthorizeEndpointHandler.ProduceResponseContent()
at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.DeliverResponseContent()
at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.ProcessConsent()"
Cause:
We create a cookie at the time of first login. The secondary IdPs are unable to read it because the realm's MachineKey setting is set to "Isolate Apps": with that setting ASP.NET derives a different key for each application, so the FormsAuthentication ticket written by the first realm cannot be decrypted by another realm (the FormsAuthentication.Decrypt failure in the log above).
Resolution:
Generate the Machine Keys so that the cookie can be decrypted across all IdPs.
1. Open the Admin Console
2. Navigate to the PostAuth tab of the OpenID realm
3. Click the "Click here to edit FormsAuth/SSO" link
4. Scroll to the Machine Keys section and click Generate
5. Click Save.
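Before and after running the steps above, you can confirm from the appliance itself that every realm involved in the SSO flow uses one explicit machine key rather than "Isolate Apps". This is an added example, not part of the SecureAuth article or product; it assumes each realm is an ASP.NET application with its own web.config (the paths are placeholders to replace with your realm paths) and that realms sharing the cookie must carry identical validationKey and decryptionKey values.

```powershell
# Added example (not SecureAuth's own code). Checks the <machineKey> element in each
# realm's web.config and reports whether the FormsAuth cookie can be shared.
# ASSUMPTION: placeholder paths below; replace with the web.config of each realm
# that participates in the OpenID Connect login.
$realmConfigs = @(
    'D:\PLACEHOLDER\Realm1\web.config',
    'D:\PLACEHOLDER\Realm2\web.config'
)

function Get-MachineKeyInfo {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) {
        # No element: the realm inherits machine.config defaults (AutoGenerate,IsolateApps)
        return [pscustomobject]@{ Path = $Path; Explicit = $false; Validation = ''; Decryption = '';
                                  Note = 'no <machineKey> element; inherits AutoGenerate,IsolateApps' }
    }
    # AutoGenerate/IsolateApps means the key is per-application: other realms cannot decrypt the ticket
    $auto = ($mk.validationKey -match 'AutoGenerate|IsolateApps') -or
            ($mk.decryptionKey  -match 'AutoGenerate|IsolateApps')
    [pscustomobject]@{
        Path       = $Path
        Explicit   = -not $auto
        Validation = $mk.validationKey
        Decryption = $mk.decryptionKey
        Note       = $(if ($auto) { 'Isolate Apps: cookie cannot be read by other realms' } else { '' })
    }
}

$results = $realmConfigs | ForEach-Object { Get-MachineKeyInfo -Path $_ }
$results | Format-Table -AutoSize

# The cookie is shareable only if every realm has explicit keys and they are all identical
$explicit  = @($results | Where-Object Explicit)
$distinctV = @($explicit.Validation | Sort-Object -Unique).Count
$distinctD = @($explicit.Decryption | Sort-Object -Unique).Count
if ($explicit.Count -eq $results.Count -and $distinctV -eq 1 -and $distinctD -eq 1) {
    'OK: all realms share one explicit machineKey; the FormsAuth cookie is readable across IdPs.'
} else {
    'MISMATCH: regenerate the Machine Keys so every realm uses the same validationKey and decryptionKey.'
}
```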
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.