Layer7 API Management

  • 1.  Failure during authentication against external idp

    Posted Nov 11, 2019 07:28 AM
    Hello,

    We are authenticating the users who are accessing the API against a group in an external identity provider, and occasionally authentication fails although there is no change in the credentials that the user is sending.

    When we took a closer look at the ssg logs, we found the entries below, which correlate to the time when we saw the authentication errors:

    com.l7tech.server.policy.assertion.identity.ServerMemberOfGroup: 4213: Assertions refer to a nonexistent group; policy may be corrupted.


    Can someone explain why this is occurring? 

    Thanks,
    Adarsh


  • 2.  RE: Failure during authentication against external idp
    Best Answer

    Broadcom Employee
    Posted Nov 11, 2019 08:33 AM
    Hi Adarsh,

    Does this only occur with one user in that group or affect multiple? Typically this does occur as the result of a policy corruption or migration. I've seen instances where the settings in the authentication assertion needed to be modified and resaved. However, you may wish to try and import a fresh copy or possibly recreate the policy to make sure nothing is corrupt.

    Regards,
    Joe


  • 3.  RE: Failure during authentication against external idp

    Posted Nov 11, 2019 09:01 AM
    Hello @Joe Dascole,

    Thank you for responding to this thread.
    We have put the authentication assertion inside an encapsulated assertion, and this encapsulated assertion is being used across all the services.
    If it was due to a corrupt policy as you say, I was hoping that the error would occur each time a request is received, but that is not the case.
    This is occurring occasionally for different users.

    Thanks,
    Adarsh