Authentication error occurs when additional authentication is required for RSA SecurID Access application portal or a protected application

3 years ago

Originally Published: 2018-04-05

Article Number

000041967

Applies To

RSA Product Set: SecurID Access

Issue

When attempting to access the IDR-hosted application portal with additional authentication required (or an application in the portal that requires additional authentication) the following error occurs:

Authentication error

The /var/log/symplified/symplified.log includes a message like:

2018-04-05/18:50:20.627/UTC [ajp-bio-8009-exec-7] WARN com.symplified.service.appliance.cloudmfa.CloudMFAUtils[37] - Failed strong authentication: AUTHN_ATTEMPT_ID_NOT_FOUND

The User Event Monitor shows an authentication failure with Authentication Details AUTHN_ATTEMPT_ID_NOT_FOUND.

Cause

Possible causes are:

The user is in an associated LDAP identity source but has not been synchronized to the Cloud yet.
The user has been synchronized to the Cloud but a step-up authentication is required and the user is not registered for any of the allowed step-up authentication options.
Two users in different identity sources are synchronized to the Cloud with the same user ID. A step-up authentication is required and at least one of the two users is not registered for any of the allowed step-up authentication options.

Resolution

First, use the Cloud Administration Console's User > Management page or run User Reports to check for user status, devices registered to a user, and to check for duplicate user id's. This will allow you to determine which possible cause applies.

Next, take the appropriate step below, depending on the cause of the issue, to ensure the user is correctly sync'd to the Cloud.

The user is in an associated LDAP identity source but has not been synced to the Cloud yet.

Follow the steps in Manually Synchronize an Identity Source for the Cloud Authentication Service to create a record of the user in the SecurID Access cloud service.

The user has been synced to the Cloud but a step-up authentication is required and the user is not registered for any of the allowed step-up authentication options.

Ensure that the user has a device registered to perform the required additional authentication. For example, see RSA SecurID Authenticate Device Registration Overview if approve (push notification) or authenticate tokencodes are allowable authentication methods.

Two users in different identity sources are sync'd to the Cloud with the same user id. A step-up authentication is required and at least one of the two users is not registered for any of the allowed step-up authentication options.

Delete the unwanted user from the Cloud Authentication Service, and from the identity source.

Lastly, ensure that the user has the ability to perform the required additional authentication. For example, see RSA SecurID Authenticate Device Registration Overview if approve (push notification) or authenticate tokencodes are allowable authentication methods, or ensure the user's correct telephone is registered for SMS or Voice Token Code authentication.

Don't see what you're looking for?

Related Articles

Trending Articles