IBM Verify

  • 1.  OIDC RP Federation kickoff

    Posted Wed August 13, 2025 01:01 PM
    Hello,
     
    I created a federation configuration where IVIA is acting as a relying party. For some reason, when I call the /kickoff endpoint to have the browser redirected to the OIDC provider, IVIA is requesting user authentication before proceeding with the redirect. I have double-checked the ACLs, analysed the pdweb.debug and reviewed the configuration, but I couldn't find the reason why the /kickoff endpoint is protected.
     
    Is there a way to enable ACL debugging or logging to identify the source of the issue?


    ------------------------------
    Rudy Santos
    ------------------------------


  • 2.  RE: OIDC RP Federation kickoff

    Posted Thu August 14, 2025 05:22 AM

    Hi,

    Could you validate the kickoff URL (mostly the Reverse Proxy utility of Federation configuration adds the correct ACLs)? The most common reason is correct formation of the kickoff URL:

    https://<Reverse Proxy FQDN>/<junctionname>/sps/oidc/rp/<federationname>/kickoff/<partnername>?Target=xx



    ------------------------------
    Tushar
    ------------------------------
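
A checker for the URL template in the reply above, as an added example that is not part of the original thread or IBM's code: it reports which part of a kickoff URL deviates from the posted template. It assumes the template is taken literally (a single-segment junction name, `Target` spelled as posted); the sample URLs and the name `check_kickoff_url` are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Path layout from the template posted in the thread:
# /<junctionname>/sps/oidc/rp/<federationname>/kickoff/<partnername>?Target=xx
NAMES = ["junction name", "sps", "oidc", "rp", "federation name", "kickoff", "partner name"]
FIXED = {1: "sps", 2: "oidc", 3: "rp", 5: "kickoff"}  # literal segments, by position


def check_kickoff_url(url):
    """Return the deviations from the template; an empty list means the URL matches."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("missing reverse proxy host name")
    segs = parts.path.split("/")[1:]  # drop the empty string before the leading "/"
    if segs[:3] == ["sps", "oidc", "rp"]:
        problems.append("missing junction name before /sps")
        segs.insert(0, "-")  # stand-in so the remaining positions still line up
    if len(segs) != len(NAMES):
        problems.append(f"expected {len(NAMES)} path segments, found {len(segs)}")
    for i, (name, seg) in enumerate(zip(NAMES, segs)):
        if i in FIXED and seg != FIXED[i]:
            problems.append(f"segment {i + 1} is {seg!r}, expected {FIXED[i]!r}")
        elif i not in FIXED and (not seg or "<" in seg):
            problems.append(f"{name} is empty or still a placeholder")
    # parse_qs drops blank values, so "Target=" counts as missing too
    if "Target" not in parse_qs(parts.query):
        problems.append("missing or empty Target query parameter")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs (host, junction, federation and partner names are made up)
    samples = [
        "https://rp.example.com/isam/sps/oidc/rp/myfed/kickoff/mypartner?Target=https%3A%2F%2Frp.example.com%2Fapp",
        "https://rp.example.com/sps/oidc/rp/myfed/kickoff/mypartner?Target=x",
        "https://rp.example.com/isam/sps/oidc/rp/myfed/kickoff",
    ]
    for url in samples:
        print(url, "->", check_kickoff_url(url) or "matches template")
```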



  • 3.  RE: OIDC RP Federation kickoff

    Posted Mon August 18, 2025 08:30 AM

    Hi,

    Thank you.

    I have checked many times, and the problem still remains. Following the idea that the issue is related to the ACL, I found the cause: the reverse proxy was pointing to the secondary Policy Server, whose policy database is not updated, even though it appears fine via LMI. However, when I used the pdadmin policy-db-dump, I was able to confirm that the policy database is not being updated.

    After I manually updated the master-host entry in the reverse proxy, the redirection started working.



    ------------------------------
    Rudy Santos
    ------------------------------