IBM Verify


IBM ISAM AAC error on TOTP or OTP mail

  • 1.  IBM ISAM AAC error on TOTP or OTP mail

    Posted Thu March 28, 2019 11:50 AM

    Hi,

    I'm trying to configure ISAM AAC to request a TOTP and a Mail OTP from the user when accessing some object. For this I followed the IBM videos and Infocenter documentation:

    https://www.youtube.com/watch?v=VrQF450QCgM

    https://www.youtube.com/watch?v=yL63HmnDkEM

    https://www.ibm.com/developerworks/security/library/se-accessmanager/index.html

    At the beginning the configuration works fine, but after a while I'm getting an error on the OTP login page:


    User error
    FBTAUT004E Authentication service receives invalid state ID [db3688c0-5d89-4414-b4a1-8af0cf330f4f]. Ensure that you do not use back button on the browser or perform multiple authentication processes in the same browser. Please re-access the protected resource.
    /sps/authsvc
    2019-03-26T22:27:41Z
    Error details
    Stack trace
    com.tivoli.am.fim.authsvc.automaton.action.InteractorException
        at com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate$1.doProcessState(AuthSvcDelegate.java:422)
        at com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate$1.doPrepareState(AuthSvcDelegate.java:391)
        at com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate$1.execute(AuthSvcDelegate.java:138)
        at com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate$1.execute(AuthSvcDelegate.java:118)
        at com.tivoli.am.fim.authsvc.automaton.state.InteractorState.execute(InteractorState.java:57)
        at com.tivoli.am.fim.authsvc.automaton.state.InteractorState.execute(InteractorState.java:49)
        at com.tivoli.am.fim.authsvc.automaton.state.ContainerState.execute(ContainerState.java:114)
        at com.tivoli.am.fim.authsvc.automaton.state.ContainerState.execute(ContainerState.java:104)
        at com.tivoli.am.fim.authsvc.protocol.delegate.AuthSvcDelegate.processRequest(AuthSvcDelegate.java:613)
        at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doInitialRequestOnDelegate(FederationManager.java:424)
        at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:264)
        at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(FederationManager.java:154)
        at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:129)
        at com.tivoli.am.fim.fedmgr2.servlet.SPSCommandDispatcher.invoke(SPSCommandDispatcher.java:390)
        at com.tivoli.am.fim.war.runtime.liberty.LibertyRuntimeServlet.doGet(LibertyRuntimeServlet.java:56)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1290)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:778)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:148)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:79)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:1021)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1143)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:956)
        at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:280)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:967)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:359)
        at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:318)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:471)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:405)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:285)
        at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:256)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1043)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:709)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:557)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:325)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.lang.Thread.run(Thread.java:785)

    This happens for a TOTP using IBM Verify or Google Authenticator, and also for the OTP when it is being sent by mail to the user. After a while this error disappears, but if I log out from the user the error comes back.

    Now, every operation that needs the AAC presents errors on execution. (Tested this with reCAPTCHA and User Password Recovery.)



    ------------------------------
    Gabriel Labarrera Vega
    ------------------------------