34.4 Troubleshooting Authentication Issues

You might encounter the following issues while working with the authentication service (OSP):

34.4.1 Managing the Size of the oidpInstanceData Attribute

OSP creates the oidpInstanceData attribute (Case Ignore, Single Valued String) for a user when the user logs in to the identity applications for the first time through OSP. OSP modifies this attribute each time the user logs in to or out of the identity applications.

  • When a user logs in, OSP adds a login entry to the attribute as a base64-encoded, encrypted value.

  • When the user logs out, OSP removes or modifies that login entry.

  • When the user logs in again, OSP updates the entry. When the user logs out, OSP removes that login entry from the attribute.

When the user closes the browser instead of logging out, OSP does not remove the login entry, because closing the browser does not trigger a logout action. If the user keeps logging in without logging out, the attribute accumulates entries and grows large. Eventually OSP can no longer update the attribute, and the user's login fails.

Note that a logout operation removes only the entry for the login it is mapped or matched to. For example, if a user logs in three times without logging out and then logs in and out once more, OSP removes only the entry for that fourth login; the three earlier entries remain.

If a user is not required to log out from the identity applications, perform one of the following actions to manage the size of the oidpInstanceData attribute:

  • Shorten the validity period of the login entry for the user. This allows OSP to remove the login entry automatically. The validity period is controlled by the Refresh token lifetime (hours) setting for OSP in the ConfigUpdate utility. By default a login entry is stored for 48 hours (2 days). After changing the setting in the ConfigUpdate utility, restart the Tomcat server where OSP is deployed.

  • Periodically delete the oidpInstanceData attribute from the user object by using an LDAP-based tool (iManager, JXplorer, Apache Directory Studio, and so on).
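As an added example (not part of the product documentation), the following script audits an LDIF export for users whose oidpInstanceData value has grown large and produces the LDIF modify records that clear the attribute. It assumes the export was produced with an LDAP search tool (for example ldapsearch with an `(oidpInstanceData=*)` filter); the user DNs, the sample export and the 100-character threshold are constructed for the example, and the threshold is a site policy value, not a limit documented by the product.

```python
import base64

ATTR = "oidpInstanceData"


def parse_ldif(text):
    """Return {dn: stored oidpInstanceData string} for each entry in an LDIF export.
    Handles 'attr: value' and base64-wrapped 'attr:: value' forms, plus LDIF line
    folding (a line beginning with a space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    values, dn = {}, None
    for line in lines:
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif dn and line.lower().startswith(ATTR.lower() + ":"):
            raw_val = line.split(":", 1)[1]
            if raw_val.startswith(":"):  # the export tool base64-wrapped the value
                raw_val = base64.b64decode(raw_val[1:].strip()).decode("utf-8", "replace")
            values[dn] = raw_val.strip()
    return values


def oversized_users(values, max_len):
    """(dn, length) for users whose stored value exceeds max_len characters, largest first."""
    hits = [(dn, len(v)) for dn, v in values.items() if len(v) > max_len]
    return sorted(hits, key=lambda h: -h[1])


def clear_attribute_ldif(dns):
    """LDIF modify records that delete the attribute; apply them with ldapmodify."""
    return "".join(f"dn: {dn}\nchangetype: modify\ndelete: {ATTR}\n-\n\n" for dn in dns)


# Constructed sample export (not real data): alice's entry is small and was wrapped by
# the export tool; bob's has grown to 200 characters and was folded across lines.
_bob_value = base64.b64encode(b"\x00" * 150).decode()  # opaque stand-in for the encrypted value
_folded = "\n ".join(_bob_value[i:i + 60] for i in range(0, len(_bob_value), 60))
SAMPLE_LDIF = (
    "dn: cn=alice,ou=users,o=data\n"
    f"{ATTR}:: QUJDREVG\n\n"
    "dn: cn=bob,ou=users,o=data\n"
    f"{ATTR}: {_folded}\n"
)
```

Feeding `clear_attribute_ldif(dn for dn, _ in oversized_users(parse_ldif(SAMPLE_LDIF), 100))` to ldapmodify clears only bob's attribute; the next login recreates it with a single fresh entry.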

34.4.2 OSP Fails to Update the oidpInstanceData Attribute

OSP cannot update the oidpInstanceData attribute for a user if one of the following conditions is true:

  • The attribute is full of the user's login entries.

    When the user logs in again, OSP fails to update the attribute with the new login entry because there is not enough space to store it. You can change the maximum length allowed for storing login entries to suit your requirements.

  • The user does not have sufficient rights in the Identity Vault.

  • The OSP schema has not been extended in the Identity Vault, so the user object does not have this attribute.