Product: TIBCO Spotfire®
User authentication loops if the user is not part of the user directory (OKTA + LDAP)
LDAP authentication with LDAP user directory works. Primary authentication is set to "Web Authentication". OpenID Connect is enabled with OKTA as the provider.
The user successfully authenticates with OKTA and a user principal is returned. The user principal fails the authorization check (because the user is not in the LDAP directory that Spotfire synchronizes with). Spotfire server denies access to the user.
Spotfire attempts to get a new token via OKTA in a new session to attempt authentication with OKTA again. The User Directory check fails again and the loop is created.
The logs also show that the authentication on OKTA is successful. However, since the user is not part of the Spotfire User Directory, it goes into a loop resulting in a blank page that keeps refreshing.
For the users who are not part of the user directory yet, the authentication should instead throw a message that the authorization was denied.
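The following simulation is an added illustration and not Spotfire's code: it models the two outcomes described above with a hypothetical login handler. The "before" handler discards the session and requests a fresh token whenever the user-directory check fails, so a user who is valid at the identity provider but absent from the synchronized directory never leaves the redirect cycle; the "after" handler treats authorization failure following a successful identity-provider round-trip as terminal and returns a denial instead of another redirect. User names, the directory contents and the response tuples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (not from the original page): the identity provider
# knows both users, but only one has been synchronized into the user directory.
IDP_USERS = {"alice", "bob"}
USER_DIRECTORY = {"alice"}


@dataclass
class Session:
    """Minimal server-side session: holds the principal from the ID token, if any."""
    principal: Optional[str] = None


def idp_authenticate(user: str) -> Optional[str]:
    """Simulated OpenID Connect round-trip: returns the user principal, or None."""
    return user if user in IDP_USERS else None


def authorize(principal: str) -> bool:
    """Authorization check: the principal must exist in the synchronized directory."""
    return principal in USER_DIRECTORY


def login_before_fix(user: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Looping behaviour: an authorization failure resets the session, which
    triggers a new token request, which yields the same principal again.
    Returns (outcome, number of identity-provider round-trips).
    max_rounds only bounds the simulation; the real loop has no such limit."""
    session = Session()
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        session.principal = idp_authenticate(user)
        if session.principal is None:
            return ("401 authentication failed", rounds)
        if authorize(session.principal):
            return ("200 ok", rounds)
        # Bug: a denied principal leads to a new session and another redirect
        # to the identity provider instead of a terminal response.
        session = Session()
    return ("302 redirect loop", rounds)


def login_after_fix(user: str) -> Tuple[str, int]:
    """Fixed behaviour: one identity-provider round-trip, then a terminal
    answer. A principal that authenticates but is not in the directory gets
    an explicit denial rather than another redirect."""
    principal = idp_authenticate(user)
    if principal is None:
        return ("401 authentication failed", 1)
    if not authorize(principal):
        return ("403 authorization denied", 1)
    return ("200 ok", 1)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, login_before_fix(name), login_after_fix(name))
```

The round-trip counter is the useful diagnostic: a directory-synchronized user completes in one trip under both handlers, while a user known only to the identity provider keeps re-authenticating under the old handler and is denied once under the fixed one. Operationally, repeated successful sign-ins from the same subject with no session ever being established is the log pattern that distinguishes this loop from an ordinary credential failure.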
This has been addressed in TIBCO Spotfire Server version 10.6.0 and also in earlier LTS versions: 7.11.6 and 10.3.3.