Reauthentication with AAF - fingerprints


we have the following situtation/Usecase/problem:

Situation: SecureLogin with AAF integration for the use of MFA via "Reauthentication" to secure applications (fingerprint)

UseCase: User wants to log in to an application -> SecureLogin triggers reauthentication via AAF -> the user must log in with a fingerprint via AAF

Problem: When calling up the AAF via "Reauthentication", the message "No chains found" is displayed. However, the corresponding method/chain is enrolled in the AAF enrollment portal and can also be used to login in the portal.

Any special notes:
The customer probably has quite strong security settings active on the Windows client. Be it GPOs or additional safeguards.

In general, the fingerprint recognition is not always clean, even in the AAF itself it does not always work, but basically it works. Only when the call is made via SecureLogin/Reauthentication does it not seem to be able to recognize the chains properly.

The chain itself in the AAF also only consists of the fingerprint and nothing else. Likewise, if I adjust the AAF event stored in the SecureLogin (add/remove chain), the SecureLogin recognizes that other chains are now available for selection.

The SecureLogin endpoint in the AAF is also updated cleanly if you do something in this direction (attribute: LastSession)

The log files are not very helpful, on AAF site I don't find any entries and in the SSODebug Log I can only find:

T(03/08/24 09:24:10) AASDKLite  T1984:AbortDASCardWait:DAS Card Wait Abort result - -2.

T(03/08/24 09:24:10) AASDKLite  T1984:slSDKReauthenticate: Prompting end user to Enter their Credentials

T(03/08/24 09:24:10) AASDKLite  T1984:slSDKReauthenticate: username - 2fa.testuser, chain - Dummy_Fingerprint.

Does anyone have any ideas about which logs I could take a closer look at to find a possible error, or any general experience with this use case?
Or, do certain settings have to be active for the fingerprint to be usable with SecureLogin?


Best Regards


  • Hello TobiasR,

    A good place to start is checking at the ssodebug log and the uwsgi log from AAF. 

    What happens if you add another method to the chain like LDAP+fingerprint, does it work?

    With "No chains found"  I would normally suggest to check if the group has been assigned correctly to the chain in AAF.

    Feel free to open a support case so we can help you resolve this.