Post-auth policy from one CBA or WSSE overwrites outcome of other auth policies (or lack of auth policy) with the same type - Known Error

Post-auth policy from one CBA or WSSE overwrites outcome of other auth policies (or lack of auth policy) with the same type Description When there are multiple auth profiles in an access policy (REST API Access Policy, SOAP API Access Policy, Processor Access Policy) for Certificate-based authentication or WSSE authentication, authentication may fail despite the user meeting the criteria of one of the authentication profiles.

Specifically, this occurs when one of the authentication profiles has an attached authentication policy which rejects the given user.

Steps to Reproduce

1. Set up SOAP with WSSE (see attached) 2. Add 2 authentication profiles both with only WSSE auth added 3. Add authentication policies to each. One should fail and the other should succeed. (Eg. add a user = admin and then a user = itil, and then try to do SOAP auth with admin user). The failing one cannot be only IP Access, it must have either role or user criteria. 4. Add both authentication profiles to the SOAP API Access Policy for the SOAP API being used 5. They are executed in the order they are added (most recent first). When the authentication profile with the failing auth policy executes first, authentication fails. When the successful one executes first the authentication succeeds.

Also: The error message shows that the one auth profile failed because the other auth profile failed (because cached authentication result includes the error with which profile failed): 2025-09-19 03:49:17 (896) API_INT-thread-2 SYSTEM txid= AuthLog DEBUG: Auth: Authentication failed with profile ID and error message: Authentication profile : postAuth policy check failed, detail message: null

Expected: Authentication should always succeed when one of the auth profiles would succeed on its own Actual: Post-Auth failure result is cached and applied to subsequent auth of the same type (WSSE profile 1 to WSSE profile 2 or CBA profile 1 to CBA profile 2)

Same happens with CBA auth profiles

Workaround When adding certificate-based authentication or WSSE authentication profiles in an API Access Policy (rest, soap or processor), combine all authentication profiles and policies into a single profile/policy.