LOGIN_FAILED Failure when authenticating with AuthRestService Authentication on CA Access Gateway (SPS)



Article ID: 101626


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign-On, SITEMINDER, CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Calls to the `/authazws/AuthRestService/login` endpoint fail to authenticate users, returning a `LOGIN_FAILED` result despite valid credentials.

  • CA Access Gateway (SPS):

     Requests to "/authazws/AuthRestService/login" consistently fail on newer SiteMinder 12.8SP2 and higher instances while succeeding on legacy 12.8SP1 and lower instances.
        
  • Policy Server Test Tool:

    Authentication succeeds when tested directly against the Policy Server.
      
  • smps.log / smtracedefault.log: Reports LDAP search filter errors:
        
    "[ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (uid=)"

  • sps-trace.log:

    Indicates the user identity is not captured:
        
    "User 'unknown' is not authenticated by Policy Server."

  • server.log: SiteMinder headers are empty:

    "Header SM_USERDN :"
    "Header SM_USER :"

  • Web Services Response seen in Wireshark network traces:
    <loginResponse>
    <authenticationResponses/>
    <message>Authentication Failed</message>
    <resultCode>LOGIN_FAILED</resultCode>
    </loginResponse>

Environment

Policy Server and CA Access Gateway (SPS) 12.8SP2

Cause

A schema change in the REST API request body occurred between SiteMinder 12.8SP1 and 12.8SP2 (1). The XML tag for the user identity is case-sensitive. SiteMinder 12.8SP1 and older versions require the tag `<username>` (lowercase 'n'), whereas versions 12.8SP2 and higher accept `<userName>`. When the casing is incorrect, the CA Access Gateway (SPS) fails to pass the user attribute to the Policy Server, which produces the empty LDAP search filter "(uid=)".

Resolution

Update the XML request body in the client application or Security API to use the `<userName>` tag (uppercase 'N').

Correct XML (12.8SP2 and higher syntax):

<loginRequest> 
  <binaryCreds></binaryCreds> 
  <userName>USERNAME</userName> 
  <password>PASSWORD</password> 
  <action>GET</action> 
</loginRequest>

Incorrect XML (12.8SP1 and lower syntax):

<loginRequest> 
  <binaryCreds></binaryCreds> 
  <username>USERNAME</username> 
  <password>PASSWORD</password> 
  <action>GET</action> 
</loginRequest>
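
A pre-flight check for the casing problem described above, as an added example (not Broadcom's code or part of the original article). The release labels `12.8SP2+` and `12.8SP1-` and the function names are assumptions made for this sketch; the sample body is constructed from the article's placeholder request.

```python
import xml.etree.ElementTree as ET

# User-identity tag per release, as stated in this article (keys are assumed labels).
USER_TAG = {"12.8SP2+": "userName", "12.8SP1-": "username"}

# Constructed sample: a body written for 12.8SP1 and lower, with placeholder credentials.
LEGACY_BODY = (
    "<loginRequest><binaryCreds></binaryCreds>"
    "<username>USERNAME</username><password>PASSWORD</password>"
    "<action>GET</action></loginRequest>"
)

def check_login_request(xml_body, target):
    """List the problems that would leave the user identity empty on `target`."""
    expected = USER_TAG[target]
    root = ET.fromstring(xml_body)  # use only on bodies your own client builds
    if root.tag != "loginRequest":
        return [f"root element is <{root.tag}>, expected <loginRequest>"]
    exact = root.find(expected)
    if exact is not None:
        if (exact.text or "").strip():
            return []
        return [f"<{expected}> is present but empty"]
    # XML names are case-sensitive, so a differently cased tag is a different element.
    miscased = [c.tag for c in root if c.tag.lower() == expected.lower()]
    if miscased:
        return [f"found <{miscased[0]}> but {target} expects <{expected}>"]
    return [f"<{expected}> is missing"]

def fix_login_request(xml_body, target):
    """Rename a mis-cased user element to the tag `target` expects."""
    expected = USER_TAG[target]
    root = ET.fromstring(xml_body)
    for child in root:
        if child.tag.lower() == expected.lower():
            child.tag = expected
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for target in USER_TAG:
        print(target, check_login_request(LEGACY_BODY, target))
    fixed = fix_login_request(LEGACY_BODY, "12.8SP2+")
    print(fixed, check_login_request(fixed, "12.8SP2+"))
```

Running the check in the client's build or integration tests catches the mismatch before an upgrade, instead of diagnosing it afterwards from the "(uid=)" filter error in smps.log.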

Additional Information

  1. Authentication REST Interface