Products: CA Single Sign On Secure Proxy Server (SiteMinder), Axiomatics Policy Server, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Customer is trying to use Identity Mapping for Federation and is getting a FAILED_AUTHEX error in the affwebserv.log.

Use case:
1. User1 logs on from Userstore1 (CA Directory) and accesses /application1/index.html --> Works
2. User1 accesses /application2/index.html, which has a directory mapping to Userstore2 (AD) --> Works
3. User1 federates to partnership1 (Userstore1 authorized) --> Works
4. User1 federates to partnership2 (Userstore2 authorized) --> Fails
Why is the Identity Mapping not working for federation?
CA SSO R12.x
This is expected behavior. User1 logged in through Userstore1, so the user session is based on Userstore1. User1 can federate at step 3 because that federation partnership is configured with the same userstore and the user is authorized for federation there. When the user tries to federate at step 4, the authentication userstore and the federation userstore are different, so the user is "NOT AUTHORIZED" and receives a 403 error with "FAILED_AUTHEX". Identity Mapping with federation has been a known limitation of the product for many years. There is an enhancement request, accepted by Product Management, which is projected to be introduced in R14.
The Enhancement Request is linked below:
https://communities.ca.com/ideas/235714647-identity-mapping-for-federation

You can also join the CA Validation program to take a look at the proposed Identity Mapping feature at the following link:
https://validate.ca.com/project/home.html?cap=0a68dd7ca76e4c8f964ff856033c3905
After login, select the Single Sign-On product and search for "Identity Mapping for SAML". You will see a PDF document demonstrating the proposal.
### WORKAROUND ###
1. Customer can add the authentication userstore to the federation partnership and write a custom assertion generator to fetch the user attributes from the other userstore.
2. Creative discussion with CA Services to find other options. Please reach out to your CA Account Manager for further discussion.