Problem With the Self-Service Password Reset Feature

Article ID: 129784

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal

Issue/Introduction

If you have Identity Manager configured to integrate with SiteMinder using a cluster of policy servers, you may be redirected to the IM password services URL to change a password (for the Password Must Change flag or a Forgotten Password task) and, after submitting the change, be logged out of the system with the following error in the Identity Manager log:

Unable to determine user from SiteMinder token: No items found

Cause

IM uses the SMTOKEN value in the URL header to validate the user who is the subject of the password change. In a SiteMinder cluster, network delays may cause the SMTOKEN to be invalid by the time it is validated on a different node than the policy server that originally issued the token.

Environment

Identity Manager 12.x and 14.x
SiteMinder Policy Server 12.x

Resolution

To resolve this, modify /iam_im.ear/policy-server.rar/META-INF/ra.xml so that only the original request to the password services URL is validated, by changing the following setting to false:

<config-property>
            <config-property-name>ValidateSMHeadersWithPS</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>false</config-property-value>
</config-property>

Restart the IAM service after saving this change. This should resolve the token validation failures going forward.
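As an added example (not CA's own code or tooling), the following Python helper audits an ra.xml for the ValidateSMHeadersWithPS property, reports its current value, and rewrites it to false so the change can be applied and verified consistently across nodes. The sample descriptor and its namespace URI are constructed assumptions; the real file's namespace may differ, which is why matching ignores namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the ra.xml fragment in the article;
# not the real CA descriptor, and the namespace URI is an assumption.
SAMPLE_RA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee">
  <resourceadapter>
    <config-property>
      <config-property-name>ValidateSMHeadersWithPS</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>SomeOtherProperty</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>42</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

PROPERTY = "ValidateSMHeadersWithPS"

def _local(tag):
    # Strip a namespace prefix such as "{http://...}config-property".
    return tag.split("}", 1)[-1]

def find_value_elem(root, name):
    """Return the <config-property-value> element of the named property, or None."""
    for prop in root.iter():
        if _local(prop.tag) != "config-property":
            continue
        names = [c for c in prop if _local(c.tag) == "config-property-name"]
        if names and (names[0].text or "").strip() == name:
            return next((c for c in prop if _local(c.tag) == "config-property-value"), None)
    return None

def get_value(xml_text, name=PROPERTY):
    elem = find_value_elem(ET.fromstring(xml_text), name)
    return None if elem is None else (elem.text or "").strip()

def set_value(xml_text, new_value, name=PROPERTY):
    """Return (updated_xml, old_value); raise KeyError if the property is absent."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    elem = find_value_elem(root, name)
    if elem is None:
        raise KeyError(f"{name} not found in ra.xml")
    old = (elem.text or "").strip()
    elem.text = new_value
    return ET.tostring(root, encoding="unicode"), old
```

Run get_value against the copy of ra.xml on every node after the restart to confirm that all of them carry the same setting.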