Problem With the Self-Service Password Reset Feature


Article ID: 129784


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal


If you have Identity Manager configured to integrate with SiteMinder using a cluster of policy servers, you may be redirected to the IM password services URL to change a password, either because the Password Must Change flag is set or through a Forgotten Password task. After you submit the change, you are logged out of the system and the following error appears in the Identity Manager log:

Unable to determine user from SiteMinder token: No items found


IM uses the SMTOKEN value in the URL header to validate the user who is the subject of the password change. In a SiteMinder cluster, network delays may cause the SMTOKEN to be invalid by the time it is validated on a node other than the policy server that originally issued the token.


Identity Manager 12.x and 14.x
SiteMinder Policy Server 12.x


To resolve this, modify /iam_im.ear/policy-server.rar/META-INF/ra.xml so that only the original request to the password services URL is validated, by changing the following setting to false:


Restart the IAM service after saving this change. This should resolve the token resolution problem going forward.