Problem With the Self-Service Password Reset Feature
Article ID: 129784
Products
CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
If you have Identity Manager (IM) configured to integrate with SiteMinder using a cluster of policy servers, you may encounter the following situation: you are redirected to the IM password services URL to change a password for the Password Must Change flag or a Forgotten Password task, and after submitting the change you are logged out of the system. The following error appears in the Identity Manager log:
Unable to determine user from SiteMinder token: No items found
Environment
Identity Manager 12.x and 14.x
SiteMinder Policy Server 12.x
Cause
IM uses the SMTOKEN value in the URL header to validate the user that is the subject of the password change. In a SiteMinder cluster, some network delays may cause the SMTOKEN to be invalid by the time it is validated on a different node than the initial policy server that issued the token.
Resolution
To resolve this, modify /iam_im.ear/policy-server.rar/META-INF/ra.xml so that only the original request to the password services URL is validated, by changing the following setting to false: