If you have Identity Manager configured to integrate with SiteMinder using a cluster of policy servers, you may encounter the following situation: you are redirected to the IM password services URL to change a password, either because the Password Must Change flag is set or through a Forgotten Password task, and after submitting the change you are logged out of the system. The following error appears in the Identity Manager log:
Unable to determine user from SiteMinder token: No items found
IM uses the SMTOKEN value in the URL header to validate the user that is the subject of the password change. In a SiteMinder cluster, some network delays may cause the SMTOKEN to be invalid by the time it is validated on a different node than the initial policy server that issued the token.
Identity Manager 12.x and 14.x
SiteMinder Policy Server 12.x
To resolve this, modify the /iam_im.ear/policy-server.rar/META-INF/ra.xml to only validate the original request to the password services URL by changing the following setting to false:
Restart the IAM service after saving this change. This should resolve the token resolution issue going forward.