Unable to Access SAML App - Authentication is Failing

Article ID: 140303

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), SITEMINDER

Issue/Introduction

Users are intermittently failing authentication with a generic login failure message.  Subsequent authentication attempts usually succeed.  External users seem more affected than internal users, although both experience intermittent failures.

Cause

The web agent serving the login form was running in FCCCompatMode (FCCCompatMode=yes). One of the web agents hosting the target application had its system clock set more than 5 minutes in the future. Because the FORMCRED cookie set by the login agent and processed by the target application agent has a five-minute timeout, that host rejected the cookie each time it was presented, and the authentication attempt failed.

Agents processing FORMCRED cookies will reject the cookie if it is either more than 5 minutes old, or appears to have been set in the future.

Environment

Release : All

Component : All Web Agents

Resolution

Web agent system clocks need to be tightly in sync when FCCCompatMode=yes.
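The rejection window described under Cause can be modeled to see which agents in a pool would refuse a freshly issued FORMCRED cookie. This is an added example, not vendor code; the host names, clock offsets and 2-second redirect delay are constructed assumptions, and the window is taken as exactly 0 to 300 seconds with no tolerance.

```python
FORMCRED_MAX_AGE_S = 300  # five-minute FORMCRED timeout stated in the article


def formcred_verdict(login_offset_s, target_offset_s, transit_s=2.0):
    """Return how a target agent judges a FORMCRED cookie set by the login agent.

    Offsets are each host's clock error versus true time, in seconds
    (positive = clock runs ahead). transit_s is the assumed delay between
    the login agent setting the cookie and the target agent receiving it.
    """
    # Age of the cookie as measured on the target agent's own clock:
    # real elapsed time plus the difference between the two clocks.
    apparent_age = transit_s + target_offset_s - login_offset_s
    if apparent_age > FORMCRED_MAX_AGE_S:
        return "reject: cookie looks older than 5 minutes"
    if apparent_age < 0:
        return "reject: cookie looks set in the future"
    return "accept"


def audit_pool(login_offset_s, target_offsets, transit_s=2.0):
    """Map each target host to its verdict.

    One rejecting host behind a load balancer is enough to produce the
    intermittent failures described in the article.
    """
    return {host: formcred_verdict(login_offset_s, offset, transit_s)
            for host, offset in target_offsets.items()}


# Constructed sample: hypothetical host names and clock offsets in seconds.
SAMPLE_TARGETS = {
    "app-agent-1": 0.4,     # effectively in sync
    "app-agent-2": 312.0,   # more than 5 minutes ahead, as in the Cause section
    "app-agent-3": -8.0,    # behind the login agent by more than the transit time
}

if __name__ == "__main__":
    for host, verdict in audit_pool(0.0, SAMPLE_TARGETS).items():
        print(f"{host}: {verdict}")
```

Feed it offsets measured on each agent host by your time-sync tooling; any host that does not return "accept" explains failures that clear on retry when the next request lands on a different agent.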