SiteMinder: Unexpected Authentication Failure with ValidTargetDomain ACO
search cancel

SiteMinder: Unexpected Authentication Failure with ValidTargetDomain ACO


Article ID: 140305


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) SITEMINDER


Users are unexpectedly failing authentication.




The Web Agent trace log revealed that the URL domain of the TARGET during authentication was considered invalid, despite the domain in question appearing in the ValidTargetDomain parameter.

The problem was the list of valid target domains was entered into the ACO via a comma-separated list in single-value mode.

This could be easily seen by viewing the ACO in the AdminUI, and also in the Web Agent error log where the parameter was listed once with
comma-separated values.

When the values are input properly using Multi-Value input in the AdminUI, the Web Agent error log displays the parameter multiple  times, once for each value.




When adding multiple values to an ACO parameter in the AdminUI, always use the Multi-Value entry option when available.  This assures the multiple values are passed to the web agent as expected so that all values will be honored.

When specifying values for ValidTargetDomain as Multi-Value, the product doesn't force any limit about the amount of line that can be set. So many lines can be added as the Policy Store vendor accept.


Additional Information

Do not include a leading dot when adding values to the ValidTargetDomain parameter.

The Web Agent does not consider a leading dot when evaluating the target domain, thus including the leading dot in the parameter values will cause the values to be invalid.

This article also applies to the ValidFedTargetDomain parameter.

ACO = Agent Configuration Object