Unexpected Authentication Failure with ValidTargetDomain

Article ID: 140305

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

CA Single Sign On Agents (SiteMinder)

SITEMINDER

Issue/Introduction

Users are unexpectedly failing authentication.

Cause

The Web Agent trace log showed that the domain of the TARGET URL was considered invalid during authentication, even though that domain appeared in the ValidTargetDomain parameter. The cause was that the list of valid target domains had been entered into the ACO as a comma-separated list in single-value mode. This is easy to see by viewing the ACO in the AdminUI, and also in the Web Agent error log, where the parameter is listed once with comma-separated values. When the values are entered properly using multi-value input in the AdminUI, the Web Agent error log displays the parameter multiple times, once for each value.

Environment

Release : 12.8

Component : SITEMINDER POLICY SERVER, WEB AGENTS

Resolution

When adding multiple values to an ACO parameter in the AdminUI, always use the Multi-Value entry option when available. This ensures that each value is passed to the Web Agent separately, as expected, so that all values are honored.

Additional Information

Do not include a leading dot when adding values to the ValidTargetDomain parameter. The Web Agent does not consider a leading dot when evaluating the target domain, so including a leading dot in the parameter values will cause those values to be invalid.

This article also applies to the ValidFedTargetDomain parameter. 

ACO = Agent Configuration Object
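
The two mistakes described above (several domains packed into one value, and a leading dot) can be checked for mechanically. The following is an added example, not code from the vendor or the product: it assumes the parameter dump has been copied into `Name='value'` lines, which is a constructed format, and the function name and sample domains are hypothetical.

```python
import re

# Parameters this article covers (compared case-insensitively).
CHECKED = {"validtargetdomain", "validfedtargetdomain"}

# Assumed line shape: Name=value or Name='value'. This is a constructed
# format for the example, not a documented Web Agent log layout.
LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*['\"]?(.*?)['\"]?\s*$")


def lint_aco_lines(lines):
    """Return a list of (line_number, parameter, problem) findings."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match or match.group(1).lower() not in CHECKED:
            continue
        name, value = match.group(1), match.group(2)
        # A correctly entered multi-value parameter appears once per value,
        # so a comma inside one value means single-value mode was used.
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if len(parts) > 1:
            findings.append(
                (number, name,
                 "several domains in one value; re-enter with multi-value input"))
        for part in parts:
            if part.startswith("."):
                findings.append((number, name, f"leading dot in '{part}'"))
    return findings


# Constructed sample input; the domains are placeholders.
SAMPLE = [
    "DefaultAgentName='agent1'",
    "ValidTargetDomain='example.com,example.org'",  # single-value mode
    "ValidTargetDomain='example.net'",               # entered correctly
    "ValidTargetDomain='.example.edu'",              # leading dot
    "ValidFedTargetDomain='partner.example'",        # entered correctly
]

if __name__ == "__main__":
    for number, name, problem in lint_aco_lines(SAMPLE):
        print(f"line {number}: {name}: {problem}")
```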