
Error: Failed to update persistent session in Session Services in SSO


Article ID: 187439


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

When running two Policy Servers (A and B), a user who logs in to a
persistent realm in environment A and then tries to reach a
non-persistent realm in environment B is challenged again.

The Policy Server in environment B reports:

  [CSm_Auth_Message::SendReply][** Status: Not Validated. Failed to update persistent session in Session Services]

The user session should be accepted without challenging the user again.

Note that if the realms in both environments are non-persistent, the
user is not challenged again.

 

Environment

 

  Policy Server 12.8SP3 on RedHat 6;
  Policy Server 12.52SP1 on RedHat 6;

 

Resolution

 

At first glance, the flow works as designed: the SMSESSION cookie
carries SessionSpec data, which includes whether the session is
persistent or not (1).

In this specific use case, the SessionPersistent flag in the
SessionSpec is set. When validating the session, the Policy Server in
environment B therefore tries to find the session in a Session Store
and, because it cannot find it there, reports the error.

To get SSO, the realms should be of the same type, not a mixture of
persistent and non-persistent.

When the realms are persistent, the Session Store should be shared
between the environments, so that each of them can find the session
carried by the SMSESSION cookie and validate it without asking for
credentials. Both environments should share the same Session Store.

 

Additional Information

 

(1)

    What information is stored in the SMSESSION Cookie

      SESSIONSPEC can only be decrypted by the Policy Server. It
      contains the following information:

      SessionPersistent

    https://knowledge.broadcom.com/external/article?articleId=45705