search cancel

Error : Failed to update persistent session in Session Services in SSO

book

Article ID: 187439

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When running 2 Policy Servers (A and B) and when the user login into a persistent realm in environment A, when it tries to reach a non-persistent realm in environment B, he's challenged again.    

The Policy Server in environment B reports:

  [CSm_Auth_Message::SendReply][** Status: Not Validated. Failed to update persistent session in Session Services]
  User session should be accepted without having to challenge again.

Note that if both environments realms are non-persistent, then the user doesn't get challenged again.

 

Environment

 

  Policy Server 12.8SP3 on RedHat 6;
  Policy Server 12.52SP1 on RedHat 6;

 

Resolution

 

At first glance, the flow works as designed, as the SMSESSION cookie has SessionSpec data which includes if the Session is persistent or not (1).

In this specific use case, the SessionSpec SessionPersistent data is set, then, when validating the session, the Policy Server from environment B tries to find the data in a Session Store, and as it cannot find the data in a Session Store, it reports the error.

To get SSO, realms should be the same type and not a mixture of persistent and not persistent.

When realms are persistent, Session Store should be shared between the environments, for each of them to find the Session that brings the SMSESSION and to be able to validate it without having to ask for credentials. Both environments should share the same Session Store.

 

Additional Information

 

(1)

    What information is stored in the SMSESSION Cookie

      SESSIONSPEC can only be decrypted by Policy server. It contains
      following information :

      SessionPersistent