SSO Policy Server Illegal characters in username
Article ID: 188755
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We are observing some illegal characters in username messages in smaccess log:
AuthAttempt fishbone [15/Apr/2020:11:11:11 +0100] "10.1.1.46 qudjCAT77&c*m" "mywebagent GET /secure/loginforwarddev" [] [46] Illegal characters in username [] []
We would like to know the list of of characters which are considered illegal by Siteminder
AuthAttempt fishbone [15/Apr/2020:11:11:11 +0100] "10.1.1.46 qudjCAT77&c*m" "mywebagent GET /secure/loginforwarddev" [] [46] Illegal characters in username [] []
We would like to know the list of of characters which are considered illegal by Siteminder
Environment
Release : 12.52
Component : SITEMINDER -POLICY SERVER
Resolution
There are 3 characters which if used in username, policy server will give the error "illegal characters in username" and they are: * & Username shouldn't be enclosed within parentheses
This has been part of the product since day one and is not a configurable option.
The reason for this is that these characters have special meaning in LDAP search queries, the query will be broken / return unexpected results with this characters being used not for searching purposes.
This has been part of the product since day one and is not a configurable option.
The reason for this is that these characters have special meaning in LDAP search queries, the query will be broken / return unexpected results with this characters being used not for searching purposes.
Additional Information
While this is all relevant, there has been a fix included in SiteMinder 12.52 SP1 CR5 to allow & to be used in username / email for login purposes
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05.html
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05.html
|
0215858
|
DE68366
|
The authentication fails if the username contains &.
|
In addition, the registry key AllowUserNameWithinParentheses can be used to allow a user name within parentheses to be specified
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/policy-server-configuration-files/list-of-policy-server-registry-keys.html
Feedback
Yes
No
Powered by
