
CA API Gateway - "Authenticate Against CA Single Sign-On Assertion" is not working


Article ID: 190188


Updated On:


CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway


We are using CA Single Sign On & CA API Gateway to enable federated based SSO for one of the vendor hosted applications. But for some reason, the "Authenticate Against CA Single Sign-On" API Gateway assertion is unable to authenticate / validate the SMSESSION. 

"Unable to authenticate user using SSO Token"

I have checked the policy server logs but I couldn't find any errors in the smps.log & smtracedefault.log. 


Release : 9.3



The encryption type differs between COMPAT mode {RC2} and FIPS Only mode {AES}. The SSO term for the mode involved here is MIGRATE mode.

The issue occurs in MIGRATION mode, which is a cross between FIPS (FIPS 140-2 is a US government computer security standard {AES}) and COMPAT (BSAFE crypto.jar from RSA Security {RC2}).

The Gateway (GW) in migration mode with SSO SDK version specified does not handle mixed encryption for agent keys.

In migration mode the GW sets up the trusted host in FIPS mode {AES}.
The SPS agent is in migration mode:

[Tue Feb 25 2020 08:12:36] FIPS 140 Cryptographic Mode is migration.
Keys are stored in the key store in COMPAT mode {RC2}.


Update the SSO SDK on the Gateway to CA_SSO_SDK_Compact_v12.52.01.09.L7P.

[[email protected] install_config_info]# more
ProductName=CA SiteMinder SDK

This version makes a second pass when reading the SMSESSION cookie: it first uses {RC2}, then {AES}.

Additional Information

The request failure error "Unable to authenticate user using SSO Token" can occur for a number of different reasons. This KB covers one of them.

Steps to check if this KB applies 

First get the version of SSO SDK used by Gateway if it’s version this KB could apply 


[[email protected] install_config_info]# more
ProductName=CA SiteMinder SDK

Second, turn on a higher debug level for the SSO log. If the reason logged is “Unable to decode ssotoken + 44wWzOEChx…….UZyMq”, this KB could apply.
Set the ssg log severity threshold to FINE in the log sink properties window.

In the cluster-wide properties, add the siteminder line to log.level. This is needed to see the reason the SSO token failed.

com.l7tech.level = FINE

Look for the following error. If the reason logged is a failure to decode the ssotoken, this KB could apply:

2020-04-20T19:52:34.515+0000 FINE    320 Unable to decode ssotoken + 44wWzOEChx…….UZyMq
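
The two log indicators described above can be checked together with a short script. This is an added example, not part of the original KB or any CA tooling: the function name, the sample lines and the redacted token placeholder are constructed, and it does not check the SSO SDK version because the article does not show where the version is recorded.

```python
import re

# Patterns follow the two log lines quoted in this article.
FIPS_MODE = re.compile(r"FIPS 140 Cryptographic Mode is (\w+)\.", re.I)
DECODE_FAIL = re.compile(r"^(\S+)\s+FINE\s+\d+\s+Unable to decode ssotoken\b")

# Constructed sample input (token replaced by a placeholder).
SAMPLE_AGENT = [
    "[Tue Feb 25 2020 08:12:36] FIPS 140 Cryptographic Mode is migration.",
]
SAMPLE_GATEWAY = [
    "2020-04-20T19:52:30.101+0000 INFO    320 Request received",
    "2020-04-20T19:52:34.515+0000 FINE    320 Unable to decode ssotoken + <TOKEN-REDACTED>",
]


def triage(agent_log_lines, gateway_log_lines):
    """Report whether both indicators from this KB are present in the logs."""
    mode = None
    for line in agent_log_lines:
        m = FIPS_MODE.search(line)
        if m:
            mode = m.group(1).lower()  # the most recent startup message wins
    failures = []
    for line in gateway_log_lines:
        m = DECODE_FAIL.match(line)
        if m:
            # Keep only the timestamp: the token fragment is session
            # material and should not be copied into reports or tickets.
            failures.append(m.group(1))
    return {
        "fips_mode": mode,
        "decode_failures": failures,
        "kb_may_apply": mode == "migration" and bool(failures),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_AGENT, SAMPLE_GATEWAY))
```

The decode failure only appears once the FINE logging described above is enabled, so an empty result with default log levels does not rule this KB out.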