PolicyServer blocks the Authentication in spite of SMAUTH_ACCEPT after upgrade from Version 12.52 to Version 12.8.

Article ID: 214431

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When a user accesses a resource protected by an SDK Custom
Authentication Scheme on the Policy Server, the authentication fails.
This happens when the user's disable state is 16777216.

 

Cause

 

This is expected behaviour: if the user is required to change their
password, the Policy Server will not fully authenticate the user until
the password has been changed. This holds even when the Custom
Authentication Scheme returns SMAUTH_ACCEPT to the Policy Server.

A defect describing this behaviour in 12.52 was fixed in Policy Server
12.7 (1).

This issue was also present in Policy Server 12.52SP1: even when the
user's disable state was set to "16777216", the Policy Server
overlooked it, logged the user in and granted access, which is a
security problem.

 

Environment

 

  Policy Server 12.8SP3 on RedHat 7;
  Openjdk 1.8.0_242;
  SDK 12.8SP3 on RedHat 7;
  User Store on Custom LDAP Directory 2.0.3;

 

Resolution

 

Make the Custom Agent handle the smauthreason 20 code so that it sends
the user's browser to the change password page.
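As an added illustration (not code from this article or from the SiteMinder SDK), the following Python models the two halves of the behaviour described: the Policy Server refusing full authentication for a user whose disable state carries 16777216 even though the scheme returned SMAUTH_ACCEPT, and a custom agent treating the resulting smauthreason 20 as a redirect to the change password page rather than as a failed login. The record and function names, and the change password URL, are assumptions for the example.

```python
from dataclasses import dataclass

# Values taken from the article; everything else in this file is a model.
SMAUTH_ACCEPT = "SMAUTH_ACCEPT"      # verdict returned by the custom scheme
REASON_NONE = 0
REASON_PW_MUST_CHANGE = 20           # smauthreason the custom agent must handle
DISABLE_PW_MUST_CHANGE = 16777216    # user disable state (0x01000000)


@dataclass
class PolicyServerReply:
    """Assumed shape of what the agent gets back from a login call."""
    authenticated: bool   # True only for a full authentication
    reason: int           # smauthreason code


def policy_server_login(scheme_verdict: str, disable_state: int) -> PolicyServerReply:
    """Policy Server decision after the custom scheme has returned its verdict."""
    if scheme_verdict != SMAUTH_ACCEPT:
        return PolicyServerReply(False, REASON_NONE)
    # 12.52 granted access here regardless of the disable state; 12.7.02 and
    # later refuse full authentication and report reason 20 instead.
    if disable_state & DISABLE_PW_MUST_CHANGE:
        return PolicyServerReply(False, REASON_PW_MUST_CHANGE)
    return PolicyServerReply(True, REASON_NONE)


def agent_next_step(reply: PolicyServerReply, change_pw_url: str) -> str:
    """What the custom agent should do with the Policy Server's reply."""
    if reply.authenticated:
        return "GRANT"
    if reply.reason == REASON_PW_MUST_CHANGE:
        # Not a login failure: the user must change the password first,
        # so send the browser to the change password page.
        return f"REDIRECT {change_pw_url}"
    return "DENY"


def handle_login(scheme_verdict: str, disable_state: int, change_pw_url: str) -> str:
    """End-to-end: scheme verdict + user store state -> agent action."""
    return agent_next_step(policy_server_login(scheme_verdict, disable_state), change_pw_url)


if __name__ == "__main__":
    # Constructed inputs: the case from the article, and a normal user.
    print(handle_login(SMAUTH_ACCEPT, DISABLE_PW_MUST_CHANGE, "/siteminderagent/forms/changepw.fcc"))
    print(handle_login(SMAUTH_ACCEPT, 0, "/siteminderagent/forms/changepw.fcc"))
```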

 

Additional Information

 

(1) Defects Fixed in 12.7.02

    00831103 DE315869

    CA Single Sign-On fails to redirect inactive or disabled users to
    password services URL, and allows the users to access applications.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/release-notes/service-packs/defects-fixed-in-12-7-02.html