After APIM upgraded to version 10.00, change password is not working via Siteminder API.



Article ID: 218099


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The APIM assertion "Change CA Single Sign-On User Password" stops working after the upgrade to version 10.00.

The same policy worked on APIM version 9.4.

The user can change the password only when the user's disabled flag is in the enabled state (0).

When the flag is not in the enabled state (0), the user loops when prompted to change the password.

The expectation is that the product should allow a user to change the password in user states such as "Sm_Api_Reason_ImmedPWChangeRequired".

Currently, when the user's state is enabled (0), the user can initiate ChangePassword and it works.

Any other user state fails, for example Sm_Api_Reason_ImmedPWChangeRequired = 20.

Per the API gateway customer:

"If you manipulate the SiteMinder disabled flag in the user directory to 16777216, which returns the reason code 20, you can see the error that the "account is not enabled" in the response.

Sm_Api_Reason 7 is disabled.

Sm_Api_Reason 1, 19, 20 are enabled states but password expired and should let the password be changed using the DMSAPI.

Sm_Api_Reason 21,22 are error conditions in the password change flow. 

These do work with SiteMinder (SSO) password services, just not with the change password assertion in Layer7 gateway."

Environment

SiteMinder Policy Server version: 12.8 SP4 build 2278

SiteMinder Policy Server OS: Windows 2016

APIM OS: CentOS 7

APIM version: upgraded from 9.4 to 10.00.

Cause

This issue is caused by a change in the SSO implementation of the changePassword API in a later 12.8 release.

Once the fix is applied, the APIM-side test results are:

Disabled flag value set on the user, and the resulting change password outcome:
0 - WORKS
1 - Fails: User account is not in enabled state.
2 - Fails: User account is not in enabled state.
4 - Fails: User account is not in enabled state.
8 - WORKS
16777216 - WORKS
 
Disabled Flag (user-defined attribute) possible values:

Disabled Reason                     Type   Value (hex)   Value (decimal)
Sm_Api_Disabled_DisabledMask        Mask   0x00ffffff
Sm_Api_Disabled_Enabled             Mask   0             0
Sm_Api_Disabled_AdminDisabled       Bits   0x00000001    1
Sm_Api_Disabled_MaxLoginFail        Bits   0x00000002    2
Sm_Api_Disabled_Inactivity          Bits   0x00000004    4
Sm_Api_Disabled_PWExpired           Bits   0x00000008    8
Sm_Api_Disabled_DirNativeDisabled   Bits   0x00000010    16
Sm_Api_Disabled_PWMustChange
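An added example (not code from this article, Broadcom or the SiteMinder SDK) that decodes a raw disabled-flag attribute into the Sm_Api_Disabled_* bits listed above and models which values the post-fix APIM test reported as WORKS or Fails. It assumes 0x01000000 (16777216) for Sm_Api_Disabled_PWMustChange, whose value the table leaves blank, and treats the untested DirNativeDisabled bit as blocking; both are assumptions, not statements from the article.

```python
# Added example: decode the SiteMinder "disabled flag" user attribute and model the
# article's post-fix change password results. Not Broadcom/SiteMinder code.

# Mask and bit values as listed in the article's table.
SM_API_DISABLED_DISABLED_MASK = 0x00FFFFFF

DISABLED_BITS = {
    "Sm_Api_Disabled_AdminDisabled": 0x00000001,
    "Sm_Api_Disabled_MaxLoginFail": 0x00000002,
    "Sm_Api_Disabled_Inactivity": 0x00000004,
    "Sm_Api_Disabled_PWExpired": 0x00000008,
    "Sm_Api_Disabled_DirNativeDisabled": 0x00000010,
    # Assumption: the article's table leaves this value blank; 16777216 (0x01000000)
    # is the value its test results and the customer report associate with the
    # must-change-password state (reason code 20).
    "Sm_Api_Disabled_PWMustChange": 0x01000000,
}

# Bits the post-fix test shows blocking the assertion with
# "User account is not in enabled state" (flag values 1, 2 and 4).
HARD_DISABLE_BITS = (
    DISABLED_BITS["Sm_Api_Disabled_AdminDisabled"]
    | DISABLED_BITS["Sm_Api_Disabled_MaxLoginFail"]
    | DISABLED_BITS["Sm_Api_Disabled_Inactivity"]
)


def decode_disabled_flag(flag: int) -> list[str]:
    """Names of the Sm_Api_Disabled_* bits set in a raw disabled-flag value."""
    return [name for name, bit in DISABLED_BITS.items() if flag & bit]


def within_disabled_mask(flag: int) -> int:
    """The part of the flag covered by Sm_Api_Disabled_DisabledMask (0x00ffffff).

    The assumed PWMustChange bit lies outside this mask, so 16777216 masks to 0.
    """
    return flag & SM_API_DISABLED_DISABLED_MASK


def change_password_allowed(flag: int) -> bool:
    """Model the post-fix results: 0, 8 and 16777216 work; 1, 2 and 4 fail.

    PWExpired and PWMustChange are enabled-but-must-change states, so only the
    hard-disable bits reject. DirNativeDisabled was not in the article's test;
    it is treated as blocking here (assumption).
    """
    blocking = HARD_DISABLE_BITS | DISABLED_BITS["Sm_Api_Disabled_DirNativeDisabled"]
    return flag & blocking == 0


if __name__ == "__main__":
    for value in (0, 1, 2, 4, 8, 16777216):  # the flag values the article tested
        bits = decode_disabled_flag(value) or ["Sm_Api_Disabled_Enabled"]
        print(value, bits, "WORKS" if change_password_allowed(value) else "Fails")
```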

Resolution

A dev fix was provided to the customer for the specific 12.8 SP4 version.

Follow the steps below to apply the dev fix. The dev fix was prepared on the 12.8.04 GA version of the SiteMinder Policy Server.

1. Stop the Policy Server.

2. Back up the existing "smtransactems2.dll" from your <PS_Install_Location>\bin folder. (On Linux, the file is smtransactems2.so under ~siteminder/lib.)

3. Copy the DLL provided in the dev fix to the <PS_Install_Location>\bin folder.

4. Start the Policy Server.

DE506000-devfix.zip          https://supportftp.broadcom.com/0254314/32738815/files_from_broadcom/DE506000-devfix.zip

DE506000-devfix-linux.zip https://supportftp.broadcom.com/0254314/32738815/files_from_broadcom/DE506000-devfix-linux.zip

Additional Information

APIM issue 32737023 DE505874

Siteminder issue 32738815 DE506000