SiteMinder : User unauthorized with AZ Mapping when both User Directory in 1 Domain



Article ID: 263010


Products

SITEMINDER

Issue/Introduction

When running the Policy Server and protecting a resource with two different User Directories, A and B, in the same Domain, the following behaviour is observed.

When the user is disabled in User Directory A because a Password Policy was triggered, the disable flag is correctly set in both User Directory A and User Directory B.

The Password Policy configured for both User Directories disables, for 2 minutes, a user who has entered a wrong password three times.

Once the user logs in with the correct password after the 2 minutes, the disable flag for the user in Authentication User Directory A is reset to 0, while the disable flag for the same user in User Directory B remains set to 2.

This causes the user not to be authorized, because the AZ Mapping uses User Directory A as the Authentication Directory and User Directory B as the Authorization Directory.


Resolution

Attach a duplicated configuration of the Authorization User Directory to the Domain instead of the original one. The steps are:

  • Remove the Authorization (AZ) Directory from the Domain;
  • Create another instance of the same Authorization (AZ) Directory with a different name, and add it to the Domain;

The Domain still has 2 User Directories, and the one used for the AZ Mapping is outside the Domain.

To illustrate:

Reproducing this issue with this configuration:

| Object                | Config                                |
|-----------------------|---------------------------------------|
| Domain                | mapping                               |
| User Stores           | user-store                            |
|                       | user-store-az                         |
| Realm                 | Authorization Mapping                 |
| Authorization Mapping | Authentication Directory user-store   |
|                       | Authorization Directory user-store-az |
|                       | Identical DNs                         |

  • Remove user-store-az from the Domain;
  • Create the user-store-az-clone User Store (with the same configuration as user-store-az);
  • Add the user-store-az-clone User Directory to the Domain:

| Object                | Config                                |
|-----------------------|---------------------------------------|
| Domain                | mapping                               |
| User Stores           | user-store                            |
|                       | user-store-az-clone                   |
| Realm                 | Authorization Mapping                 |
| Authorization Mapping | Authentication Directory user-store   |
|                       | Authorization Directory user-store    |
|                       | Identical DNs                         |

Now, when the Password Policy is applied, the disable flag for the Authorization (AZ) User Directory is not changed; it stays 0, so the user is authorized.