When CA Access Gateway (SPS) is integrated with VIP Authentication Hub and a user has a "must change password" status in the SiteMinder User Store, the user is not redirected to the password services page as expected. Instead, the flow continues and fails, and the secondary authentication fails.
The CA Access Gateway (SPS) receives this URL to handle:
[06/28/2024][13:40:10.500][13:40:10][9356][988][SmMessage.cpp:568][CSmMessage::ParseAgentMessage][s20400/r216][][][][][][][][][][][][][][][][][][][/affwebservices/public/bctokencontroller?error=INVALID_REQUEST&error_description=User%20is%20inactive&state=-SM-<value>&GUID=<value>&REALMOID=<value>&SMAUTHREASON=56&METHOD=GET&SMAGENTNAME=-SM-<value>&TARGET=-SM-https%3a%2f%2fconsole%2eexample%2ecom%2f&SMNONCE=<value>&CHALLENGE-METHOD=S256&error_code=0000060][Receive request attribute 201, data size is 616]
The VIP Authentication Hub reports the user as inactive:
INVALID_REQUEST User is inactive
For the Disabled Flag in the User Directory, according to the SiteMinder documentation, the attribute should be a string, it should allow more than 2 characters, and it should be readable and writable (1).

| Attribute Name     | Data Type | Directory Types | Description                          |
|--------------------|-----------|-----------------|--------------------------------------|
| Disabled Flag (RW) | string    | LDAP, Database  | Specifies the user's account status. |
Using an attribute such as CountryCode is not advisable, because it holds only 2 bytes (2).

Set the Status attribute to the carLicense attribute instead of employeeType. The attribute must be the same in both SiteMinder and VIP Authentication Hub (3).
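To check a candidate Disabled Flag attribute against the three documented requirements (string type, room for more than 2 characters, read/write) and confirm that SiteMinder and VIP Authentication Hub point at the same attribute, the following validator is an added example and not code from the KB article or from Broadcom; the schema entries, the `AttrSchema` field names and the sample attribute list are constructed for illustration.

```python
"""Validate a Disabled Flag attribute mapping (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AttrSchema:
    """Minimal view of a directory attribute; field names are assumptions for this example."""
    name: str
    syntax: str              # "string", "integer", ...
    max_len: Optional[int]   # None means the directory imposes no length limit
    writable: bool


# Constructed sample schema for an LDAP user store (not read from a real directory).
SAMPLE_SCHEMA: Dict[str, AttrSchema] = {
    "countryCode": AttrSchema("countryCode", "string", 2, True),      # too short
    "carLicense": AttrSchema("carLicense", "string", None, True),      # suitable
    "employeeType": AttrSchema("employeeType", "string", None, True),  # suitable
    "uidNumber": AttrSchema("uidNumber", "integer", None, True),       # wrong type
    "createTimestamp": AttrSchema("createTimestamp", "string", None, False),  # read-only
}


def disabled_flag_problems(schema: Dict[str, AttrSchema], attr: str) -> List[str]:
    """Return every reason `attr` cannot serve as the SiteMinder Disabled Flag."""
    s = schema.get(attr)
    if s is None:
        return [f"{attr}: not present in the directory schema"]
    problems = []
    if s.syntax != "string":
        problems.append(f"{attr}: data type is {s.syntax}, must be string")
    if s.max_len is not None and s.max_len <= 2:
        problems.append(f"{attr}: max length {s.max_len}, must allow more than 2 characters")
    if not s.writable:
        problems.append(f"{attr}: must be readable and writable")
    return problems


def check_mappings(schema: Dict[str, AttrSchema], siteminder_attr: str, viphub_attr: str) -> List[str]:
    """Schema checks plus the rule that both products must map the same attribute."""
    problems = disabled_flag_problems(schema, siteminder_attr)
    if siteminder_attr != viphub_attr:
        problems.append(
            f"SiteMinder uses {siteminder_attr} but VIP Authentication Hub uses {viphub_attr}; they must match"
        )
    return problems


if __name__ == "__main__":
    for issue in check_mappings(SAMPLE_SCHEMA, "carLicense", "employeeType"):
        print(issue)
```

An empty list from `check_mappings` means the mapping satisfies all three documented requirements and both products agree on the attribute.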