SMSESSION cookie being issued to AuthHub locked out users when submitting ID Token Hint (IDTH).


Article ID: 373829


Products

SITEMINDER, VIP Authentication Hub, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

This is an environment where SiteMinder and VIP AuthHub are integrated.

Both have Account Management configured (to lock out a user after 3 failed attempts).

A user tries to log in with the wrong password 3 times and the account gets locked out.

However, when an IDTH from a previous interaction is submitted for this user, SiteMinder issues an SMSESSION cookie.

VIP AuthHub still reports the account status as locked.

Environment

SiteMinder and VIP AuthHub integration

Cause

SiteMinder and VIP AuthHub both have password/account management enabled, but they use separate attributes for the account status.

When VIP AuthHub locked out the user, the user attribute for "status" was correctly set to "2" (meaning status disabled), but SiteMinder was reading a different attribute for the "Disabled state", which held "0" (meaning status normal), so the SMSESSION was issued.

Resolution

When setting up password/account management, both products must use the same user directory and use the same user attribute for account status.

SiteMinder User Directory Attribute Mapping Sample. In this case "employeeType" attribute was used for "Disabled Flag".

 

VIP AuthHub Identity Store attribute mapping sample. In this case "employeeType" attribute was used for "status".

 

Only when both are configured with the same attribute does SiteMinder detect the current status of the user account and not issue an SMSESSION when the account is Disabled.
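One way to audit for this condition, as an added example that is not part of the original article or either product: given the two configured attribute names and user entries exported from the shared directory, it reports a mapping mismatch and lists accounts that AuthHub has locked but SiteMinder would still treat as normal. The attribute `businessCategory`, the sample entries, and the rule that any value other than "0" counts as disabled are assumptions; `employeeType` and the values "2" and "0" come from the article.

```python
# Added example. Sample entries are constructed; "businessCategory" is a
# hypothetical stand-in for the attribute SiteMinder was reading by mistake.
NORMAL = "0"  # per the article: "0" = status normal, "2" = status disabled

def is_disabled(entry, attr):
    """Missing attribute or "0" is normal; any other value is disabled (assumption)."""
    lowered = {k.lower(): v for k, v in entry.items()}  # LDAP names are case-insensitive
    values = lowered.get(attr.lower()) or [NORMAL]
    return any(v.strip() != NORMAL for v in values)

def audit(entries, siteminder_attr, authhub_attr):
    """Return findings where the two products disagree about account status."""
    findings = []
    if siteminder_attr.lower() != authhub_attr.lower():
        findings.append(("MAPPING_MISMATCH",
                         f"SiteMinder reads {siteminder_attr}, AuthHub writes {authhub_attr}"))
    for dn, entry in entries.items():
        sm_disabled = is_disabled(entry, siteminder_attr)
        ah_disabled = is_disabled(entry, authhub_attr)
        if ah_disabled and not sm_disabled:
            # Locked in AuthHub, normal to SiteMinder: an IDTH could yield SMSESSION.
            findings.append(("SESSION_RISK", dn))
        elif sm_disabled and not ah_disabled:
            findings.append(("STATE_DRIFT", dn))
    return findings

# Constructed directory export: alice was locked out by AuthHub, bob was not.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "employeeType": ["2"], "businessCategory": ["0"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "employeeType": ["0"], "businessCategory": ["0"]},
}

if __name__ == "__main__":
    for label, sm_attr in (("misconfigured", "businessCategory"),
                           ("corrected", "employeeType")):
        print(label, audit(ENTRIES, sm_attr, "employeeType"))
```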