Smlimitauth attribute is getting updated but not stopping the user from accessing two different sessions in Policy Server

Article ID: 414640

Products

SITEMINDER CA Single Sign-On

Issue/Introduction

When smlimitauth is run with the SiteMinder Policy Server, the smlimitauth attribute is updated, but users are not prevented from holding two different sessions.

The user logs in twice: once from Edge and once from Chrome.

Cause

According to the Troubleshooting section of the documentation, it is a known issue that the same user can obtain more than one session with Method 1 when no OnAuthAccept rule is fired:

Troubleshooting

The Previous Session is Allowed to Continue

If your site uses 'Method One', ensure that the OnAuthAccept event is being processed by examining the Policy Server Authentication Log (SM V5.x) or the Policy Server Profile/Trace Log (SMV6.x). Also ensure that Authentication events are being processed for that Realm (see the 'Advanced' tab in the Realm Properties). Check for errors reported in the Policy Server Authentication Log (SM V5.x) or the Policy Server Profile/Trace Log (SMV6.x) by the Active Expression.

p.75

-

Method One

When a user successfully logs in, the OnAuthAccept rule is fired (assuming that one is defined within the realm into which the user is authenticating). The Login function will record the user's assigned session identifier into the user's directory entry in the attribute defined in the parameter field ('roomnumber' in the example above).

p.14

Both Policy Server traces confirm this: at the authentication phase for the user, no OnAuthAccept rule is fired.

It looks like there might be none defined.

The Policy Server reports "No applicable Policy found":

smtracedefault.log:

[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][][][][][][][][][][][][][][][][][][][10.0.0.1][Receive request attribute 208, data size is 12]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][<agent>][][][][][][][][][][][][][][][][][][server.example.com][Receive request attribute 200, data size is 8]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][<agent>][][][][][][][][][][][][][][][][][][][Receive request attribute 217, data size is 0]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][<agent>][][][][][][][][][][][][][][][][][][/cert/redirect.aspx?SAML2IDPID=identity.example.net][Receive request attribute 201, data size is 59]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][<agent>][][][][][][][][][][][][][][][][][][GET][Receive request attribute 202, data size is 3]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1130][<agent>][][][][][][][][][][][][][][][][][][][Receive request attribute 204, data size is 39]
[10/08/2025][13:37:48.424][13:37:48][18325][139727090521856][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][][<agent>][/cert/redirect.aspx?SAML2IDPID=identity.example.net][][][<realm>][<SAML>][][][][][][][][][][][][][][Authenticating user.]
[10/08/2025][13:37:48.436][13:37:48][18325][139727090521856][SmAuthUser.cpp:5460][CSmAuthUser::Authenticate][][][][][][][][<authentication_scheme>][][][][][][][][][][][][LDAP://10.0.0.2:55630/uid=<user>,ou=users,dc=example,dc=com][Authenticating user by the auth scheme]
[10/08/2025][13:37:48.442][13:37:48][18325][139727090521856][SmAuthSaml.cpp:2027][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Scheme returning auth state: 2, auth reason: 0.]
[10/08/2025][13:37:48.443][13:37:48][18325][139727090521856][SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][Starting.][SmLimitAuthLogin: Starting.]
[10/08/2025][13:37:48.444][13:37:48][18325][139727090521856][SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][About to flush the cache for uid=<user>,ou=users,dc=example,dc=com][SmLimitAuthLogin: About to flush the cache for uid=<user>,ou=users,dc=example,dc=com]
[10/08/2025][13:37:48.448][13:37:48][18325][139727090521856][SmAuthorization.cpp:2325][CSmAz::IsOkGlobal][][][][][][<realm>][<SAML>][][][][][][][][][][][][][][Evaluating OnAuthAccept global policies in the realm.]
[10/08/2025][13:37:48.448][13:37:48][18325][139727090521856][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[10/08/2025][13:37:48.519][13:37:48][18325][139727090521856][Sm_Auth_Message.cpp:4903][CSm_Auth_Message::SendReply][s7554/r1130][<agent>][][][][<realm>][<SAML>][<authentication_scheme>][][][][][][][][][][][][][** Status: Authenticated. ]

--

[10/08/2025][13:39:26.043][13:39:26][18325][139727107307264][CServer.cpp:6311][CServer::ProcessRequest][][][][][][][][][][][][][][][][][][][][][Enter function CServer::ProcessRequest]
[10/08/2025][13:39:26.043][13:39:26][18325][139727107307264][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1135][][][][][][][][][][][][][][][][][][][10.0.0.1][Receive request attribute 208, data size is 12]
[10/08/2025][13:39:26.043][13:39:26][18325][139727107307264][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1135][<agent>][][][][][][][][][][][][][][][][][][server.example.com][Receive request attribute 200, data size is 8]
[10/08/2025][13:39:26.043][13:39:26][18325][139727107307264][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1135][<agent>][][][][][][][][][][][][][][][][][][/cert/redirect.aspx?SAML2IDPID=identity.example.net][Receive request attribute 201, data size is 59]
[10/08/2025][13:39:26.043][13:39:26][18325][139727107307264][SmMessage.cpp:566][CSmMessage::ParseAgentMessage][s7554/r1135][<agent>][][][][][][][][][][][][][][][][][][GET][Receive request attribute 202, data size is 3]
[10/08/2025][13:39:26.061][13:39:26][18325][139727107307264][SmAuthSaml.cpp:2027][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Scheme returning auth state: 2, auth reason: 0.]
[10/08/2025][13:39:26.062][13:39:26][18325][139727107307264][SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][Starting.][SmLimitAuthLogin: Starting.]
[10/08/2025][13:39:26.071][13:39:26][18325][139727107307264][SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][About to flush the cache for uid=<user>,ou=users,dc=example,dc=com][SmLimitAuthLogin: About to flush the cache for uid=<user>,ou=users,dc=example,dc=com]
[10/08/2025][13:39:26.080][13:39:26][18325][139727107307264][SmAuthorization.cpp:2325][CSmAz::IsOkGlobal][][][][][][<realm>][<SAML>][][][][][][][][][][][][][][Evaluating OnAuthAccept global policies in the realm.]
[10/08/2025][13:39:26.080][13:39:26][18325][139727107307264][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[10/08/2025][13:39:26.160][13:39:26][18325][139727107307264][Sm_Auth_Message.cpp:4903][CSm_Auth_Message::SendReply][s7554/r1135][<agent>][][][][<realm>][<SAML>][<authentication_scheme>][][][][][][][][][][][][][** Status: Authenticated. ]
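
The sequence visible in the trace above (SmLimitAuthLogin starts, OnAuthAccept evaluation reports "No applicable Policy found", the user is still authenticated) can be searched for across a whole smtracedefault.log. The Python below is an added example, not part of this article or of the Smlimitauth package. It assumes the field order of the excerpt above (thread ID in the fifth field, transaction ID in the eighth, message last). The sample records, the user jdoe and the "IsOk? Yes." line are constructed.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\[([^\]]*)\]")  # one bracketed trace field
def find_unenforced_logins(lines):
    """Logins where SmLimitAuthLogin ran, no OnAuthAccept policy applied, and auth succeeded."""
    state = defaultdict(dict)  # thread id -> facts for the request in flight
    findings = []
    for line in lines:
        f = FIELD.findall(line)
        if len(f) < 9:
            continue  # not a trace record
        tid, txn, msg = f[4], f[7], f[-1]  # field order assumed from the excerpt
        s = state[tid]
        if msg == "SmLimitAuthLogin: Starting.":
            s.clear()
            s["limitauth"] = True
        elif msg.startswith("SmLimitAuthLogin: About to flush the cache for "):
            s["user"] = msg.split(" for ", 1)[1]
        elif msg.startswith("Evaluating OnAuthAccept"):
            s["evaluating"] = True
        elif msg.startswith("IsOk?") and s.pop("evaluating", False):
            s["no_policy"] = "No applicable Policy found" in line
        elif "Status: Authenticated." in msg:
            if s.get("limitauth") and s.get("no_policy"):
                findings.append((f[1], txn, s.get("user")))
            s.clear()
    return findings

def rec(time, tid, txn, detail, msg):
    # Constructed record: shortened form of the trace layout shown in the article.
    return f"[10/08/2025][{time}][{time[:8]}][18325][{tid}][src.cpp:1][Func][{txn}][{detail}][{msg}]"

def login(time, tid, txn, user, detail, verdict):
    return [
        rec(time, tid, "", "Starting.", "SmLimitAuthLogin: Starting."),
        rec(time, tid, "", "", f"SmLimitAuthLogin: About to flush the cache for {user}"),
        rec(time, tid, "", "", "Evaluating OnAuthAccept global policies in the realm."),
        rec(time, tid, "", detail, verdict),
        rec(time, tid, txn, "", "** Status: Authenticated. "),
    ]

DN = "uid=jdoe,ou=users,dc=example,dc=com"  # constructed user
SAMPLE = (login("13:37:48.424", "1001", "s7554/r1130", DN, "No applicable Policy found. ", "IsOk? No.")
          + login("13:39:26.043", "1002", "s7554/r1135", DN, "No applicable Policy found. ", "IsOk? No.")
          # constructed stand-in for a login where a policy did apply
          + login("13:41:00.000", "1003", "s7554/r1140", DN, "", "IsOk? Yes."))

if __name__ == "__main__":
    print(find_unenforced_logins(SAMPLE))
```

Two entries for the same user DN, as in the sample, correspond to the two browser logins described in this article.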

Resolution

Define an OnAuthAccept rule, an OnAcceptRedirect response, and a policy.

The rule must have the action set to Authentication Events with OnAuthAccept selected.

The Response should be a Webagent-OnAccept-Redirect response with an Attribute Kind of Active Attribute.

Additional Information

The documentation is included in the package of Smlimitauth binaries.