The first-logon password change flow fails in the MFA chain when SiteMinder and VIP Authentication Hub are integrated.
The primary authentication is SiteMinder; the second factor is VIP Authentication Hub Email OTP.
In SiteMinder, the "initials" attribute is used as the user status attribute.
Setting the "initials" attribute to 16777216 (the value that triggers the first-logon password change) and logging in produces the following error in the browser after the first-factor SiteMinder authentication:
/affwebservices/public/bctokencontroller?error=INVALID_REQUEST&error_description=User%20is%20inactive&state=SMSTATEGUID-<value>&error_code=0000060&X-TRANSACTION-ID=<value>
The Policy Server reports this error in smps.log:
[3005503/140467945584384][Sat Oct 18 2025 12:23:18.219][SmAuthUser.cpp:5220][ERROR][sm-LoginLogout-01910] ChangePassword - Password Policies not applicable for the specified Authentication Scheme
The same flow works in the TEST environment.
The cause is that no claim mapping is defined for idp_id, or the mapped claim carries no value. In that case the application uses the idp_name claim for the user matching context:
"idp_name": "<idp>",
"idp_id": "",
To resolve this, manually enter the users' contacts for all users from <idp>, so that matching on idp_name succeeds, like this:
Users
Set which users are allowed access or restricted.
| IDENTITY SOURCE | USER NAME OR EXPRESSION |
|------------------------------------------+-------------------------|
| <idp> (TARS User store Prod environment) | All Users |
Alternatively, in the SiteMinder AdminUI, add an attribute mapping that supplies a value for the idp_id claim. This populates the ID Token Hint (IDTH) idp_id claim with that value, and SSP then uses it to identify the user instead of idp_name.
In the SiteMinder AdminUI, go to:
User Directories › Modify User Directory: user store › Create Attribute Mapping
| Section    | Field      | Value    |
|------------|------------|----------|
| General    | Name       | idp_id   |
| Properties | Constant   | selected |
| Properties | Definition | <value>  |
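As an added example, not code from this article or from the SiteMinder / VIP Authentication Hub products: a Python script that decodes a constructed, HS256-signed ID Token Hint, reads its idp_name and idp_id claims and applies the matching rule described above, so you can check which claim the hub will match the user on before and after adding the idp_id attribute mapping. The signing key, issuer, subject and the idp_id value tars-prod are assumptions; the signing and key material of the real IDTH issued by SiteMinder are not modelled here.

```python
# Added example (not part of the original article or of the SiteMinder /
# VIP Authentication Hub products): build, verify and inspect an ID Token Hint
# and apply the user-matching rule (idp_id if mapped and non-empty, else idp_name).
# DEMO_KEY, the issuer, the subject and the idp_id value "tars-prod" are
# constructed placeholders.
import base64
import hashlib
import hmac
import json

# Constructed signing key; the real IDTH signing is not modelled.
DEMO_KEY = b"demo-idth-signing-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_id_token_hint(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT carrying the given claims (constructed test token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_id_token_hint(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the HS256 signature and return the claims; reject anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (expected 3 segments)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm so an alg=none or RS256 token cannot slip through.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload_b64))


def user_match_key(claims: dict) -> tuple:
    """Return (claim_name, value) the user is matched on.

    Rule from the article: idp_id wins when it is mapped and carries a value;
    an absent or empty idp_id falls back to idp_name.
    """
    idp_id = claims.get("idp_id")
    if isinstance(idp_id, str) and idp_id.strip():
        return ("idp_id", idp_id.strip())
    idp_name = claims.get("idp_name")
    if isinstance(idp_name, str) and idp_name.strip():
        return ("idp_name", idp_name.strip())
    raise ValueError("neither idp_id nor idp_name present: user cannot be matched")


def describe(token: str, key: bytes = DEMO_KEY) -> str:
    """Human-readable summary of which claim a given IDTH would be matched on."""
    field, value = user_match_key(decode_id_token_hint(token, key))
    return f"match on {field}={value!r}"


if __name__ == "__main__":
    base = {"iss": "https://sm.example.test", "sub": "jdoe", "idp_name": "<idp>"}
    # Before the fix: idp_id claim is present but empty -> matched on idp_name.
    print(describe(make_id_token_hint({**base, "idp_id": ""})))
    # After the AdminUI attribute mapping: constant idp_id value -> matched on idp_id.
    print(describe(make_id_token_hint({**base, "idp_id": "tars-prod"})))
```

Running the script prints the before and after cases: an empty idp_id claim still falls back to idp_name, which is why either the user contacts for <idp> must exist or the constant idp_id mapping must be added. When inspecting a real IDTH, replace the demo signing step with verification against the issuer's actual key; never skip the signature check just to read the claims.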