After logging in, the user doesn't register email credentials in VIP Access Manager

Article ID: 422913

Updated On:

Products

SITEMINDER, VIP Service, CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign-On

Issue/Introduction

When running CA Access Gateway (SPS) and the request goes to VIP, the users' email credentials are not registered automatically.

The users are prompted to register their credentials at first login.

Cause

Decoding the id_token_hint value that the CA Access Gateway (SPS) sends to the VIP Manager shows that the email claim has no value (1):

FWSTrace.log

[12/18/2025][10:45:56][3616][3044][][StateRedirectServlet.java][processRequest][Processing complete redirecting to the azRequestUrl: https://oidc.vip.example.com/<arrow>/oauth2/v1/authorize?client_id=<clientid>&scope=openid&response_type=code&redirect_uri=https://host.example.net/affwebservices/public/bctokencontroller&acr_values=<value>&ui_locales=<locale>&code_challenge=<value>&code_challenge_method=<method>&X-CLIENT-TRANSACTION-ID=<xtransaction>&id_token_hint=<value>&state=SMSTATEGUID-<value>]

| Claim    | Value                                                                            |
|----------+----------------------------------------------------------------------------------|
| iat      | 1766054756 (Thu Dec 18 2025 11:45:56 GMT+0100 (hora estándar de Europa central)) |
| email    |                                                                                  |
| idp_type | siteminder                                                                       |
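
The same check can be done offline instead of pasting the token into a web decoder. The following is an added example, not code from this article or from the product: it pulls id_token_hint out of a redirect trace line shaped like the FWSTrace.log entry above, decodes the payload without verifying the signature, and reports blank claims. The function names, the sample token and the sample log line are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"azRequestUrl:\s*(https?://[^\]\s]+)")

def extract_id_token_hint(log_line):
    """Return the id_token_hint query parameter from a redirect trace line, or None."""
    match = URL_RE.search(log_line)
    if not match:
        return None
    values = parse_qs(urlsplit(match.group(1)).query).get("id_token_hint")
    return values[0] if values else None

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def blank_claims(claims, required=("email",)):
    """List required claims that are absent, empty or whitespace-only."""
    return [c for c in required if not str(claims.get(c) or "").strip()]

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample (assumption): header, signature and query values are made up;
# only the claim names and the iat value mirror the decoded table above.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iat": 1766054756, "email": "", "idp_type": "siteminder"}),
    "c2lnbmF0dXJl",  # placeholder signature bytes, never checked
])
SAMPLE_LINE = (
    "[12/18/2025][10:45:56][3616][3044][][StateRedirectServlet.java][processRequest]"
    "[Processing complete redirecting to the azRequestUrl: "
    "https://oidc.vip.example.com/oauth2/v1/authorize?client_id=demo&scope=openid"
    f"&id_token_hint={SAMPLE_TOKEN}&state=SMSTATEGUID-demo]"
)

if __name__ == "__main__":
    claims = decode_claims(extract_id_token_hint(SAMPLE_LINE))
    print(claims, "blank claims:", blank_claims(claims))
```
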

The Policy Server traces report that it cannot set the email claim:

smtracedefault.log

[12/18/2025][12:45:56.113][12:45:56][8932][1640][SmAuthUser.cpp:2415][GetPropIndex][][][][][][][][][][][][][][][][][][][][][Processing Attribute [Property = email] [Trim Property = email] [Separator = ^]][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[12/18/2025][12:45:56.113][12:45:56][8932][1640][SmAuthExtAttrResponse.cpp:431][getClaims][][][][][][][][][][][][][][][][][][][][][ customClaim 'email' :  '<name>@example.com' ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[12/18/2025][12:45:56.113][12:45:56][8932][1640][SmAuthExtAttrResponse.cpp:425][getClaims][][][][][][][][][][][][][][][][][][][][][ claim lookup failed][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Resolution

To fix the issue, configure the Email(R) field in the User Directory configuration with the correct value.

Additional Information

  1. JWT Decoder