Identity Manager fails when using AUTH and AZ mapping with SSO integration.


Article ID: 4689


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On


When using AUTH and AZ mapping with SSO integration, the user gets a "File Not Found" error in the browser, and the following error appears in the application server log:

Header userDN and session spec users do not match



Identity Manager when integrated with Single Sign-On using authentication/authorization mapping.


When Identity Manager is integrated with Single Sign On, ValidateHeadersWithPS is on by default. The SiteMinder header always carries the full DN value for the user in question. With auth/az mapping, however, Identity Manager has only the user ID, not the full DN value, so the comparison between the header userDN and the session spec user always fails.


Turn off ValidateHeadersWithPS.

  1. Stop the application server.
  2. Disable ValidateHeadersWithPS in the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF by setting the Enabled config-property value to false.
    Note: For WebSphere, the ra.xml file is located in WebSphere_home/AppServer/profiles/Profile_name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/policyserver.rar/META-INF.
  3. Start the application server.
  4. (WebSphere only) Update the policy server object in the Administrative Console with the same values as in the ra.xml file.