Identity Manager fails when using AUTH and AZ mapping with SSO integration.

Article ID: 4689


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

When using AUTH and AZ mapping with SSO integration, the user gets a "File Not Found" in the browser and the following error in the application server log:

Header userDN and session spec users do not match

 

Environment

Identity Manager when integrated with Single Sign-On using authentication/authorization mapping.

Cause

When Identity Manager is integrated with Single Sign-On, ValidateHeadersWithPS is on by default. The SiteMinder header always sends the full DN value for the user in question. With auth/az mapping, however, Identity Manager has only the user ID and not the full DN value, so this validation always fails.

Resolution

Turn off ValidateHeadersWithPS.

  1. Stop the application server.
  2. Disable ValidateHeadersWithPS in the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF by setting the Enabled config-property value to false.
    Note: For WebSphere, the ra.xml file is located in WebSphere_home/AppServer/profiles/Profile_name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/policyserver.rar/META-INF.
  3. Start the application server.
  4. (WebSphere only) Update the policy server object in the Administrative Console with the same values as in the ra.xml file.
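
To confirm the edit from step 2 before restarting, and to list the values that step 4 asks you to mirror in the WebSphere Administrative Console, the following added example (not code from the product or this article) reads the config-property entries from an ra.xml. It assumes the standard JCA descriptor layout and a property named ValidateHeadersWithPS; the sample XML and the ExampleOtherSetting name are constructed, so check the names against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the standard JCA descriptor layout; not the product's real ra.xml.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <config-property>
      <config-property-name>ValidateHeadersWithPS</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>ExampleOtherSetting</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>placeholder</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

def _local(tag):
    """Strip an XML namespace such as '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]

def read_config_properties(xml_text):
    """Return every (name, value) pair found in <config-property> elements."""
    pairs = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "config-property":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        pairs.append((fields.get("config-property-name", ""),
                      fields.get("config-property-value", "")))
    return pairs

def property_state(xml_text, name="ValidateHeadersWithPS"):
    """Return 'missing', 'disabled' (every value is false) or 'enabled'."""
    values = [v.lower() for n, v in read_config_properties(xml_text) if n == name]
    if not values:
        return "missing"
    return "disabled" if all(v == "false" for v in values) else "enabled"

if __name__ == "__main__":
    # Print every pair so the WebSphere policy server object can be compared against it.
    for prop_name, prop_value in read_config_properties(SAMPLE_RA_XML):
        print(f"{prop_name} = {prop_value}")
    print("ValidateHeadersWithPS:", property_state(SAMPLE_RA_XML))
```

A result of "missing" means the property name assumed here does not match the file, not that validation is off.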