Identity Manager fails when using AUTH and AZ mapping with SSO integration.

book

Article ID: 4689

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

When using AUTH and AZ mapping with SSO integration, the user gets a "File Not Found" in the browser and the following error in the application server log:

Header userDN and session spec users do not match

 

Cause

When integrated with Single Sign On, ValidateHeadersWithPS is on by default. The SiteMinder header will always send the full DN value for the user in question. However, when using auth/az mapping, Identity Manager will have only the user id, and not the full DN value, so this validation will always fail.

Environment

Identity Manager when integrated with Single Sign-On using authentication/authorization mapping.

Resolution

Turn off ValidateHeadersWithPS.

  1. Stop the application server.
  2. Disable the ValidateHeadersWithPS in the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF by setting the Enabled config-property value to false.
    Note: For WebSphere, the ra.xml file is located in WebSphere_home/AppServer/profiles/ Profile_name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/policyserver.rar/META-INF.
  3. Start the application server.
  4. (WebSphere only) Update the policy server object in the Administrative Console with same values as in the ra.xml file.