A user has "must change password" status. The user logs on to a protected Identity Manager (IM) URL and is supposed to be redirected by SiteMinder (SM) to the IM PasswordServices page to reset the password. Instead, the user sees the IM native login page with a login error message.
The SM trace log and the web agent trace log show no errors.
The IM server log shows "The required Siteminder headers were not found. Logon denied".
If a user requests the PasswordServices page directly via the application, the page is displayed fine.
If a user requests the PasswordServices page directly via the proxy server (anonymously protected by an SM auth scheme), the user is presented with the IM login page and a login error message on the page.
IM 14.x
Application server: WebSphere
IM and SM / SSO are integrated.
When users access the PasswordServices page via the proxy server (anonymously protected by an SM auth scheme), all SM default headers are passed on to the IM application. However, the IM application is not coded to recognize those headers for pages under the public domain, so it presents users with its native login page even though, from IM's perspective, the page is not protected.
The issue is caused by the IM FrameworkAuthFilter still being enabled.
The change to FrameworkAuthFilter must be made in the web.xml at this location:
\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\<cell_name>\applications\iam_im.ear\deployments\iam_im\user_console.war\WEB-INF
If the change is done in web.xml under:
\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\<cell_name>\iam_im.ear\user_console.war\WEB-INF
it won’t take effect.
Restart the IM application after the change.
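One way to confirm which copy of web.xml carries the FrameworkAuthFilter change is to parse both copies and compare the filter's declaration, parameters and mappings. This is an added example, not code from the article or the product. The sample web.xml content, the filter class and the init-param name `Enable` are constructed placeholders, so check the names in your own web.xml.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "FrameworkAuthFilter"  # filter named in this article

# Constructed sample web.xml; the filter-class and the "Enable" init-param are
# placeholders (assumptions), not values taken from the article.
_TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>FrameworkAuthFilter</filter-name>
    <filter-class>example.ConstructedFilter</filter-class>
    <init-param><param-name>Enable</param-name><param-value>{value}</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>FrameworkAuthFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""
CONFIG_COPY = _TEMPLATE.format(value="true")      # cell config copy, not yet edited
INSTALLED_COPY = _TEMPLATE.format(value="false")  # installedApps copy, edited by mistake

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace prefix web.xml may declare

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def filter_state(web_xml_text, filter_name=FILTER_NAME):
    """Return the declaration, init-params and URL mappings of one filter."""
    root = ET.fromstring(web_xml_text)
    state = {"declared": False, "init_params": {}, "mappings": []}
    for elem in root:
        if _child_text(elem, "filter-name") != filter_name:
            continue
        if _local(elem.tag) == "filter":
            state["declared"] = True
            for p in elem:
                if _local(p.tag) == "init-param":
                    state["init_params"][_child_text(p, "param-name")] = _child_text(p, "param-value")
        elif _local(elem.tag) == "filter-mapping":
            state["mappings"].append(_child_text(elem, "url-pattern"))
    return state

def compare_copies(config_copy, installed_copy):
    """Compare the cell config web.xml (the one that takes effect) with the installedApps copy."""
    cfg, inst = filter_state(config_copy), filter_state(installed_copy)
    return {"config": cfg, "installed": inst, "in_sync": cfg == inst}
```

To run it against a real deployment, read the two web.xml files from the locations given above and pass their contents to `compare_copies`; the `config` entry reflects the copy this article says takes effect.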