Authorization Fails Under Auth-Validate Mapping

Article ID: 51488

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Authorization fails under Auth-Validate directory mapping when a user has accounts in several user directories whose UIDs are the same but whose DNs differ.

Solution:

Authorization Fails Under Auth-Validate Mapping

Description
Users have accounts in more than one user directory; the Universal IDs (UIDs) are identical across the directories, but the DNs are not. The objective is to enable SSO between the domains using directory mapping.

In this example, Auth-Validate directory mapping is configured to allow:
Domain1/Identical DN = Domain3/Identical DN
Domain1/Universal ID = Domain2/Universal ID

Example:
Domain1
  -- AD1 (Universal ID=CN)
     -- cn=user1
     -- dn=cn=user1,o=company
Domain2
  -- AD2 (Universal ID=CN)
     -- cn=user1
     -- dn=cn=user1,dc=company
Domain3
  -- AD3 (Universal ID=CN)
     -- cn=user1
     -- dn=cn=user1,company

Users who obtain an SM session from Domain1 have SSO to Domain3. When users log in to Domain1 and then access Domain2, the session is validated (authentication succeeds), but authorization fails.
Example (trace log excerpt):
[testRealm][][][5][0][Basic][a039227][][/test/][][][][app1.company.com][Authenticating user.]
[testRealm][][][][][Basic][a039227][][][GOT_App1Auth][][][app1.company.com][** Status: Authenticated. ][][]
[testRealm][][][][][][a039227][][][][][][app1.company.com][** Status: Authorized. ]
*NOW WE TRY DOMAIN 2*
][new][][][][][Basic][][][/test/][][][][app1.company.com][Validate session and session type for the user.][2][]
[1609][new][][][][][Basic][a039227][][/test/][GOT_App1Auth][][][app1.company.com][Evaluating 'OnAuthAccept' policy...][][]
[new][][][][][Basic][a039227][][][GOT_App1Auth][][][app1.company.com][** Status: Validated. ][][]
[1618][][][][][][][a039227][][][GOT_App1Auth][][][][Validate session and session type for the user.][2][]
[1618][new][][][][][][a039227][][][][][][app1.company.com][Authorizing user...][][]
[1618][new][][][][][][a039227][][][][][][app1.company.com][** Status: Not Authorized. ][][]

Solution

  1. Use Directory Mapping instead of Auth-Validate Directory Mapping if you have a single SiteMinder installation.
  2. Check that each affected realm has an Authorization Directory set in its advanced settings. By default a realm uses the same directory for authentication and authorization, so the user's DN from the authenticating directory (Domain1) is looked up in the realm's own directory (Domain2), where that DN does not exist, and authorization fails even though the session was validated.
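The following is an added example, not CA Single Sign-On product code, that models in a simplified way how a realm resolves the authenticated user in its authorization directory. It reproduces the three outcomes described above: Domain1 to Domain3 succeeds under Identical DN mapping, Domain1 to Domain2 fails with the default realm settings (no authorization directory, so the session DN is looked up by DN in AD2), and Domain1 to Domain2 succeeds once the realm maps the user into AD2 by Universal ID. The class and function names (Directory, Session, Realm, authorize, run_scenarios) and the three sample directory entries are assumptions constructed for this illustration; the real product's internal lookup logic is not shown here.

```python
# Added example, not CA Single Sign-On product code: a simplified model of how a
# realm resolves the authenticated user in its authorization directory. The
# class and function names and the three sample directories are assumptions
# constructed to mirror the article's Domain1/Domain2/Domain3 layout.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Directory:
    name: str
    universal_id_attr: str  # attribute used as the Universal ID (CN in the article)
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)  # dn -> attributes

    def find_by_dn(self, dn: str) -> Optional[Dict[str, str]]:
        return self.entries.get(dn)

    def find_by_universal_id(self, uid: str) -> Optional[str]:
        # Return the DN of the first entry whose Universal ID attribute equals uid.
        for dn, attrs in self.entries.items():
            if attrs.get(self.universal_id_attr) == uid:
                return dn
        return None


@dataclass
class Session:
    user_dn: str               # DN the user authenticated with
    auth_directory: Directory  # directory that authenticated the user


@dataclass
class Realm:
    auth_directory: Directory
    # None models the default: the realm authorizes against its own authentication directory.
    az_directory: Optional[Directory] = None
    # How the session user is mapped into the authorization directory:
    # "dn" (Identical DN) or "universal_id".
    dir_mapping: str = "dn"


def authorize(session: Session, realm: Realm) -> Optional[str]:
    """Return the DN resolved in the realm's authorization directory, or None
    when the user cannot be found there (the trace's '** Status: Not Authorized.')."""
    az = realm.az_directory or realm.auth_directory
    if realm.dir_mapping == "dn":
        # Identical DN mapping: the session DN must exist verbatim in the AZ directory.
        return session.user_dn if az.find_by_dn(session.user_dn) else None
    # Universal ID mapping: read the UID from the authenticating directory, then
    # search the AZ directory for the entry carrying the same UID.
    attrs = session.auth_directory.find_by_dn(session.user_dn) or {}
    uid = attrs.get(session.auth_directory.universal_id_attr)
    return az.find_by_universal_id(uid) if uid else None


# Constructed sample data: the same CN in all three stores; AD1 and AD3 share a
# DN, AD2 does not.
AD1 = Directory("AD1", "cn", {"cn=user1,o=company": {"cn": "user1"}})
AD2 = Directory("AD2", "cn", {"cn=user1,dc=company": {"cn": "user1"}})
AD3 = Directory("AD3", "cn", {"cn=user1,o=company": {"cn": "user1"}})


def run_scenarios() -> Dict[str, Optional[str]]:
    session = Session("cn=user1,o=company", AD1)  # session obtained from Domain1
    return {
        # Domain3: identical DN, so DN mapping resolves the user.
        "domain3_identical_dn": authorize(session, Realm(AD3, dir_mapping="dn")),
        # Domain2 with the default realm settings (no AZ directory, DN lookup):
        # the Domain1 DN does not exist in AD2, so authorization fails after a
        # valid session.
        "domain2_default": authorize(session, Realm(AD2)),
        # Domain2 with the realm mapping AD1 users into AD2 by Universal ID.
        "domain2_universal_id": authorize(
            session, Realm(AD2, az_directory=AD2, dir_mapping="universal_id")
        ),
    }


if __name__ == "__main__":
    for name, resolved in run_scenarios().items():
        status = "Authorized as " + resolved if resolved else "Not Authorized"
        print(f"{name}: {status}")
```

The middle scenario is the one the trace above shows: the session validates, but the realm authorizes against its own directory by DN and cannot find the Domain1 DN there. Setting the realm's Authorization Directory with a Universal ID mapping (third scenario) is what makes the lookup succeed.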

Environment

Release:
Component: SMPLC