Description:
We are facing different behavior between Siteminder 6 SP4 and Siteminder r12 SP1 CR5 when using several Authentication and Authorization Directories.
In Siteminder 6 SP4 the user authenticates and successfully accesses the protected application, even if the user is locked (userdisableflag=2) in the Authorization Directory.
In the access log, we can see "AuthAccept", then "AzAccept".
In Siteminder 12 SP1 CR5 the user fails to access any protected application.
In the access log, we can see "AuthAccept", then "AzReject".
Solution:
There has been a change made in 6.0 SP5 CR27 and r12 SP1 CR3.
Earlier, the Policy Server did not check the user's disabled state when AZ Mapping (authorization directory mapping) was used; it now checks the user's disabled state in the AZ Directory as well.
That is why you are seeing a change in behavior from 6.0 SP4.
From the release notes of r12 SP1 CR3:
82501 The policy server directory mapping feature will no longer authorize a user when the authorization user directory has disabled the user but the authentication user directory has not disabled them.
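After the upgrade, the quickest way to find users affected by this change is to look for the "AuthAccept" followed by "AzReject" pattern described above and then check their disabled state in the AZ Directory. The following is an added example, not part of the original article or of Siteminder; it assumes a simplified, constructed one-event-per-line log layout rather than the real smaccess log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not the real Siteminder smaccess format):
# assumption is one event per line with "user=" and "resource=" fields.
SAMPLE_LOG = """\
2024-01-01T10:00:00 AuthAccept user=alice resource=/app/
2024-01-01T10:00:01 AzAccept user=alice resource=/app/
2024-01-01T10:02:00 AuthAccept user=bob resource=/app/
2024-01-01T10:02:01 AzReject user=bob resource=/app/
2024-01-01T10:03:00 AuthReject user=carol resource=/app/
2024-01-01T10:04:00 AuthAccept user=dave resource=/app/
2024-01-01T10:04:01 AzReject user=dave resource=/app/
2024-01-01T10:05:00 AuthAccept user=dave resource=/app2/
2024-01-01T10:05:01 AzAccept user=dave resource=/app2/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>Auth\w+|Az\w+)\s+user=(?P<user>\S+)\s+resource=(?P<res>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_auth_ok_az_rejected(log_text):
    """Return {user: [resources]} for users who passed authentication
    (AuthAccept) but were then rejected at authorization (AzReject).

    These are the accounts whose disabled state in the AZ Directory should be
    reviewed, since the r12 SP1 CR3 / 6.0 SP5 CR27 change now enforces it.
    """
    pending = {}  # user -> resource of the latest AuthAccept awaiting an Az decision
    hits = defaultdict(list)
    for ev in parse(log_text):
        user, event = ev["user"], ev["event"]
        if event == "AuthAccept":
            pending[user] = ev["res"]
        elif event in ("AzAccept", "AzReject") and user in pending:
            if event == "AzReject":
                hits[user].append(pending[user])
            del pending[user]  # the Az decision closes this AuthAccept
    return dict(hits)


if __name__ == "__main__":
    print(find_auth_ok_az_rejected(SAMPLE_LOG))
```

Users listed by the function authenticated against the Authentication Directory but were denied by authorization, which is exactly the symptom a disabled flag in the AZ Directory produces on the newer builds.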