Authorization stopped working when directory mapping is in use and users are disabled in the authorization directory.

Article ID: 52674

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

We are facing different behavior between Siteminder 6 SP4 and Siteminder r12 SP1 CR5 when using several Authentication and Authorization Directories.

In Siteminder 6 SP4 the user authenticates and successfully accesses the protected application, even if the user is locked (userdisableflag=2) in the Authorization Directory.

In the access log, we can see "AuthAccept", then "AzAccept".

In Siteminder 12 SP1 CR5 the user fails to access any protected application.

In the access log, we can see "AuthAccept", then an "AzReject".

Solution:

There has been a change made in 6.0 SP5 CR27 and r12 SP1 CR3.

Before that change, the Policy Server did not check the user's disabled state when AZ (authorization directory) mapping was used; it only checked the authentication directory. It now also checks the user's disabled state in the AZ directory, so a user who is enabled in the authentication directory but disabled in the authorization directory authenticates (AuthAccept) and is then rejected at authorization (AzReject).

That is why you are seeing a change in behavior from 6.0 SP4.

From the release notes of r12 SP1 CR3:

82501 The policy server directory mapping feature will no longer authorize a user when the authorization user directory has disabled the user but the authentication user directory has not disabled them.
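The following Python model illustrates the two behaviours the article contrasts. It is an added illustration, not SiteMinder code: the directory contents, user names and flag values are constructed, the "AuthAccept"/"AzAccept"/"AzReject" strings only mirror the event names quoted from the access log, and the `check_az_disabled` switch is an assumption used to stand in for the pre-fix and post-fix Policy Server builds. The `users_affected_by_change` helper is the audit a practitioner would run before moving from 6.0 SP4 to a fixed release: it lists accounts that are enabled in the authentication directory but disabled in the mapped authorization directory, i.e. the accounts that will start receiving AzReject.

```python
# Added illustration of the authorization-directory-mapping check described in
# this article. Not SiteMinder code: directories, user names and flag values
# below are constructed; event strings mirror the access-log names the
# article quotes.
from dataclasses import dataclass
from typing import Dict, List, Optional

# The article reports the locked user carrying userdisableflag=2. Here any
# non-zero flag value is treated as "disabled"; 2 is used for the sample user.
SAMPLE_LOCKED_FLAG = 2


@dataclass
class UserEntry:
    username: str
    disabled_flags: int = 0  # 0 = enabled, non-zero = disabled


@dataclass
class Directory:
    name: str
    users: Dict[str, UserEntry]

    def lookup(self, username: str) -> Optional[UserEntry]:
        return self.users.get(username)


def is_disabled(entry: Optional[UserEntry]) -> bool:
    """A missing entry is not 'disabled'; it simply cannot be resolved."""
    return entry is not None and entry.disabled_flags != 0


def authenticate(auth_dir: Directory, username: str) -> str:
    """Authentication consults the authentication directory's disabled flag."""
    entry = auth_dir.lookup(username)
    if entry is None or is_disabled(entry):
        return "AuthReject"
    return "AuthAccept"


def authorize(az_dir: Directory, username: str, check_az_disabled: bool) -> str:
    """Authorization with directory mapping re-resolves the identity in the
    authorization directory. check_az_disabled=False models the pre-change
    behaviour (6.0 SP4); True models 6.0 SP5 CR27 / r12 SP1 CR3 and later,
    where the disabled state in the AZ directory is also enforced."""
    entry = az_dir.lookup(username)
    if entry is None:
        return "AzReject"
    if check_az_disabled and is_disabled(entry):
        return "AzReject"
    return "AzAccept"


def access_events(auth_dir: Directory, az_dir: Directory,
                  username: str, check_az_disabled: bool) -> List[str]:
    """Access-log style event sequence for one request to a protected resource."""
    events = [authenticate(auth_dir, username)]
    if events[0] == "AuthAccept":
        events.append(authorize(az_dir, username, check_az_disabled))
    return events


def users_affected_by_change(auth_dir: Directory, az_dir: Directory) -> List[str]:
    """Accounts enabled in the authentication directory but disabled in the
    mapped authorization directory: they pass before the fix and are rejected
    at authorization after it. Run this as a pre-upgrade audit."""
    affected = []
    for name, entry in auth_dir.users.items():
        if is_disabled(entry):
            continue  # already rejected at authentication in both versions
        if is_disabled(az_dir.lookup(name)):
            affected.append(name)
    return sorted(affected)


# Constructed sample directories: bob is the case the article describes.
AUTH_DIR = Directory("auth-ldap", {
    "alice": UserEntry("alice"),
    "bob": UserEntry("bob"),
    "carol": UserEntry("carol", disabled_flags=SAMPLE_LOCKED_FLAG),
})
AZ_DIR = Directory("az-ldap", {
    "alice": UserEntry("alice"),
    "bob": UserEntry("bob", disabled_flags=SAMPLE_LOCKED_FLAG),
    "carol": UserEntry("carol"),
})

if __name__ == "__main__":
    for check in (False, True):
        label = "after fix " if check else "before fix"
        print(label, "bob:", access_events(AUTH_DIR, AZ_DIR, "bob", check))
    print("accounts that will start seeing AzReject:",
          users_affected_by_change(AUTH_DIR, AZ_DIR))
```

Running the block prints `['AuthAccept', 'AzAccept']` for bob under the pre-fix setting and `['AuthAccept', 'AzReject']` under the post-fix setting, which is exactly the pair of access-log sequences in the Description above; carol, who is disabled in the authentication directory, is rejected at authentication in both versions and therefore never appears in the affected list.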

Environment

Component: SMPLC