Single Sign On Problems between V6 and R12


Article ID: 7642


Products

CA Single Sign On Secure Proxy Server (SiteMinder); AXIOMATICS POLICY SERVER; CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On

Issue/Introduction

SSO fails between two separate environments (disparate policy stores). This article describes what needs to be in place to achieve SSO when clients navigate between a web server in V6 and a web server in R12.

Cause

SSO fails when navigating between the environments because the session ticket is not the same. The SMSESSION cookie could be decoded (the Agent keys were the same), but when the agent sent the session spec to the policy server, the policy server could not read the session spec. This is logged as "invalid key in use" in the smaccess log and in the policy server trace log.

Environment

Two environments whose policy servers point to different policy stores: Store 1 is Oracle LDAP and Store 2 is CA Directory 12 SP18.

Resolution

The session ticket is unreadable across V6 and R12 (V6 will treat it as NULL; R12 will fail to validate the session).

Option to move past this issue:

Reset the session ticket in both environments to a known value (NOTE: this forces all currently logged-in sessions to be re-challenged).

This is done in the Admin UI; see the attached screenshot (session-key.png) for an example.

Additional Information

(a) The name of the User Directory object in the Admin UI must be defined with the same name in both policy stores; the authenticated user's DN must also be the same.

OR

(b) AuthValidation functionality can be used if (a) is not possible.

Common errors to look for when SSO fails:

  • Failed to decrypt (session keys are different)

Error in the Web Agent trace:

[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]

  • Invalid key in use

The session ticket is not the same, or a "custom agent" created the SMSESSION cookie; the latter is resolved by setting the ACO parameter AcceptTPCookie to yes.

Error in the Policy Server trace (Az): [** Status: Not Authorized. Invalid key in use]

  • User directory name problem

User "A" is not authorized in the second environment (user directory name problem).

Error in the Policy Server trace:

[00:15:48][** Status: Not Validated. Failed to resolve user directory 'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']
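The three error signatures above each point at a different mismatch between the two environments, so they are useful for triage. The following is an added example (not part of this article or of the SiteMinder product) that scans Web Agent and Policy Server trace lines for those signatures and reports the cause and the fix the article gives for each. The sample trace lines are constructed from the messages quoted above; the regular expressions and the remediation text are assumptions based only on this article.

```python
import re

# Signatures taken from the log excerpts quoted in this article. Each entry maps
# a regex over one trace line to a category and the remediation the article gives.
SIGNATURES = [
    (re.compile(r"Failed to decrypt SMSESSION= cookie"),
     "cookie_decrypt_failed",
     "Keys used to encrypt the SMSESSION cookie differ between the environments."),
    (re.compile(r"Not Authorized\. Invalid key in use"),
     "invalid_key_in_use",
     "Session ticket differs between the policy stores (reset it to a known value "
     "in both environments), or the cookie was created by a custom agent "
     "(set the ACO parameter AcceptTPCookie to yes)."),
    (re.compile(r"Failed to resolve user directory '([^']*)'"),
     "user_directory_unresolved",
     "User Directory object is not defined under the same name in the second "
     "policy store; use the same name in both stores, or use AuthValidation."),
]

# Constructed sample trace: the three messages quoted in the article plus one
# unrelated line, to show that only the known signatures are reported.
SAMPLE_TRACE = [
    "[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]",
    "[** Status: Not Authorized. Invalid key in use]",
    "[00:15:48][** Status: Not Validated. Failed to resolve user directory "
    "'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']",
    "[00:15:49][** Status: Authenticated.]",  # constructed, should not match
]


def classify_line(line):
    """Return a finding dict for a recognised SSO failure line, else None.

    For the user-directory signature the directory name is captured so the
    administrator can check it against the User Directory objects in the
    second policy store.
    """
    for regex, category, remedy in SIGNATURES:
        match = regex.search(line)
        if match:
            finding = {"category": category, "remedy": remedy, "line": line.strip()}
            if match.groups():
                finding["user_directory"] = match.group(1)
            return finding
    return None


def triage(lines):
    """Classify every line; keep one finding per category (first occurrence)."""
    findings = {}
    for line in lines:
        finding = classify_line(line)
        if finding and finding["category"] not in findings:
            findings[finding["category"]] = finding
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"{f['category']}: {f['remedy']}")
        if "user_directory" in f:
            print(f"  unresolved directory name: {f['user_directory']}")
```

Run it against the concatenated Web Agent and Policy Server trace files; a `cookie_decrypt_failed` finding means the agent on the second environment never got as far as the policy server, while `invalid_key_in_use` means the cookie decoded but the session spec did not, which is the case this article describes.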

Attachments

1558700001743000007642_sktwi1f5rjvs16ow1.png