Disabled User doesn't get Authorized as it was in Policy Server 6
search cancel

Disabled User doesn't get Authorized as it was in Policy Server 6

book

Article ID: 8758

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

When running Policy Server, and for a specific URL, the Policy Server never authorizes the User as it should. Before, the former Policy Server version 6 was authorizing this access, and there wasn't any configuration change on this.

 

Environment

 

Policy Server 12.52SP1 on RedHat 6 64bit; (Policy Server was upgraded from 6.0SP5CR05)
AdminUI 12.52SP1 on RedHat 6 64bit;
Web Agent 5QMR7CR00 on Windows 2003SP2

 

Cause

 

The authorization fails because of the User not being found in the authorization mapping: The User is disabled.

The User is not authorized when requesting a GET on the protected resource.  

The Policy Server 12.52SP1 does not find it in one of the LDAP servers defined for that resource:

  ldap1:389
  ldap2:389
  ldap3:389

The former Policy Server 6.0SP5CR05 had a bug that was corrected in 6.0SP5CR25, to fix a known issue for a condition that was allowing access even if the User was disabled.

Now, the behavior has changed since Policy Server 6.0SP5CR35, and the user needs to be enabled in the Authorization User Store too. 

From smps-6_0_5_35-readme.txt :


   80437 The policy server directory mapping feature will no longer
         authorize a user when the authorization user directory has disabled
         the user but the authentication user directory has not disabled them.


 

Resolution

 

  • Enable the User from the User Store, so the Authorization call works with the Authorization Mapping.