Authorization Fails Under Auth-Validate Mapping

Document ID : KB000051488
Last Modified Date : 14/02/2018

Description:

Authorization fails under Auth-Validate directory mapping when a user's accounts in different directories share the same UID but have different DNs.

Solution:

Description
Users have accounts in several user store directories; the UIDs of these accounts are the same, but their DNs differ. The objective is to enable SSO between the domains using directory mapping.

In this example, the Auth-Validate directory mapping is configured to allow:
Domain1/Identical DN = Domain3/Identical DN
Domain1/Universal ID = Domain2/Universal ID

Example:
Domain1
  -- AD1 (Universal ID=CN)
     cn=user1
     dn=cn=user1,o=company
Domain2
  -- AD2 (Universal ID=CN)
     cn=user1
     dn=cn=user1,dc=company
Domain3
  -- AD3 (Universal ID=CN)
     cn=user1
     dn=cn=user1,company

Users can obtain an SM session from Domain1 and have SSO to Domain3. When users log in to Domain1 and then try Domain2, they are authenticated (the session is validated), but authorization fails.
Example:
[testRealm][][][5][0][Basic][a039227][][/test/][][][][app1.company.com][Authenticating user.]
[testRealm][][][][][Basic][a039227][][][GOT_App1Auth][][][app1.company.com][** Status: Authenticated. ][][]
[testRealm][][][][][][a039227][][][][][][app1.company.com][** Status: Authorized. ]
*NOW WE TRY DOMAIN 2*
][new][][][][][Basic][][][/test/][][][][app1.company.com][Validate session and session type for the user.][2][]
[1609][new][][][][][Basic][a039227][][/test/][GOT_App1Auth][][][app1.company.com][Evaluating 'OnAuthAccept' policy...][][]
[new][][][][][Basic][a039227][][][GOT_App1Auth][][][app1.company.com][** Status: Validated. ][][]
[1618][][][][][][][a039227][][][GOT_App1Auth][][][][Validate session and session type for the user.][2][]
[1618][new][][][][][][a039227][][][][][][app1.company.com][Authorizing user...][][]
[1618][new][][][][][][a039227][][][][][][app1.company.com][** Status: Not Authorized. ][][]

Solution

  1. Use directory mapping instead of Auth-Validate directory mapping if you have a single SiteMinder installation.
  2. Check that the respective realms have an Authorization directory set in their advanced settings; by default a realm uses the same directory for both authentication and authorization.
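The following is an added example, not part of this KB article or the product's code: a simplified Python model of how a realm picks the directory entry it authorizes, built from the article's Domain1/Domain2 data. It reproduces the "Validated" but "Not Authorized" outcome for a realm that has no authorization directory configured and shows the same session succeeding once the realm points at its own directory with a Universal ID mapping (step 2 above). The lookup rules (a foreign DN matches nothing unless a mapping resolves it) are an assumption made for illustration; Domain3 is left out.

```python
# Added example (not from the KB article): simplified model of realm authorization
# under directory mapping. Lookup rules are an assumption for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed user stores mirroring the article: DN -> attributes. Same CN, different DN.
DIRECTORIES = {
    "AD1": {"cn=user1,o=company": {"cn": "user1"}},
    "AD2": {"cn=user1,dc=company": {"cn": "user1"}},
}

@dataclass(frozen=True)
class Session:
    auth_dir: str       # directory the session was authenticated against
    user_dn: str        # DN captured at authentication time
    universal_id: str   # Universal ID value (CN in the article's example)

@dataclass(frozen=True)
class Realm:
    auth_dir: str
    authz_dir: Optional[str] = None   # None: realm defaults to its authentication directory
    mapping: Optional[str] = None     # None, "identical_dn" or "universal_id"

def resolve_user(session: Session, realm: Realm) -> Optional[str]:
    """Return the DN the realm would authorize, or None when no entry matches."""
    target = realm.authz_dir or realm.auth_dir
    entries = DIRECTORIES[target]
    # Same directory, or an Identical DN mapping: the session's DN must exist as-is.
    if session.auth_dir == target or realm.mapping == "identical_dn":
        return session.user_dn if session.user_dn in entries else None
    # Universal ID mapping: find the entry whose Universal ID attribute matches.
    if realm.mapping == "universal_id":
        for dn, attrs in entries.items():
            if attrs.get("cn") == session.universal_id:
                return dn
        return None
    # No mapping between the two directories: the foreign DN matches nothing.
    return None

def authorize(session: Session, realm: Realm) -> str:
    return "Authorized" if resolve_user(session, realm) else "Not Authorized"

# Session obtained in Domain1, then presented to a realm in Domain2.
SESSION = Session("AD1", "cn=user1,o=company", "user1")
DEFAULT_REALM = Realm(auth_dir="AD2")                                          # article's failing setup
MAPPED_REALM = Realm(auth_dir="AD2", authz_dir="AD2", mapping="universal_id")  # step 2 applied

if __name__ == "__main__":
    print(authorize(SESSION, DEFAULT_REALM))  # Not Authorized
    print(authorize(SESSION, MAPPED_REALM))   # Authorized
```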