CA API Gateway was recently upgraded to version 9.3, and since then our API Gateway engineers have been seeing the following errors on the Gateway.
WARNING 10102 CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token:I2kO3+……………zlxoa40NiN9
It's not happening continuously, but our API Gateway people are seeing a significant number of errors.
SiteMinder Policy Server version: 12.52 SP1 CR06
Operating System: RHEL 6.9 x86_64
CA API Gateway version: 9.3
The custom SSO agent used by API Gateway checks the timeouts in the session. If the idle timeout is set to zero, it fails validation and rejects the SMSESSION.
Support reproduced the issue and confirmed the workaround below.
If "Idle Timeout" or "Maximum Timeout" for the SiteMinder realm is not enabled (or is set to 0), we see Au or Az failures. When they are not enabled in SiteMinder, these values are set to 0. So when the Gateway checks the IdleTimeout, the check always fails, which leads to Au/Az failures even though the session was just created and is valid.
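The failure mode described above, as an added Python model (not the Gateway's or the SSO agent's own code). The field and function names are hypothetical, and the corrected check assumes that 0 means the timeout is disabled.

```python
from dataclasses import dataclass


@dataclass
class Session:
    # Hypothetical fields standing in for what a decoded session carries.
    created: int       # epoch seconds when the session was created
    last_access: int   # epoch seconds of the last validated request
    idle_timeout: int  # seconds; 0 when "Idle Timeout" is not enabled
    max_timeout: int   # seconds; 0 when "Maximum Timeout" is not enabled


def validate_buggy(s: Session, now: int) -> str:
    """Treats 0 as a real limit, so a disabled timeout rejects every session."""
    if now - s.last_access >= s.idle_timeout:
        return "reject: idle timeout"
    if now - s.created >= s.max_timeout:
        return "reject: max timeout"
    return "accept"


def validate_fixed(s: Session, now: int) -> str:
    """Assumed correction: 0 means 'disabled', so that check is skipped."""
    if s.idle_timeout > 0 and now - s.last_access >= s.idle_timeout:
        return "reject: idle timeout"
    if s.max_timeout > 0 and now - s.created >= s.max_timeout:
        return "reject: max timeout"
    return "accept"


NOW = 1_700_000_000  # constructed clock value
SAMPLES = {          # constructed sessions, not taken from a real Gateway
    "new, both disabled": Session(NOW - 5, NOW - 1, 0, 0),
    "new, max disabled": Session(NOW - 5, NOW - 1, 3600, 0),
    "new, both enabled": Session(NOW - 5, NOW - 1, 3600, 7200),
    "idle 2h, idle limit 1h": Session(NOW - 7200, NOW - 7200, 3600, 0),
}


def compare(now: int = NOW) -> dict:
    """Return {case: (buggy verdict, fixed verdict)} for every sample."""
    return {name: (validate_buggy(s, now), validate_fixed(s, now))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (buggy, fixed) in compare().items():
        print(f"{name:24} buggy={buggy:22} fixed={fixed}")
```

In this model a realm with both values at 0 never expires a session on the corrected path, while a configured idle limit is still enforced.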
The code fix will be included in 9.3 CR3 (bugid: DE343361)
9.2 CR8: Released March 2018
9.3 CR2: Scheduled for release end of May