How to configure the Single Sign On TAI so that the SiteMinder User can be located as a unique user within the WebSphere User Registry.

Document ID : KB000009755
Last Modified Date : 14/02/2018
Show Technical Document Details

The Single Sign On (fka SiteMinder) Application Server Agent for WebSphere TAI performs "perimeter authentication" for WebSphere. Via a trust association, WebSphere trusts that the TAI has validated the User's Credentials. Even though WebSphere does not need to validate the credentials of the User that the TAI is propagating, the user must still be discovered in the WebSphere User Registry to ensure the user is in fact a WebSphere user; WebSphere requires that an identity that is valid against the WebSphere user registry is available in the Subject to handle WebSphere Single Signon (SSO) and all J2EE programmatic security calls. To ensure the Single Sign On user is a WebSphere User, the TAI utilizes the WebSphere API's to get the UniqueUserID of the user from the WebSphere User Registry.

If WebSphere is configured with multiple User Directories in a "Federated Repository", the identity that the TAI is propagating must not exist in more than one of the federated user directories or the request will fail since the identity is not unique. Identities must be unique across all directories in a Federated WebSphere Repository.


In a typical CA Single Sign On TAI/WebSphere integration, you would configure WebSphere to use the SiteMinder User Directory as the WebSphere User Registry ensuring that the SiteMinder User propagated is found in the WebSphere User Registry. In some environments, this is not possible and the TAI and WebSphere are configured with separate User Directories which have different DIT structures. 

By default the TAI will search for the UniqueUserID within WebSphere's User Registry by the FullDN of the Authenticated Single Sign On user. If the 'getUniqueUserId(userId)' call fails to return a value, then either the Single Sign On user could not be found in the WebSphere User Registry or the UserID is not unique. The TAI cannot consider the user to be a unique WebSphere User, and the TAI will log the "SM TAI failed to get user registry attributes" message.

WebSphere Appliication ServerCA Application Server Agent for WebSphereCA SSO Environment

There are three methods that can be used to propagate and search for the SiteMinder User in the WebSphere User Registry based on the "AssertByUserID" setting.

By default the AssertByUserID ACO parameter for the TAI is false, and the TAI will use the SiteMinder UserDN to locate the WebSphere User in the WebSphere User Registry. If the user based on the SiteMinder UserDN will not be found in the WebSphere User Registry because the DIT structure is different, you can set AssetByUserID to "True".

With the AssertByUserID set to "True", SiteMinder will use the SMUser value to search for the user in the WebSphere User Registry. If the SMUser value won't match your User in WebSphere either, then the third option is the User Mapping feature in which you define an LDAP attribute from your SiteMinder User Directory to be used as the value to propagate and to search for the uniqueUserId from WebSphere.

Additional Information:

Please refer to the "CA SiteMinder® Agent for IBM WebSphere Agent Guide r12.0 SP2, Chapter 1: Introduction, Other Deployment Considerations, Identity and User Mapping" starting on page 21 of the PDF.

Please refer to the "CA SiteMinder® Agent for IBM WebSphere Agent Guide r12.0 SP2, Chapter 7: Configuring Policies for the SiteMinder Agent, Configure SiteMinder Policies to Support User Mapping (Optional)" starting on page 112 of the PDF.