Identity Manager fails when using AUTH and AZ mapping with SSO integration.

Document ID : KB000004689
Last Modified Date : 14/02/2018

Issue: When using AUTH and AZ mapping with SSO integration, the user gets a "File Not Found" error in the browser and the following error appears in the application server log:

Header userDN and session spec users do not match


Environment: Identity Manager integrated with Single Sign-On (SiteMinder) using authentication/authorization (AUTH/AZ) mapping.

Cause: When Identity Manager is integrated with Single Sign-On, ValidateHeadersWithPS is enabled by default. The SiteMinder header always carries the full DN of the user in question. With authentication/authorization mapping, however, Identity Manager holds only the user ID, not the full DN, so the comparison between the header userDN and the session spec user can never succeed and the request is rejected with the error above.


Resolution: Turn off ValidateHeadersWithPS. This disables the check that produced the error above, so Identity Manager accepts the user identity carried in the SiteMinder header without comparing it to the session spec.

  1. Stop the application server.
  2. Disable ValidateHeadersWithPS in the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF by changing the Enabled config-property value to false.
    Note: For WebSphere, the ra.xml file is located in WebSphere_home/AppServer/profiles/Profile_name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/policyserver.rar/META-INF.
  3. Start the application server.
  4. (WebSphere only) Update the policy server object in the Administrative Console with the same values as in the ra.xml file, otherwise the console copy of the configuration will overwrite your edit.
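The edit in step 2 is a change to one JCA config-property in a deployment descriptor, and it is easy to miss the right element or to leave the server running with a half-edited file. The following script is an added example for this article, not CA's own tooling: it locates the named config-property in a ra.xml, sets its value to false, and reads the value back so you can confirm the change before restarting. It assumes the property appears as a standard JCA <config-property> whose <config-property-name> is ValidateHeadersWithPS and whose <config-property-value> holds true or false; the sample descriptor embedded below is constructed for the example and is not copied from the product, so compare it against your own ra.xml before relying on the element names.

```python
"""Set ValidateHeadersWithPS to false in a JCA ra.xml and verify the result.

Added example for this KB article, not CA's own tooling. Assumes the property is a
standard JCA <config-property> (name/type/value children); the sample descriptor
below is constructed for the example, not taken from the product.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

PROPERTY = "ValidateHeadersWithPS"
J2EE_NS = "http://java.sun.com/xml/ns/j2ee"

# Keep the default namespace on output instead of ElementTree's ns0: prefixes.
ET.register_namespace("", J2EE_NS)

# Constructed sample: a trimmed JCA 1.5 style descriptor with the default (true).
SAMPLE_RA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <display-name>PolicyServer</display-name>
  <resourceadapter>
    <outbound-resourceadapter>
      <connection-definition>
        <config-property>
          <config-property-name>Enabled</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value>true</config-property-value>
        </config-property>
        <config-property>
          <config-property-name>ValidateHeadersWithPS</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value>true</config-property-value>
        </config-property>
      </connection-definition>
    </outbound-resourceadapter>
  </resourceadapter>
</connector>
"""


def _local(tag):
    """Strip the namespace so matching works with or without xmlns on <connector>."""
    return tag.rsplit("}", 1)[-1]


def _find_value_element(root, name):
    """Return the <config-property-value> of the config-property called `name`, or None."""
    for prop in root.iter():
        if _local(prop.tag) != "config-property":
            continue
        name_el = value_el = None
        for child in prop:
            if _local(child.tag) == "config-property-name":
                name_el = child
            elif _local(child.tag) == "config-property-value":
                value_el = child
        if name_el is not None and (name_el.text or "").strip() == name:
            return value_el
    return None


def get_property(xml_text, name=PROPERTY):
    """Return the current value of the named config-property, or None if absent."""
    value_el = _find_value_element(ET.fromstring(xml_text), name)
    return None if value_el is None else (value_el.text or "").strip()


def disable_property(xml_text, name=PROPERTY):
    """Return the descriptor with the named property set to false; raise if it is absent.

    Only the matching <config-property-value> is touched; other properties such as
    Enabled are left as they were. ElementTree does not re-emit the XML declaration.
    """
    root = ET.fromstring(xml_text)
    value_el = _find_value_element(root, name)
    if value_el is None:
        raise KeyError(f"{name} not found in ra.xml")
    value_el.text = "false"
    return ET.tostring(root, encoding="unicode")


def disable_in_file(path, name=PROPERTY):
    """Edit ra.xml in place, keeping a .bak copy; return (old_value, new_value)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    old = get_property(text, name)
    new_text = disable_property(text, name)
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return old, get_property(new_text, name)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(disable_in_file(sys.argv[1]))  # e.g. .../policyserver.rar/META-INF/ra.xml
    else:
        print(get_property(SAMPLE_RA_XML), "->", get_property(disable_property(SAMPLE_RA_XML)))
```

Run it with the path to your ra.xml as the only argument while the application server is stopped (step 1); it prints the old and new values and leaves a .bak copy beside the file. The lookup matches on the config-property-name text rather than on position, so it still finds the property if the descriptor lists properties in a different order than the sample, and it fails loudly instead of silently changing nothing when the property is absent.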