Identity Manager fails when using AUTH and AZ mapping with SSO integration.

Document ID : KB000004689
Last Modified Date : 14/02/2018
Issue:

When using AUTH and AZ mapping with SSO integration, the user gets a "File Not Found" error in the browser, and the application server log contains the following error:

Header userDN and session spec users do not match


Environment:
Identity Manager when integrated with Single Sign-On using authentication/authorization mapping.
Cause:

When integrated with Single Sign-On, ValidateHeadersWithPS is on by default. The SiteMinder header always carries the full DN of the user in question. When auth/az mapping is used, however, Identity Manager holds only the user ID, not the full DN, so the comparison between the header userDN and the session user never matches and the validation always fails.

Resolution:

Turn off ValidateHeadersWithPS. This removes the check that the SiteMinder header userDN matches the session user, which is the comparison that produces the error above.

  1. Stop the application server.
  2. Disable ValidateHeadersWithPS in the ra.xml file located in \iam_im.ear\policyserver.rar\META-INF by setting its Enabled config-property value to false.
    Note: For WebSphere, the ra.xml file is located in WebSphere_home/AppServer/profiles/Profile_name/config/cells/Cell_name/applications/iam_im.ear/deployments/IdentityMinder/policyserver.rar/META-INF.
  3. Start the application server.
  4. (WebSphere only) Update the policy server object in the Administrative Console with the same values as in the ra.xml file.
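The edit in step 2 is a one-line change, but ra.xml is a namespaced JCA deployment descriptor, and a naive search on bare tag names finds nothing. The following is an added example, not CA's own code or tooling, of locating a connector config-property by name and flipping its value while staying namespace-agnostic. It assumes the standard JCA layout (config-property with config-property-name, config-property-type and config-property-value children) and a constructed, minimal ra.xml; the property name is a parameter, so match it against the element name actually present in your file (the page refers to it as the Enabled config-property of ValidateHeadersWithPS).

```python
"""Flip a connector config-property in a JCA ra.xml (added example, not CA code)."""
import xml.etree.ElementTree as ET

# Constructed sample in the JCA 1.5 ra.xml shape. The namespace is included on
# purpose: the real file is namespaced, so tag matching must ignore the prefix.
# Only the property relevant to this KB is shown; a real ra.xml carries many more.
SAMPLE_RA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <outbound-resourceadapter>
      <connection-definition>
        <config-property>
          <config-property-name>ValidateHeadersWithPS</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value>true</config-property-value>
        </config-property>
      </connection-definition>
    </outbound-resourceadapter>
  </resourceadapter>
</connector>
"""


def _local(tag):
    """Strip the namespace: '{http://...}config-property' -> 'config-property'."""
    return tag.rsplit('}', 1)[-1]


def _find_property(root, name):
    """Return the <config-property> whose <config-property-name> equals name, else None."""
    for prop in root.iter():
        if _local(prop.tag) != 'config-property':
            continue
        for child in prop:
            if _local(child.tag) == 'config-property-name' and (child.text or '').strip() == name:
                return prop
    return None


def get_property(xml_text, name='ValidateHeadersWithPS'):
    """Return the current value of the named property, or None if it is not defined."""
    prop = _find_property(ET.fromstring(xml_text), name)
    if prop is None:
        return None
    for child in prop:
        if _local(child.tag) == 'config-property-value':
            return (child.text or '').strip()
    return None


def set_property(xml_text, value, name='ValidateHeadersWithPS'):
    """Return ra.xml text with the named property set to value; KeyError if absent.

    The property is never created when missing: silently adding a config-property
    that the connector does not declare would mask a wrong file or wrong path.
    """
    root = ET.fromstring(xml_text)
    # Keep the document's own default namespace (j2ee or javaee, whichever the
    # file uses) so the output is not rewritten with ns0: prefixes.
    if root.tag.startswith('{'):
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    prop = _find_property(root, name)
    if prop is None:
        raise KeyError(f'{name} is not defined in this ra.xml')
    for child in prop:
        if _local(child.tag) == 'config-property-value':
            child.text = value
            break
    else:
        raise KeyError(f'{name} has no config-property-value element')
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    print('before:', get_property(SAMPLE_RA_XML))
    updated = set_property(SAMPLE_RA_XML, 'false')
    print('after: ', get_property(updated))
```

ElementTree drops XML comments and the declaration when it serialises, so diff the output against the original before replacing the file, and keep a copy of the original ra.xml. On WebSphere this only covers the file half of the change; step 4 (the policy server object in the Administrative Console) still has to be done by hand.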