A customer is trying to use Identity Mapping for Federation and is getting a FAILED_AUTHEX error in affwebserv.log.
Step 1. User1 logs on via Userstore1 (CA Directory) and accesses /application1/index.html --> Works
Step 2. User1 accesses /application2/index.html, which has a directory mapping to Userstore2 (AD) --> Works
Step 3. User1 federates to partnership1 (Userstore1 authorized) --> Works
Step 4. User1 federates to partnership2 (Userstore2 authorized) --> Fails
Why is the Identity Mapping not working for federation?
This is expected behavior.
User1 logged in via Userstore1, so the user session is based on Userstore1.
User1 can federate at step 3 because that partnership is configured with the same userstore and the user is authorized for federation.
When the user tries to federate at step 4, the authentication userstore and the federation userstore are different.
The user is therefore "NOT AUTHORIZED", which produces a 403 error with "FAILED_AUTHEX".
Identity Mapping with federation has been a known limitation of the product for many years.
There is an enhancement request, accepted by Product Management, which is projected to be introduced in R14.
The link to the enhancement request is below.
You can also join the CA Validation program to review the proposed Identity Mapping feature at the following link.
After logging in, select the Single Sign-On product and search for "Identity Mapping for SAML".
You will see a PDF document describing the proposal.
### WORKAROUND ###
1. The customer can add the authentication userstore to the federation partnership and write a custom assertion generator to fetch the user attributes from the other userstore.
2. Engage CA Services to explore other options. Please reach out to your CA Account Manager for further discussion.