Single Sign On Problems between V6 and R12

Document ID : KB000007642
Last Modified Date : 14/02/2018
Issue:

SSO fails between two separate environments (disparate policy stores). This article describes what needs to be in place to achieve SSO when clients navigate between a web server in V6 and one in R12.

Environment:
Two environments whose policy servers point to different policy stores: Store 1 is Oracle LDAP and Store 2 is CA Directory 12 SP18.
Cause:

SSO fails when users navigate between the environments because the session ticket is not the same. The SMSESSION cookie could be decoded (the agent keys were the same), but when the agent sent the session spec to the policy server, the policy server was not able to read it; this is logged as “invalid key in use” in the smaccess log and in the trace log of the policy server.

Resolution:

The session ticket is unreadable between V6 and R12 (V6 will treat it as NULL; R12 will fail to validate sessions).

Option to move past this issue:

Reset the session ticket in both environments to a known value (NOTE: this will force all currently logged-in sessions to be re-challenged).

This is done in the Admin UI; see the example screenshot (session-key.png).

Additional Information:

(a) The name of the UserDir object in the Admin UI must be the same in both policy stores; the authenticated user DN must also be the same.

OR

(b) AuthValidation functionality can be used if (a) is not possible.

Common errors to look for when SSO fails:

  • Failed to decrypt (session keys are different)

Error in the Web Agent trace:

[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]

  • Invalid key in use

The session ticket is not the same, or a “custom agent” created the SMSESSION cookie; the custom-agent case is resolved by setting the ACO parameter AcceptTPCookie to yes.

Error in the Policy Server trace (Az): [** Status: Not Authorized. Invalid key in use]

  • User directory name problem

User “A” is not authorized in the second environment (user directory name problem).

Error in the Policy Server log:

[00:15:48][** Status: Not Validated. Failed to resolve user directory 'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']
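As an added example (not part of this KB article or the product), the following Python script matches Web Agent and Policy Server trace lines against the three error signatures listed above and maps each hit to the cause and the check the article gives. The sample lines are constructed from the messages quoted in this article, and the regular expressions are assumptions about the message format rather than documented log grammar.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not copied from a real deployment). They reproduce the
# three signatures the article lists plus one healthy line to show the filter.
SAMPLE_LINES = [
    "[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]",
    "[00:15:48][** Status: Not Authorized. Invalid key in use]",
    "[00:15:48][** Status: Not Validated. Failed to resolve user directory "
    "'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']",
    "[00:15:49][** Status: Authorized.]",
]

# Each signature: a name, the pattern to match (assumed format), the cause the
# article gives, and the check or fix the article recommends.
SIGNATURES = [
    ("cookie_decrypt_failed",
     re.compile(r"Failed to decrypt SMSESSION", re.IGNORECASE),
     "Web Agent cannot decrypt the SMSESSION cookie; the keys used to encrypt it differ between environments.",
     "Compare the agent keys in both policy stores before looking at the session ticket."),
    ("invalid_key_in_use",
     re.compile(r"Invalid key in use"),
     "Policy Server cannot read the session spec: the session ticket differs, or a custom agent minted the cookie.",
     "Reset the session ticket to one known value in both environments (all logged-in users are re-challenged); "
     "for custom-agent cookies set the ACO parameter AcceptTPCookie to yes."),
    ("user_directory_unresolved",
     re.compile(r"Failed to resolve user directory '(?P<directory>[^']+)'"),
     "The user directory object name does not exist in the second policy store.",
     "Define the user directory object with the same name in both stores and keep the user DN identical, "
     "or use AuthValidation if that is not possible."),
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return the matching signature for one log line, or None if it is not a known SSO error."""
    for name, pattern, cause, check in SIGNATURES:
        match = pattern.search(line)
        if match:
            finding = {"signature": name, "cause": cause, "check": check, "line": line}
            finding.update(match.groupdict())  # e.g. the unresolved directory name
            return finding
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every line and keep only the ones that match a known SSO failure."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per signature so the dominant cause stands out in a large log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["signature"]] = counts.get(f["signature"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for f in findings:
        print(f"{f['signature']}: {f['cause']}\n  -> {f['check']}")
    print(summarize(findings))
```

Run it against a Web Agent trace and the Policy Server trace and smaccess logs (after joining any lines that a viewer has wrapped, as the directory error above was); the order of the signatures matters, because a decrypt failure on the agent side means the Policy Server never sees the session spec, so that finding should be resolved before the session ticket is reset.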