UIM - Siteminder SSO integration unable to import ldap users

Document ID : KB000100130
Last Modified Date : 05/06/2018
Issue:
Since we migrated the LDAP server to a different host, the SiteMinder SSO integration with UIM is not working: browsing to UMP no longer logs the user in automatically.


Portal log:

30 May 2018 16:16:00,500 ERROR [PortalLDAPImporterImpl:714] Unable to import user CN=Todd Benn: null:null:{userprincipalname=userPrincipalName: Name@domain.com}
com.liferay.portal.UserScreenNameException
at com.liferay.portal.service.impl.UserLocalServiceImpl.validateScreenName(UserLocalServiceImpl.java:6117)
at com.liferay.portal.service.impl.UserLocalServiceImpl.validate(UserLocalServiceImpl.java:5884)
at com.liferay.portal.service.impl.UserLocalServiceImpl.addUserWithWorkflow(UserLocalServiceImpl.java:731)
at com.liferay.portal.service.impl.UserLocalServiceImpl.addUser(UserLocalServiceImpl.java:595)
at sun.reflect.GeneratedMethodAccessor952.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Environment:
•  UIM 8.5.1
•  LDAP on Windows 2012R2 Standard (AD database on tcp/389, or LDS on tcp/50004)
•  CA SiteMinder r12.51

 
Resolution:
Possible Causes and Resolution:

1) Check that the LDAP integration works on its own, independently of the SiteMinder integration:

Can you log in to Infrastructure Manager (IM) with an LDAP user?
Can you log in to UMP with an LDAP user?

If not, the problem is in the LDAP and UMP configuration, not in SiteMinder.
See KB: How to configure LDAP in CA UIM (Nimsoft) hub to integrate with AD authentication

Common issue: wrong login format

•  If the LDAP user must authenticate with the "emailAddress" login format, UMP must also be configured for the email-address login format:
--> Verify that every step in the following KB has been checked:
Infrastructure Manager & UMP - Notes on using LDAP/AD for Authentication (screenName OR email address)

Note: a common scenario is an AD template with "attr_usr_id = mail". This normally means the hub uses an email address to import the users from LDAP and for UIM authentication. However, the login format can still be "email address" even when "attr_usr_id" is not "mail": if "attr_usr_id" is "userPrincipalName" and the userPrincipalName is set to an email-address form in Active Directory (as in the portal log above, where userPrincipalName is Name@domain.com), the value the portal receives is still an email address. A portal still configured for screen-name logins rejects such a value, which is what the UserScreenNameException in the log reports.

2) In the AD server configuration, check that the attribute named in attr_usr_id exists and is spelled correctly.
Example: if attr_usr_id is "userPrincipalName", check that the attribute name in the hub configuration contains no space or other invalid character, and that the attribute's value in AD is well formed for each user to be imported.


3) Review in detail the "Modify the Portal Configuration to Enable SiteMinder" section of the integration guide.

Note: even if the login attribute is not "mail", its value can still be in email-address format. In that case you still need to set, in the portal configuration:
company.security.auth.type=emailAddress

4) Review the SiteMinder configuration.

Possible issue: the Attribute Name is wrong.

•  In SiteMinder, check that the "User Attribute" Attribute Name is set correctly:
The "Attribute Name" must match "attr_usr_id"; if it still points to an old configuration (e.g. "CN"), the automated login will fail.
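The checks in causes 1 to 4 above, turned into an offline triage script. This is an added example written for this article, not code from CA UIM, UMP, Liferay or SiteMinder: it takes constructed LDAP entries (sample data, not from any real directory), the hub's attr_usr_id, the portal's company.security.auth.type and the SiteMinder "User Attribute" Attribute Name, and reports which of the causes above applies to each user. The screen-name rule (letters, digits, '.', '-' and '_', and never an email-shaped value) is an assumption that approximates Liferay's default screen-name validation, the check behind the UserScreenNameException in the portal log; confirm it against your portal version.

```python
import re

# Constructed sample LDAP entries for this example; not data from the KB or
# from a real directory. Attribute names mirror the attr_usr_id candidates the
# article discusses (userPrincipalName, mail, sAMAccountName, cn).
SAMPLE_ENTRIES = [
    # Cause 3: the UPN is email-shaped although attr_usr_id is not "mail".
    {"cn": "Todd Benn", "sAMAccountName": "tbenn",
     "userPrincipalName": "tbenn@domain.com", "mail": "tbenn@domain.com"},
    # Cause 2: the attribute value contains a space.
    {"cn": "Jane Doe", "sAMAccountName": "jdoe",
     "userPrincipalName": "jane doe@domain.com"},
    # Cause 2: the attribute is missing (or misspelled in the hub template).
    {"cn": "Sam Roe", "sAMAccountName": "sroe"},
]

# Assumption: approximation of Liferay's default screen-name validator, which
# rejects email-shaped screen names and characters outside [A-Za-z0-9._-].
SCREEN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; look the value up that way."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def login_format(value):
    """Classify a login value as 'emailAddress', 'screenName' or 'invalid'."""
    if EMAIL_RE.match(value):
        return "emailAddress"
    if SCREEN_NAME_RE.match(value):
        return "screenName"
    return "invalid"


def diagnose(entry, attr_usr_id, auth_type, sm_attribute_name):
    """Return the list of findings for one LDAP entry.

    attr_usr_id       - attribute named in the hub AD template (cause 2)
    auth_type         - portal company.security.auth.type (cause 3)
    sm_attribute_name - SiteMinder "User Attribute" Attribute Name (cause 4)
    """
    findings = []
    if sm_attribute_name.lower() != attr_usr_id.lower():
        findings.append("siteminder_attribute_mismatch")
    value = get_attr(entry, attr_usr_id)
    if value is None:
        findings.append("attribute_missing")
        return findings
    fmt = login_format(value)
    if fmt == "invalid":
        findings.append("invalid_characters")
    elif fmt != auth_type:
        # The situation in the portal log: an email-shaped value handed to a
        # portal configured for screen-name logins (UserScreenNameException).
        findings.append("auth_type_mismatch")
    return findings


def required_auth_type(entries, attr_usr_id):
    """company.security.auth.type that fits every well-formed attr_usr_id value.

    One email-shaped value is enough to require emailAddress, since the portal
    applies a single login format to all imported users.
    """
    formats = set()
    for entry in entries:
        value = get_attr(entry, attr_usr_id)
        if value is not None:
            formats.add(login_format(value))
    formats.discard("invalid")
    return "emailAddress" if "emailAddress" in formats else "screenName"


if __name__ == "__main__":
    # Hypothetical configuration under test: UPN-based template, portal still on
    # screen names, SiteMinder attribute still pointing at the old "CN".
    for entry in SAMPLE_ENTRIES:
        print(get_attr(entry, "cn"),
              diagnose(entry, "userPrincipalName", "screenName", "CN"))
    print("required company.security.auth.type:",
          required_auth_type(SAMPLE_ENTRIES, "userPrincipalName"))
```

Run it against an export of the real attribute values (for example the output of an LDAP search for the users that fail to import) and the hub, portal and SiteMinder settings actually in use; an "auth_type_mismatch" finding on a user whose value is email-shaped points at cause 3, "invalid_characters" or "attribute_missing" at cause 2, and "siteminder_attribute_mismatch" at cause 4.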
