Symantec Access Management

  • 1.  How to troubleshoot an SSO problem between two separate environments

    Broadcom Employee
    Posted Oct 15, 2013 09:51 AM

    Problem: Failed SSO between two separate environments

    How to troubleshoot an SSO problem between two separate environments (disparate policy stores and keystores).

    WebAgent and Policy Server logs are the best place to start – they will provide the exact reason for a failed SSO.


    Required for SSO:
    1. SESSION keys (agent) – must be the same (best approach: shared keystore)
    2. SESSION Ticket – must be the same (best approach: shared keystore)
    3. User Directory Requirements:
       a. Name of the UserDir Object in Admin UI must be defined with the same name in both policy stores; the authenticated user DN must also be the same
          OR
       b. AuthValidation functionality can be used if (a) is not possible
    4. SiteMinder manages sessions via the SMSESSION cookie/domain; applications that manage sessions using a cookie in one domain and also need to provide SSO to a different domain will need to implement the SiteMinder CookieProvider feature (a feature that allows cross-domain SSO - see documentation).

    Common errors to look for:

    Failed to decrypt (SESSION keys are different)


    ERROR WebAgent Trace:
    [DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]


    Invalid key in use (SESSION Ticket is not the same, or a “custom agent” created the SMSESSION cookie and the agent parameter AcceptTPCookie is not set).

    Error in Policy Server trace (Az): [** Status: Not Authorized. Invalid key in use]


    User “A” is not authorized in the second environment - user directory name problem

    Error Policy Server:
    [00:15:48][** Status: Not Validated. Failed to resolve user directory 'UserStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']


    If this is a cookie provider issue, the client will be prompted for a new user session.
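
    An added example (not part of the post, and not a SiteMinder tool) that scans WebAgent/Policy Server trace lines for the three failure signatures quoted above and maps each to the SSO requirement it points at. The trace lines are constructed from the post, and re-joining records wrapped over two lines is an assumption about how the trace was pasted.

```python
import re

# Constructed sample trace built from the lines quoted in the post; the third
# record is wrapped over two lines exactly as it was pasted there.
SAMPLE_TRACE = [
    "[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]",
    "[00:15:40][** Status: Not Authorized. Invalid key in use]",
    "[00:15:48][** Status: Not Validated. Failed to resolve user directory 'Us",
    "erStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']",
    "[00:15:49][** Status: Authenticated.]",
]

# Each signature from the post, mapped to the SSO requirement it points at.
SIGNATURES = [
    (re.compile(r"Failed to decrypt SMSESSION= cookie"), "session_keys",
     "agent SESSION keys differ between environments (share the keystore)"),
    (re.compile(r"Status: Not Authorized\. Invalid key in use"), "session_ticket",
     "SESSION ticket differs, or custom-agent cookie without AcceptTPCookie"),
    (re.compile(r"Failed to resolve user directory '(?P<dir>[^']*)'"), "user_directory",
     "user directory name differs between policy stores (or use AuthValidation)"),
]

def join_wrapped(lines):
    """Re-join records split by a pager or paste; assumes every real record starts with '['."""
    records = []
    for line in lines:
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def classify_line(record):
    """Return (category, hint, directory name or None) for a failure record, else None."""
    for pattern, category, hint in SIGNATURES:
        match = pattern.search(record)
        if match:
            return category, hint, match.groupdict().get("dir")
    return None

def triage(lines):
    """Count each SSO failure category and list the directory names that failed to resolve."""
    counts = {category: 0 for _, category, _ in SIGNATURES}
    unresolved = set()
    for record in join_wrapped(lines):
        result = classify_line(record)
        if result is None:
            continue
        category, _hint, directory = result
        counts[category] += 1
        if directory:
            unresolved.add(directory)
    return counts, sorted(unresolved)
```

A directory name returned by `triage` is the one to compare, character for character, against the UserDir object name in the other environment's Admin UI.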



  • 2.  RE: How to troubleshoot an SSO problem between two separate environments

    Posted Oct 15, 2013 02:31 PM
    Thanks for sharing this tip with the community Stephen!


  • 3.  RE: How to troubleshoot an SSO problem between two separate environments

    Posted Oct 16, 2013 05:37 PM
    Just wondering again...

    Would any of this apply to Clarity if you had two instances and both were SSO with Siteminder?

    Martti K.