Stephen_McQuiggan

How to troubleshooting SSO problem between two separate environments

Discussion created by Stephen_McQuiggan Employee on Oct 15, 2013
Latest reply on Oct 16, 2013 by another_martink

Problem: Failed SSO between to separate environments

How to troubleshooting SSO problem between two separate environments (disparate policy stores and keystores).

WebAgent and Policy Servers logs is the best place to start – they will provide the exact reason for a failed SSO


Required for SSO:
1.
SESSION keys (agent) – must be the same (best approach shared keystore)
2.
SESSION Ticket – must be the same (best approach shared keystore)
3.
User Directory Requirements:
a.
Name of the UserDir Object in Admin UI must be defined with the same name in both policy stores; also the authenticated user DN must also be the same
\
OR
b.
AuthValidation functionality can be used if (a) is not possible
4.
SiteMinder manages session via SMSESSION cookie/domain, applications that manage session using cookie in one domain that also needs to provide SSO to different domain will need to implement SiteMinder feature Cookieprovder (feature that allows cross domain SSO - see documentation)
.

Common errors to look for:

Failed to decrypted (SESSION keys is different)


ERROR WebAgent Trace:
[DecodeCookie][WARNING: Failed to decrypt SMSESSION= cookie.]


Invalid key in use (SESSION Ticket is not the same or “custom agent” created SMSESSION cookie and the agent parameter AcceptTPCookie not set),

Error Policy Server trace Az [** Status: Not Authorized. Invalid key in use]


User “A” is not Authorized in second envirnoment - User directory name problem

Error Policy Server:
[00:15:48][** Status: Not Validated. Failed to resolve user directory 'Us
erStore_Authentication', '0e-3dffab22-c0db-0028-0000-165100001651']


If this is a cookie provider issue client will be prompted as a new user session

Outcomes