Symantec Access Management

  • 1.  SSO not working with ITIM 6.0

    Posted Feb 12, 2016 02:19 PM

    We had integrated SiteMinder with ITIM 5.0 and it was working fine, but once we migrated to ITIM 6.0, SSO stopped working. On entering credentials on the SSO page, it throws the application login page.

    From what I know, the only change required for ITIM SSO is to set enrole.ui.ssoEnabled=true in ui.properties.

    And this property is set properly in my ISIM 6.0 environment.

    Is there any other configuration change required?

     

    Thanks



  • 2.  Re: SSO not working with ITIM 6.0

    Posted Feb 14, 2016 05:17 PM

    Hi,

    So what do you see in the webagenttrace.log when it sends the user back to the login page?

    I would suggest capturing the Fiddler trace (HTTP header trace) and the corresponding web agent trace logs, and looking for the reason it gives for not authenticating the user and sending the user back to the login page.

     

    Regards,

    Ujwol



  • 3.  Re: SSO not working with ITIM 6.0

    Posted Feb 14, 2016 11:19 PM

    Hi,

     

    I can see in the HTTP trace that SMSESSION is getting generated. We are using the cookie provider to convert the session from one domain to the other domain, and I can see from the trace that the session is getting generated for the other domain as well.

    But after the cookie provider URL there should be a 200 status code for the target URL; instead we are seeing a 302 redirection to the target URL, which in turn does a 302 redirection to the application login page. If SSO was not working, then we should have got the SSO login page, but we are getting the application login page.

    So I wanted to know if there is any other setting we have to enable to have seamless login?

    In this case we are trying to integrate ITIM (IBM Tivoli Identity Manager) with SiteMinder. Do we need TAI (Agent for IBM WebSphere) to have seamless login, or can we achieve it without TAI as well?

     

    Thanks,

    Kanishak
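
The redirect chain described in the post above can be checked mechanically from an exported HTTP trace. This is an added example, not part of the original thread: it walks a trace in HAR layout, records which hosts issued SMSESSION, resolves each 302, and reports where the chain lands. The hostnames, paths and login-page markers are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urljoin, urlsplit

def entry(url, status, location=None, set_cookie=None):
    """Build one HAR entry (used only for the constructed sample below)."""
    headers = []
    if location:
        headers.append({"name": "Location", "value": location})
    if set_cookie:
        headers.append({"name": "Set-Cookie", "value": set_cookie})
    return {"request": {"url": url},
            "response": {"status": status, "headers": headers}}

# Constructed trace: hosts, paths and cookie values are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    entry("https://sso.a.example/sso/login", 302,
          "https://cp.b.example/cookieprovider?target=/app/home",
          "SMSESSION=aaa; path=/; domain=.a.example"),
    entry("https://cp.b.example/cookieprovider?target=/app/home", 302,
          "https://itim.b.example/app/home",
          "SMSESSION=bbb; path=/; domain=.b.example"),
    entry("https://itim.b.example/app/home", 302, "/app/login.jsp"),
    entry("https://itim.b.example/app/login.jsp", 200),
]}})

def diagnose(har_text, sso_login_marker, app_login_marker):
    """Walk the trace in order; return cookie hosts, hops and a verdict."""
    cookie_hosts, hops = [], []
    for e in json.loads(har_text)["log"]["entries"]:
        url, resp = e["request"]["url"], e["response"]
        location = None
        for h in resp["headers"]:
            name, value = h["name"].lower(), h["value"]
            if name == "set-cookie" and value.startswith("SMSESSION="):
                cookie_hosts.append(urlsplit(url).hostname)
            elif name == "location":
                location = urljoin(url, value)  # resolve relative redirects
        hops.append((resp["status"], url, location))
    final_url = hops[-1][1]
    if app_login_marker in final_url and cookie_hosts:
        verdict = "SMSESSION issued; application still showed its own login page"
    elif sso_login_marker in final_url:
        verdict = "landed on the SSO login page; session missing or rejected"
    else:
        verdict = "landed on target"
    return cookie_hosts, hops, verdict

if __name__ == "__main__":
    print(diagnose(SAMPLE_HAR, "/sso/login", "/app/login.jsp"))
```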



  • 4.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 12:19 AM

    Hi Kanishak,

     

    You mentioned this was working before (ITIM 5.0) and that migrating to ITIM 6.0 made it stop working.

    First of all, do you have any documentation that mentions how to integrate ITIM and SM? If there is, I suggest revisiting the document. What I suspect is that something got overwritten while performing the ITIM upgrade.

    Based on what you explained, it seems SMSESSION was fine but the backend seems unable to consume the cookie, and that's why you get the application login page. I'm not sure if ITIM is hosted on a WebSphere server. If it is, you might need to have TAI on WebSphere so it can consume the cookie and pass the principal to WebSphere. The question is: who in ITIM is responsible for consuming the SMSESSION cookie?

    However, as I mentioned earlier, it was working fine in ITIM 5.0. If ITIM 5.0 had no TAI on the backend server, then I doubt ITIM 6.0 needs it.

     

    Regards,

    Kar Meng



  • 5.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 01:30 AM

    Hi Kar,

     

    It does not look to be an oversight of the configuration; it looks like in ITIM the login.jsp page is responsible for consuming the cookie. ITIM is hosted on WebSphere.

    As per IBM, to make this work we need TAI, but I was checking if there is any configuration by which we can make this work rather than having an agent running on the application server.

     

    Thanks



  • 6.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 01:37 AM

    Hi Kanishak,

     

    Thanks for your update. WebSphere needs to have an agent to interpret the SMSESSION cookie. That's where TAI comes in. Without an agent on WebSphere, nobody will understand what the SMSESSION cookie is. As such, WebSphere will throw the application login page.

    How did it work in ITIM 5.0? You mentioned it was working in ITIM 5.0; did you have TAI on WebSphere at that time?

     

    Regards,

    Kar Meng



  • 7.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 01:45 AM

    ITIM 5.0 did not have TAI, and it looks like IBM has changed the way the product works.

    I saw a couple of threads posted where SSO broke after upgrading the product, so I was checking if anybody is aware of how to fix it?



  • 8.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 08:26 PM

    Hi Kanishak,

     

    If ITIM 5.0 was working fine without TAI, then the question is who consumes the SMSESSION and passes the information to WebSphere? I believe IBM provides documentation on how to integrate CA SSO with ITIM.

    If that's the case, maybe you can check with IBM if there is any new integration document for ITIM 6.0? Just a thought...

     

    Regards,

    Kar Meng



  • 9.  Re: SSO not working with ITIM 6.0

    Posted Feb 15, 2016 08:33 PM

    Hi,

     

    IBM says to go with TAI, so I wanted to check if anybody has experienced the same and if we can resolve this without TAI with some customization.

     

    Thanks