Symantec Access Management

  • 1.  Not able to login with CA SSO

    Posted Apr 23, 2018 04:21 AM

    We have set up CA SSO, which takes credentials from the login page, which in turn passes the request to the web agent and policy server. But what we found on analysis is that the user gets a "credential not matched" error although those are correct. We have tried debugging the code by printing the password for the user, which is also fine when it passes from the application to SiteMinder.

    If anyone has come across such an issue, kindly update, as our system has been down for the last 3 days. Any help will be greatly appreciated!



  • 2.  Re: Not able to login with CA SSO

    Broadcom Employee
    Posted Apr 23, 2018 04:32 AM

    Hi,

    I understand that you have custom code that collects the username and password, and then it POSTs them to the Web Agent HTML form, right?

    Could you paste the failing request from the Policy Server?

    At first glance, here's a sample to do it (involving SecureURLs enabled, which might not be your exact use case):

    How to use custom fcc page and post details to login.fcc
    https://communities.ca.com/message/241817806

    Tech Tip - CA Single Sign-On: Custom login page to POST to login.fcc with SecureURLs enabled
    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2015/08/20/tech-tip-ca-single-sign-on-custom-login-page-to-post-to-loginfcc-with-secureurls-enabled

    As your problem probably needs deeper log and trace analysis, we invite you to open a support case to have this investigated.

    Best Regards,
    Patrick



  • 3.  Re: Not able to login with CA SSO

    Broadcom Employee
    Posted Apr 23, 2018 12:53 PM

    Hello, I agree with Patrick. Opening a case with CA Support might be the right thing to do here to help resolve this quickly. Please make sure you provide in the case the PS and agent logs and traces, as well as a Fiddler HTTP trace for the failing use case, all in the same time frame as the use case, and specifying the time of execution, the user ID used and the URL accessed.

    Thank you. - Vijay, CA Spt



  • 4.  Re: Not able to login with CA SSO

    Posted Apr 23, 2018 07:23 PM

    What is your user store? Have you configured multiple user stores as authentication directories?

    The user will be authenticated against the first directory in which the user is found.

    The first thing I will do is look at the policy server trace logs (enable all components and data) and check why the user is not authenticated. Usually it would give the error that it gets from the backend.

    For example, if it's LDAP and the password is invalid, LDAP should return error code 49 with data 52e.

    LDAP Error Code 49 - Atlassian Documentation 
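
Added example, not part of the thread or of any poster's reply: a small triage helper for the check described in reply 4, which pulls the `data` sub-code out of LDAP error 49 bind failures so that a genuinely rejected password (52e) can be told apart from account-state failures. It assumes the directory is Active Directory; the function names are hypothetical and the sample lines (including their timestamp prefix) are constructed, not real Policy Server trace output.

```python
import re
from collections import Counter

# Active Directory sub-codes carried in the "data" field of the diagnostic
# message that accompanies LDAP result 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The sub-code is hexadecimal and may appear in either letter case.
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify(line):
    """Return (subcode, meaning) for an AD bind-failure line, else None."""
    match = DATA_RE.search(line)
    if match is None:
        return None
    code = match.group(1).lower()
    return code, AD_SUBCODES.get(code, "unknown sub-code")


def summarize(lines):
    """Count bind failures per sub-code across a trace excerpt."""
    hits = (classify(line) for line in lines)
    return Counter(hit[0] for hit in hits if hit is not None)


# Constructed sample lines; only the AD diagnostic string follows a real format.
SAMPLE = [
    "[10:01:12] bind uid=jdoe failed: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52e, v1db1",
    "[10:01:40] bind uid=asmith failed: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 52E, v1db1",
    "[10:02:05] bind uid=jdoe failed: 80090308: LdapErr: DSID-0C0903A9, "
    "comment: AcceptSecurityContext error, data 775, v1db1",
    "[10:02:30] search base=ou=people completed, 1 entry",
]

if __name__ == "__main__":
    for code, count in summarize(SAMPLE).most_common():
        print(code, AD_SUBCODES.get(code, "unknown sub-code"), count)
```

If every failure is 52e for users whose passwords are known to be good, the directory is rejecting what it received, which points at how the password is handled between the login form and the Policy Server rather than at the user store.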



  • 5.  Re: Not able to login with CA SSO
    Best Answer

    Posted Apr 24, 2018 06:58 AM

    Thank you guys for the suggestions. We had done all the things you have mentioned above.

    The problem was with the authentication scheme we used, where we have the acc status and password collected from our HTML page and forwarded to a newly created login.fcc file (it was created by our team here). But we had added an extra slash while setting the scheme in the AdminUI. This extra slash was causing an issue while decrypting the password from the user. It got resolved as soon as we removed that extra forward slash.