Symantec Access Management

  • 1.  "AzReject" when SM Session is already there with lower level

    Posted Aug 23, 2018 07:13 PM

    Issue: "AzReject" when SM Session is already there with lower level

    Scenario:

    User logs in to a federation partnership which has Auth Level 5, and in the same browser, when the user tries to access another federation partnership which has a higher Auth Level 10, the user keeps getting the login page again and again. We are seeing "AzReject" and "Session is not authorized for this security level" in the Access log.

    In other words, SMSESSION is already there, and SM has validated this session before access can be authorized. However, this SMSESSION was authenticated at a lower level, and the request was to a resource that is protected with a higher auth level, hence the AzReject. Any solution for this?

    I have SSO 12.7 with a session store and we are using non-persistent sessions in the realm.



  • 2.  Re: "AzReject" when SM Session is already there with lower level

    Broadcom Employee
    Posted Aug 24, 2018 01:09 PM

    Hi Vipul,

    This is the expected behavior of your use case, and this is the intention of higher "Protection levels" in Authschemes.

    SMSESSION is created after authentication, and the user needs to have the right group/role membership along with the right protection level in order to get authorized. If a user has an SMSESSION, it does not mean that he/she should get access to all the protected resources.

    When users authenticate successfully against a scheme, they can access any resource with a protection level equal to or below the current authentication scheme, but not higher. Users still require authorization for a resource to gain access to it.

    Is there any reason/requirement behind keeping different protection levels?

    If you don't want to challenge the user while accessing your second app, you can just keep all the app authentication at the same protection level.

    Thanks

    Ashok



  • 3.  Re: "AzReject" when SM Session is already there with lower level

    Posted Aug 24, 2018 05:09 PM

    Yes, I understand and agree with the behavior of SiteMinder challenging again for authentication if the previously generated SMSESSION has a lower Auth level.

    My issue here is that the user re-authenticates himself against the high level auth scheme but the login page still reappears again and again. After entering correct credentials 3 times he is able to override the existing SMSESSION and logs in successfully.



  • 4.  Re: "AzReject" when SM Session is already there with lower level

    Posted Aug 24, 2018 01:28 PM

    Refer to the KB article below:

    Status: Not Authorized. Session is not authorized - CA Knowledge

    Regards,

    Ram



  • 5.  Re: "AzReject" when SM Session is already there with lower level
    Best Answer

    Posted Aug 25, 2018 02:19 PM

    I found the solution. I lowered the Minimum Authentication level in the federation partnership and kept the high Auth level in the realm which is protecting my federation redirection page. So now the user is only prompted once when he accesses federation, and after re-authenticating against the high level auth scheme the user logs in successfully.



  • 6.  Re: "AzReject" when SM Session is already there with lower level

    Posted Aug 31, 2018 03:48 AM

    Hi Vipul,

    The Minimum Authentication level has precedence over the Protection level defined in the Authentication scheme, so if you want step-up authentication in a partnership application you will also need to bump up the Minimum Authentication level in the partnership to get it to work, or else make the Minimum Authentication level the same for all partnerships to achieve SSO.

    Authentication level

    Regards

    Prashant
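The level comparison that replies 2 and 6 describe (session level must meet the realm's protection level; a partnership enforces its own Minimum Authentication level), walked through with the levels from the thread. This is an added illustrative model, not CA/Broadcom code: the class names, the "Challenge" outcome and the assumption that a step-up re-authentication simply replaces the session's level are all mine, and the product's real evaluation is more involved.

```python
"""Simplified model of the authorization rule discussed in this thread.

Added example, not the product's own code. Levels 5 and 10 are the values
from the original post; everything else is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SmSession:
    user: str
    auth_level: int        # protection level of the scheme that created it


@dataclass
class Realm:
    name: str
    protection_level: int  # taken from the realm's authentication scheme


@dataclass
class Partnership:
    name: str
    min_auth_level: int    # "Minimum Authentication level" of the partnership


def authorize_realm(session: Optional[SmSession], realm: Realm) -> str:
    """Reply 2's rule: a session may access a realm whose protection level
    is equal to or below its own level; a higher realm yields AzReject
    ("Session is not authorized for this security level")."""
    if session is None:
        return "Challenge"            # no SMSESSION yet: user must log in
    return "AzAccept" if session.auth_level >= realm.protection_level else "AzReject"


def authorize_partnership(session: Optional[SmSession], partnership: Partnership) -> str:
    """Reply 6's rule: the partnership's Minimum Authentication level is the
    level the session must reach, independent of the scheme's own level."""
    if session is None:
        return "Challenge"
    return "AzAccept" if session.auth_level >= partnership.min_auth_level else "AzReject"


def step_up_flow(existing: SmSession, redirect_realm: Realm,
                 partnership: Partnership, reauth_level: int) -> List[Tuple[str, str]]:
    """Sequence from reply 5: the realm guarding the federation redirect page
    keeps the high level, the partnership's minimum level is lowered.
    Assumes re-authentication replaces the session's level (modelling assumption)."""
    decisions = [("realm", authorize_realm(existing, redirect_realm))]
    session = existing
    if decisions[-1][1] == "AzReject":
        session = SmSession(existing.user, reauth_level)   # one step-up challenge
        decisions.append(("realm", authorize_realm(session, redirect_realm)))
    decisions.append(("partnership", authorize_partnership(session, partnership)))
    return decisions
```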