Symantec Access Management

Tech Tip : CA Single Sign-On : XPS Sweeper integrity report

  • 1.  Tech Tip : CA Single Sign-On : XPS Sweeper integrity report

    Posted 06-01-2018 06:45 AM

    Issue:

     

    We're reviewing the XPSSweeper report, we've been reviewing the
    objects appearing as duplicated with IDM, as all of them are used
    when integrating IDM with SSO. These objects seem to be properties of
    a User Directory (Container, paging, stickiness, etc), which are
    related to a UD. When IDM is integrated with SSO, creating a User
    Directory in IM creates a matching User Directory in SM Policy Server
    too.

     

    There are object that are duplicated :

     

    [1]
    Object ID: CA.SM::IMSAdditionalProperties@21-de3b50b1-83ad-46fc-82d2-7d1afb355cd7
    Object Name: DIRECTORY_SERVER_STICKINESS
    Object Path: IMSAdditionalPropertiesSet[32-377cc592-1ad6-4be4-8684-22bde8de8285] / IMSAdditionalProperties[DIRECTORY_SERVER_STICKINESS]
    Object Description:

     

    [2]
    Object ID: CA.SM::IMSAdditionalProperties@21-4f5b061e-68a5-40ce-b8b2-deed410d61d9
    Object Name: DIRECTORY_SERVER_STICKINESS
    Object Path: IMSAdditionalPropertiesSet[32-aa27a1b1-0f4c-4120-aa5d-df239eb8f212] / IMSAdditionalProperties[DIRECTORY_SERVER_STICKINESS]
    Object Description:

     

    How can we solve this ?
    .
    Resolution:

     

    You should then verify if these are all referring to the same User
    Directory object (as we should only have one of each then), or if
    these are old “orphan” directory objects in the Policy Store.

    You should verify if these objects pertain to an existing User
    Directory, and remove the duplicated objects accordingly. For this you
    can use the XPSExplorer tool, and check the current IDM User
    Directories to see if they are orphan or duplicated and can be
    deleted, which can be done from the XPSExplorer tool itself.

    This should be solved by renaming the affected objects but we should
    need to confirm with IDM team if this can be done, even if it is done
    only for the upgrade process and later corrected. So, for example,
    renaming the following:

     

    Object ID:

     

    CA.SM::IMSAdditionalProperties@21-de3b50b1-83ad-46fc-82d2-7d1afb355cd7
    Object Name: DIRECTORY_SERVER_STICKINESS to: Object ID:

     

    CA.SM::IMSAdditionalProperties@21-de3b50b1-83ad-46fc-82d2-7d1afb355cd7
    Object Name: DIRECTORY_SERVER_STICKINESS-InternalApp And the same with

     

    the other 8 duplicities found.

     

    This would solve the issue on CA Single Sing-On side, but as mentioned we need to
    confirm first if this could break any functionality on IDM, and if no,
    you can rename them and proceed.

     

    KB : KB000099528