We have set up CA SSO, which takes credentials from the login page and in turn passes the request to the Web Agent and Policy Server. But what we observe is the user getting a "credentials not matched" error although those credentials are correct. We have tried debugging the code by printing the user's password, which is also fine when it passes from the application to SiteMinder.
Has anyone come across such an issue? Kindly update, as our system has been down for the last 3 days. Any help will be greatly appreciated!
I understand that you have custom code that collects username and password, and then POSTs them to the Web Agent HTML form, right?
Could you paste the failing request from the Policy Server?
At first glance, here's a sample to do it (involving SecureURLs enabled, which might not be your exact use case):
How to use custom fcc page and post details to login.fcc https://communities.ca.com/message/241817806
Tech Tip - CA Single Sign-On: Custom login page to POST to login.fcc with SecureURLs enabled https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2015/08/20/tech-tip-ca-single-sign-on-custom-login-page-to-post-to-loginfcc-with-secureurls-enabled
As your problem probably needs deeper log and trace analysis, we invite you to open a support case to have this investigated.
Hello, I agree with Patrick. Opening a case with CA Support might be the right thing to do here to help resolve this quickly. Please make sure you provide in the case the PS and agent log and trace, as well as a Fiddler HTTP trace for the failing use case, all in the same time frame of the use case, and specifying the time of execution, the user ID used and the URL accessed.
Thank you. - Vijay, CA Spt
What is your user store? Have you configured multiple user stores as the authentication directory?
The user will be authenticated against the first directory in which the user is found.
The first thing I would do is look at the Policy Server trace logs (enable all components and data) and check why the user is not authenticated. Usually it would give the error that it gets from the backend.
For example, if it's LDAP and the password is invalid, the LDAP server should return LDAP error code 49 with data 52e.
LDAP Error Code 49 - Atlassian Documentation
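To illustrate the advice above about reading the backend LDAP result out of the Policy Server trace, here is an added example (not code from the thread or from CA) that classifies bind outcomes from trace lines. The line layout, the user names and the `CorpAD` directory name are constructed for the example and are not the real smtrace format; the Active Directory sub-codes under result 49 are the documented ones.

```python
import re
from collections import Counter

# Constructed sample trace lines (assumed layout, not the real Policy
# Server trace format). Each line records one LDAP bind outcome.
SAMPLE_TRACE = """\
[10/05/2017 09:12:01] user=jdoe dir=CorpAD result=LDAP error 49 data 52e
[10/05/2017 09:12:07] user=asmith dir=CorpAD result=LDAP error 49 data 533
[10/05/2017 09:12:09] user=jdoe dir=CorpAD result=LDAP error 49 data 52e
[10/05/2017 09:12:15] user=bwong dir=CorpAD result=LDAP error 0
"""

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(
    r"user=(?P<user>\S+) dir=(?P<dir>\S+) result=LDAP error (?P<code>\d+)"
    r"(?: data (?P<sub>[0-9a-f]+))?"
)

def classify_line(line):
    # Return (user, directory, reason) for one trace line, or None if it
    # is not a bind-result line.
    m = LINE_RE.search(line)
    if not m:
        return None
    code, sub = m.group("code"), m.group("sub")
    if code == "0":
        reason = "success"
    elif code == "49":
        reason = AD_SUBCODES.get(sub, f"bind failed (data {sub})")
    else:
        reason = f"LDAP error {code}"
    return m.group("user"), m.group("dir"), reason

def summarize(trace):
    # Count bind outcomes per user so repeated 52e for one user stands out
    # from account-state problems such as 533 or 775.
    summary = {}
    for line in trace.splitlines():
        parsed = classify_line(line)
        if parsed:
            user, _, reason = parsed
            summary.setdefault(user, Counter())[reason] += 1
    return summary
```

Run `summarize(SAMPLE_TRACE)` to get a per-user breakdown; a wrong password (52e) reported for a correct password, as in this thread, points at what the agent or custom FCC hands the Policy Server rather than at the directory.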
Thank you guys for the suggestions. We had done all the things you mentioned above.
The problem was with the authentication scheme we used, where we have acc status and password collected from our HTML page and forwarded to a newly created login.fcc file (it was created by our team here). But we had added an extra slash while setting the scheme in the AdminUI. This extra slash caused an issue while decrypting the password from the user. It got resolved as soon as we removed that extra forward slash.