Symantec Access Management

Tech Tip : CA Single Sign-On : Getting SMAUTHREASON 7 for SMDISABLE_FLAG value 4 for inactive user status


    Broadcom Employee
    Posted 10-03-2018 07:30 AM

    Issue:

    We're running a Policy Server that sets the SMAUTHREASON value to 7 when
    SMDISABLE_FLAG is set to 4. As per your understanding, the Policy Server
    should return an SMAUTHREASON value of 25 instead.

    We want to know why we get this.

    Resolution:

    Follow the correct use case to get SMAUTHREASON 25 with the disable
    flag set to 4.

    Don't manually modify the disable flag value outside of the AdminUI.

    Configure the password policies as:

    Password expires from inactivity.
    After days 1
    Disable user

    Then:

    1. Using the AdminUI, enable the user "myuser@mymail.com";
    ensure you have the right password;

    2. Ensure that the User Store has an attribute for password data;

    3. Implement a password policy that will disable the user when the
    user exceeds 1 day of inactivity;

    4. Log in once successfully to the application with the user
    "myuser@mymail.com";

    5. Wait for more than 24 hours and simulate it by setting the
    Policy Server date to 2 days ahead;

    6. Log in again to the application with the expected password and the
    user "myuser@mymail.com". The browser then gets the message that the
    account is disabled for inactivity, and the SMAUTHREASON in the
    browser URL is set to 25. The user's disable flag is then set to 4.

    The "disable for inactivity" function of the
    Password Policy needs a first successful login.

     

    KB : KB000116826