Issue: "AzReject" when SM Session is already there with lower level
User logs in to a federation partnership which has Auth Level 5 and, in the same browser, when the user tries to access another federation partnership which has a higher Auth Level 10, the user keeps getting the login page again and again. We are seeing "AzReject" and "Session is not authorized for this security level" in the Access log.
In other words, SMSESSION is already there, and SM has validated this session before access can be authorized. However, this SMSESSION was authenticated at a lower level, and the request was to a resource that is protected with a higher auth level, hence the AzReject. Any solution for this?
I have SSO 12.7 with session store and we are using non-persistent session in the realm.
This is the expected behavior for your use case and this is the intention of higher "Protection levels" in Authschemes.
SMSESSION is created after authentication and the user needs to have the right group/role membership along with the right protection level in order to get authorized. If a user has an SMSESSION, it does not mean that he/she should get access to all the protected resources.
When users authenticate successfully against a scheme, they can access any resource with a protection level equal to or below the current authentication scheme, but not higher. Users still require authorization for a resource to gain access to it.
Is there any reason/requirement behind keeping different protection levels?
If you don't want to challenge the user while accessing your second app, you can just keep all the app authentication at the same protection level.
Yes, I understand and agree with the behavior of SiteMinder challenging again for authentication if the previously generated SMSESSION has a lower Auth level.
My issue here is that the user re-authenticates himself against the high level auth scheme but the login page still reappears again and again. After entering the correct credentials 3 times he is able to override the existing SMSESSION and logs in successfully.
Refer to the below KB Article:
Status: Not Authorized. Session is not authorized - CA Knowledge
I found the solution. I lowered the Minimum Authentication level in the federation partnership and kept the high Auth level in the realm which is protecting my federation redirection page. So now the user is only prompted once when he accesses federation, and after re-authenticating against the high level auth scheme the user logs in successfully.
The Minimum Authentication level has precedence over the Protection level defined in the Authentication scheme, so if you want step-up Authentication in a partnership application you will also need to bump up the Minimum Authentication level in the partnership to get it to work, or else make the Minimum Authentication level the same for all partnerships to achieve SSO.
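As an added illustration (not part of this thread and not SiteMinder's own code), here is a small Python model of the decision the replies describe: a session is accepted for a resource only if its authentication level is at least the resource's required level, group membership is checked separately, and a successful step-up replaces the session at the new scheme's level. Treating the partnership Minimum Authentication level as an extra floor (the `max` of the two levels), the names, the levels 5/10/15 and the `max_challenges` guard are assumptions of this model; it shows why mixed levels cost one challenge and why a floor no scheme can reach is never satisfied, and does not claim to reproduce the exact loop reported above.

```python
"""Constructed model of protection-level authorization with step-up (not SiteMinder code)."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    auth_level: int                       # level of the scheme that created the SMSESSION
    groups: frozenset = frozenset()       # group/role membership used for authorization


@dataclass
class Resource:
    name: str
    protection_level: int                 # protection level of the realm's auth scheme
    partnership_min_level: int = 0        # partnership Minimum Authentication level (0 = none)
    allowed_groups: frozenset = frozenset()


def required_level(res: Resource) -> int:
    # Assumption: the partnership minimum, when set, acts as a floor on top of the realm level.
    return max(res.protection_level, res.partnership_min_level)


def authorize(session, res: Resource) -> str:
    """Decision for one request: CHALLENGE (AzReject, level too low), DENY or ALLOW."""
    if session is None or session.auth_level < required_level(res):
        return "CHALLENGE"            # "Session is not authorized for this security level"
    if res.allowed_groups and not (session.groups & res.allowed_groups):
        return "DENY"                 # authenticated at a sufficient level but not a member
    return "ALLOW"


def reauthenticate(session: Session, scheme_level: int) -> Session:
    """A successful re-auth replaces the session with one at the realm scheme's level."""
    return Session(session.user, scheme_level, session.groups)


def simulate(session: Session, res: Resource, max_challenges: int = 3):
    """Replay the access attempt, stepping up against the realm scheme on each challenge.

    Returns (final decision, number of challenges, final session). "LOOP" means the
    requirement was still unmet after max_challenges successful re-authentications.
    """
    challenges = 0
    while True:
        decision = authorize(session, res)
        if decision != "CHALLENGE":
            return decision, challenges, session
        if challenges >= max_challenges:
            return "LOOP", challenges, session
        challenges += 1
        session = reauthenticate(session, res.protection_level)


def unsatisfiable(res: Resource) -> bool:
    """Config check: the realm scheme can never reach the partnership minimum level."""
    return res.partnership_min_level > res.protection_level


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the thread: level 5 session, level 10 second app."""
    staff = frozenset({"staff"})
    session_a = Session("alice", 5, staff)                     # logged in via partnership A
    app_b = Resource("appB", 10, 10, staff)                    # second partnership, level 10
    app_same = Resource("appA2", 5, 5, staff)                  # same level everywhere -> SSO
    app_bad = Resource("appC", 10, 15, staff)                  # floor above any scheme
    return {
        "mixed_levels": simulate(session_a, app_b)[:2],        # ('ALLOW', 1)
        "same_levels": simulate(session_a, app_same)[:2],      # ('ALLOW', 0)
        "floor_too_high": simulate(session_a, app_bad)[:2],    # ('LOOP', 3)
        "floor_check": unsatisfiable(app_bad),                 # True
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The useful check for a deployment is `unsatisfiable`: if a partnership's minimum level exceeds the protection level of every scheme that can actually be presented to the user, no amount of re-authentication can satisfy it, which in this model shows up as the `LOOP` result.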