Symantec Access Management

Tech Tip : CA Single Sign-On : Application Your Not a Authorised User

    Posted 10-10-2018 07:15 AM

    Issue:


    We're running a CA Access Gateway (SPS). When a user successfully logs in
    to the SPS, the backend server application returns this error message:

    Your Not a Authorised User, Please Contact System Admin

    Users log in with the Windows Authentication Scheme. The SM_USER header
    value includes the domain, as in:

    DOMAIN\myuser

    We have configured a response that produces the header HTTP_SM_USER, in
    which the user name does not have the DOMAIN prefix.

    But we cannot modify the application code to read the HTTP_SM_USER
    variable, which holds the user ID without the preceding domain name. The
    application can only read the default header SM_USER.

    How can we get the SM_USER value without the DOMAIN\ prefix?

     

    Environment:

     

    Policy Server 12.7SP0CR00 on Windows 2012;
    Access Gateway Server 12.7SP0CR00 on Windows 2012;

     

    Resolution:

     

    You can:

     

    1 - Use a CA Access Gateway (SPS) post filter.

    You might work around this out-of-the-box behavior by setting a filter
    on the CA Access Gateway (SPS) that modifies the header name and its value:

    ProxyResponse Interface

    setHeader(java.lang.String name, java.lang.String value)

    Sets a header with the specified name and value. If a header with
    the same name exists it will be overwritten.

    Parameters:
    name - a String specifying the header name
    value - a String specifying the header value

    https://docops.ca.com/ca-single-sign-on/12-7/en/programming/ca-access-gateway-apis#CAAccessGatewayAPIs-ImplementaFilter

     

    2 - Use the GD SmOverrideAuth module to modify the SM_USER value.

    The out-of-the-box SM_USER value may also be overridden by using the GD
    module "SmOverrideAuth", as described here:

    Remove <domain>\ from user name when using IWA

    There is another option. If you really need the value stored in the
    SiteMinder SMSESSION cookie modified to be just the loginID, without
    the domain prefix, there is a CA Services, Global Deployment
    Pre-built PWP (aka module) called SmOverrideAuth that will meet this
    requirement. It actually allows you to set SM_USER to the value of
    any attribute in the user's record, although normally the loginID is
    used. Note however that this is a separately priced item, it is not
    part of core SiteMinder. You can contact Sid Mautte
    (Sid.MautteIII@ca.com) if you would like to find out more about this
    module, or you can contact your CA Sales Representative and ask them
    to open a Service Request for SmOverrideAuth.

    https://communities.ca.com/thread/241754143

     

    CA Global Delivery Packaged Work Product Download Index

    Override Authentication Login for CA Single Sign-On

    https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D

     

    KB : KB000117269
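
For option 1, the value the filter passes to setHeader has to be derived from the original SM_USER. The Java helper below is an added example, not CA's code and not part of the original post, showing that derivation with the checks a header-trusting backend needs. The class name, the ALLOWED_DOMAINS allow-list and the sample values are assumptions, and the filter class that would call it is left out.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Added example: normalises an IWA-style login name before it is written to SM_USER. */
public final class SmUserNormalizer {

    // Assumption: the only domain whose users this backend application should accept.
    private static final Set<String> ALLOWED_DOMAINS = Collections.singleton("DOMAIN");

    private SmUserNormalizer() { }

    /**
     * Returns the bare login ID for a value of the form DOMAIN\\user, or empty
     * when the value should not be forwarded (malformed, unexpected domain,
     * or control characters in the user part).
     */
    public static Optional<String> stripDomain(String smUser) {
        if (smUser == null) {
            return Optional.empty();
        }
        String value = smUser.trim();
        int sep = value.indexOf('\\');
        // Require exactly one separator with text on both sides.
        if (sep <= 0 || sep == value.length() - 1 || sep != value.lastIndexOf('\\')) {
            return Optional.empty();
        }
        String domain = value.substring(0, sep).toUpperCase(Locale.ROOT);
        String user = value.substring(sep + 1);
        // Dropping the domain makes DOMAIN\myuser and OTHER\myuser identical to
        // the backend, so strip only for domains that are explicitly expected.
        if (!ALLOWED_DOMAINS.contains(domain)) {
            return Optional.empty();
        }
        // Reject control characters (CR, LF, ...) so the value cannot split the header.
        if (user.chars().anyMatch(Character::isISOControl)) {
            return Optional.empty();
        }
        return Optional.of(user);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String[] samples = {"DOMAIN\\myuser", "domain\\myuser", "OTHER\\myuser", "myuser", "DOMAIN\\"};
        for (String s : samples) {
            System.out.println(s + " -> " + stripDomain(s).orElse("<rejected>"));
        }
    }
}
```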