Symantec Access Management


401 Unauthorized Access Page for Identity Portal Protected Through SiteMinder

    Posted Dec 10, 2019 05:00 PM
    Hello everyone,

    Have a current issue at the moment regarding CA Single Sign On (SiteMinder) and CA Identity Portal integration.
    Both solutions are deployed in a Linux environment. Web Agent version SP12.52 CR10 and Identity Portal (I believe the latest version) on the vApp.

    The Web Agent is fully deployed, configured, and registered to the Policy Server. We have set up the ProxyPass and ProxyPassReverse rules for AJP forwarding to Identity Manager and Identity Portal at the end of the httpd.conf file located in the /etc/httpd/conf directory.

    The format looks like this (minus the real hostnames):
    ProxyPass "/iam" "ajp://FQDNOFIDM:8009/iam"
    ProxyPassReverse "/iam" "ajp://FQDNOFIDM:8009/iam"

    ProxyPass "/sigma" "ajp://FQDNOFPORTAL:8010/sigma"
    ProxyPassReverse "/sigma" "ajp://FQDNOFPORTAL:8010/sigma"

    Then we would restart Apache services to apply these changes. When we open the browser and pull up the URL of the Web Agent, for example: http://singlesignonwebagent.ca.com/iam/im/identityEnv - We are prompted with an HTML form login (which is defined on the Realm) for authentication. We put in the credentials, and have no issues getting authorized and logging into Identity Manager.

    However... when we try to go to, for example: http://singlesignonwebagent.ca.com/sigma/app - We get prompted the same HTML Form, we put in the EXACT same username and password for authentication to Identity Portal, but after submitting credentials/clicking Login -- the result is a blank, white page that says "Unauthorized Access". 

    Why is this the case?

    1) We checked the smaccess.log and saw that the user credentials submitted were AuthAccept and AzAccept which leads me to believe that AA went through no problem, since for instance we can log into Identity Manager with those same credentials no problem.
    2) Portal has Enable SSO checkbox - Enabled in the Portal Admin UI Setup configuration - which I believe is all needed for the IDP-SSO integration. And SiteMinder Admin UI has the following ACO parameters, Domain, Realms, Rules, and Policy that is needed to protect Portal completed (follows the exact 4 ACOs needed to be edited and 6 realms needed to be protected listed in the TechDocs/Docops)
    3) We also checked the logs from Portal and can see SiteMinder Headers being passed, especially SM_USER and SMSESSION - But we get this block of a message from Portal that states "USER_NOT_AUTHENTICATED". When, like I mentioned previously, the same username and password is being used to log into Identity Manager and AA gets passed through no problem, yet it does not work for Portal.
    Here is the message -- 
    Inbound Message
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) ----------------------------
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) ID: 59
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Response-Code: 500
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Encoding: ISO-8859-1
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Content-Type: application/json
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Headers: {connection=[close], Content-Length=[125], content-type=[application/json], Date=[Mon, 09 Dec 2019 22:33:04 GMT], Server=[vApp Web Server], Set-Cookie=[JSESSIONID=NrWkpWdlRrj1CLpy9UdCfz-t.iamnode1; path=/iam/im], X-Frame-Options=[SAMEORIGIN], X-Powered-By=[Undertow/1]}
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Payload: {"errorCode":51,"errorLiteral":"USER_NOT_AUTHENTICATED","message":"Username and password do not match.","backendMessages":[]}
    2019-12-09 14:33:04,753 INFO [stdout] (default task-78) --------------------------------------

    - Can someone help with giving me reasons as to why this error is occurring? 
    - Is Portal throwing this 401 error message?
    - Or is it SiteMinder that's throwing the 401 error page?
    - Is the AJP Forwarding incorrect? Is the redirecting in the backend of Apache/AJP causing the issue? I don't believe it would if we can hit the URL/URI to Identity Manager and log in.
    - Missed configurations in Portal? Or missed configurations in installation of Portal?
    - Missed configurations in SiteMinder or the Web Agent? Or missed configurations in installation of the Web Agent?

    Any insight, resource, or help will be gratefully appreciated! Thanks everyone.
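Reading a Portal "Inbound Message" dump like the one above by hand is tedious when there are many of them. The following Python parser is an added example, not part of the original post or of the CA products: it extracts the response code, the response headers and the JSON payload from such a block and summarises which error literal came back together with the Server header and the cookie path of the application that answered. The log sample is constructed to match the shape of the excerpt (session id replaced with a placeholder), and the log prefix format is assumed to be the one shown in the post.

```python
import json
import re

# Constructed sample in the shape of the Portal log excerpt (placeholder session id).
SAMPLE_LOG = """\
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) ----------------------------
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) ID: 59
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Response-Code: 500
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Encoding: ISO-8859-1
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Content-Type: application/json
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Headers: {connection=[close], Content-Length=[125], content-type=[application/json], Date=[Mon, 09 Dec 2019 22:33:04 GMT], Server=[vApp Web Server], Set-Cookie=[JSESSIONID=PLACEHOLDER.iamnode1; path=/iam/im], X-Frame-Options=[SAMEORIGIN], X-Powered-By=[Undertow/1]}
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) Payload: {"errorCode":51,"errorLiteral":"USER_NOT_AUTHENTICATED","message":"Username and password do not match.","backendMessages":[]}
2019-12-09 14:33:04,753 INFO [stdout] (default task-78) --------------------------------------
"""

# "<date> <time> INFO [stdout] (default task-N) <rest>"; only <rest> is kept (assumed prefix format).
PREFIX = re.compile(r"^\d{4}-\d\d-\d\d \S+ \w+ \[stdout\] \([^)]*\) (.*)$")
# Java-style header map: Name=[value], Name=[value]; values may themselves contain commas.
HEADER = re.compile(r"([\w-]+)=\[([^\]]*)\]")


def parse_headers(header_map):
    """Turn '{Server=[vApp Web Server], Set-Cookie=[...]}' into a dict."""
    return {name: value for name, value in HEADER.findall(header_map)}


def parse_inbound_message(log_text):
    """Parse one 'Inbound Message' dump into response code, headers and JSON payload."""
    fields = {}
    for line in log_text.splitlines():
        match = PREFIX.match(line)
        body = match.group(1) if match else line
        if body.startswith("---"):          # separator lines carry no data
            continue
        key, sep, value = body.partition(": ")
        if sep:
            fields[key] = value.strip()
    return {
        "response_code": int(fields.get("Response-Code", 0)),
        "headers": parse_headers(fields.get("Headers", "{}")),
        "payload": json.loads(fields["Payload"]) if "Payload" in fields else None,
    }


def diagnose(parsed):
    """Summarise the error returned and which application produced the reply."""
    payload = parsed["payload"] or {}
    cookie = parsed["headers"].get("Set-Cookie", "")
    path = re.search(r"path=([^;]+)", cookie)
    return {
        "status": parsed["response_code"],
        "error": payload.get("errorLiteral"),
        "error_code": payload.get("errorCode"),
        "cookie_path": path.group(1).strip() if path else None,
        "server": parsed["headers"].get("Server"),
    }
```

The cookie path and Server header in the summary show which backend set the session cookie on the reply, which helps narrow down whether Portal itself or a backend it called rejected the credentials.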