Hi PSoni2,
SiteMinder returns reason codes for failed authentication.
The basic control flow relating to the Disabled Flag attribute during user authentication is:
- user is challenged for credentials (assume user ID and password)
- Disabled Flag attribute for the user is fetched/calculated
- If any of the disabled bits covered by Sm_Api_Disabled_DisabledMask are already set, authentication fails with the reason code Sm_Api_Reason_UserDisabled (7).
- If the user's credentials are not correct, authentication fails and an appropriate reason code is returned depending on password policies, etc. Note that if the maximum number of allowed failed login attempts is exceeded here, the Sm_Api_Disabled_MaxLoginFail disabled bit in the user's Disabled Flag would also be set.
- If the credentials are correct, other statuses are checked:
  - if the account inactivity limit was exceeded, the Sm_Api_Disabled_Inactivity disabled bit is set and Sm_Api_Reason_AccountInactivity is returned.
  - if the password change time limit was exceeded, the Sm_Api_Disabled_PWExpired disabled bit is set and Sm_Api_Reason_PwExpired is returned.
  - if the password age is in the must change window, the Sm_Api_Disabled_PWMustChange status bit is set and, depending on other settings (e.g. grace period), either Sm_Api_Reason_PwMustChange or Sm_Api_Reason_ImmedPWChangeRequired is returned.
- If the credentials are correct and none of the above returns were triggered, then if the Sm_Api_Disabled_PWMustChange status bit is set, Sm_Api_Reason_ImmedPWChangeRequired is returned.
Note that certain system errors during the above processing would cause Sm_Api_Reason_UnknownUser to be returned.
It should be apparent from the above sequence that the Sm_Api_Disabled_PWMustChange status bit might be set during an authentication attempt and a subsequent attempt could cause a disabled bit to then be set as well. Also, the Admin UI can be used to set/clear the Sm_Api_Disabled_PWMustChange status bit for a user independently of the state of any of the other bits.
When Directory Mapping is used, then during the user's authorization phase the Disabled Flag attribute for the user is refetched/recalculated. If any of the disabled bits covered by Sm_Api_Disabled_DisabledMask are set, authorization fails with the reason code Sm_Api_Reason_UserDisabled (7).
Appendix: SmAuthReason
- Sm_Api_Reason_None = 0
- Sm_Api_Reason_PwMustChange = 1
- Sm_Api_Reason_InvalidSession = 2
- Sm_Api_Reason_RevokedSession = 3
- Sm_Api_Reason_ExpiredSession = 4
- Sm_Api_Reason_AuthLevelTooLow = 5
- Sm_Api_Reason_UnknownUser = 6
- Sm_Api_Reason_UserDisabled = 7
- Sm_Api_Reason_InvalidSessionId = 8
- Sm_Api_Reason_InvalidSessionIp = 9
- Sm_Api_Reason_CertificateRevoked = 10
- Sm_Api_Reason_CRLOutOfDate = 11
- Sm_Api_Reason_CertRevokedKeyCompromised = 12
- Sm_Api_Reason_CertRevokedAffiliationChange = 13
- Sm_Api_Reason_CertOnHold = 14
- Sm_Api_Reason_TokenCardChallenge = 15
- Sm_Api_Reason_ImpersonatedUserNotInDir = 16
- Sm_Api_Reason_Anonymous = 17
- Sm_Api_Reason_PwWillExpire = 18
- Sm_Api_Reason_PwExpired = 19
- Sm_Api_Reason_ImmedPWChangeRequired = 20
- Sm_Api_Reason_PWChangeFailed = 21
- Sm_Api_Reason_BadPWChange = 22
- Sm_Api_Reason_PWChangeAccepted = 23
- Sm_Api_Reason_ExcessiveFailedLoginAttempts = 24
- Sm_Api_Reason_AccountInactivity = 25
- Sm_Api_Reason_NoRedirectConfigured = 26
- Sm_Api_Reason_ErrorMessageIsRedirect = 27
- Sm_Api_Reason_Next_Tokencode = 28
- Sm_Api_Reason_New_PIN_Select = 29
- Sm_Api_Reason_New_PIN_Sys_Tokencode = 30
- Sm_Api_Reason_New_User_PIN_Tokencode = 31
- Sm_Api_Reason_New_PIN_Accepted = 32
- Sm_Api_Reason_Guest = 33
- Sm_Api_Reason_PWSelfChange = 34
- Sm_Api_Reason_ServerException = 35
- Sm_Api_Reason_UnknownScheme = 36
- Sm_Api_Reason_UnsupportedScheme = 37
- Sm_Api_Reason_Misconfigured = 38
- Sm_Api_Reason_BufferOverflow = 39
- Sm_Api_Reason_SetPersistentSessionFailed = 40
- Sm_Api_Reason_UserLogout = 41
- Sm_Api_Reason_IdleSession = 42
- Sm_Api_Reason_PolicyServerEnforcedTimeout = 43
- Sm_Api_Reason_PolicyServerEnforcedIdle = 44
- Sm_Api_Reason_ImpersonationNotAllowed = 45
- Sm_Api_Reason_ImpersonationNotAllowedUser = 46
- Sm_Api_Reason_FederationNoLoginID = 47
- Sm_Api_Reason_FederationUserNotInDir = 48
- Sm_Api_Reason_FederationInvalidMessage = 49
- Sm_Api_Reason_FederationUnacceptedMessage = 50
- Sm_Api_Reason_ADnativeUserDisabled = 51
Thanks,
Shankar
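To make the order of checks in Shankar's post concrete, here is an added Python model of that flow (example code, not part of the post and not SiteMinder's code). The reason-code values are the ones from the appendix; the Disabled Flag bit values, the password-policy thresholds and the reason returned for a plain wrong password are assumptions of the example (check SmApi.h in your SDK for the real bit values).

```python
# Model of the Disabled Flag / reason-code flow from the post. Constant names come from
# the post; Disabled Flag bit VALUES and policy numbers are assumptions (check SmApi.h).
from dataclasses import dataclass
# Reason codes (values from the appendix in the post)
Sm_Api_Reason_None, Sm_Api_Reason_PwMustChange, Sm_Api_Reason_UserDisabled = 0, 1, 7
Sm_Api_Reason_PwExpired, Sm_Api_Reason_ImmedPWChangeRequired = 19, 20
Sm_Api_Reason_ExcessiveFailedLoginAttempts, Sm_Api_Reason_AccountInactivity = 24, 25
# Disabled Flag bits: ASSUMED values; the status bit sits outside the disabled mask
Sm_Api_Disabled_MaxLoginFail, Sm_Api_Disabled_Inactivity, Sm_Api_Disabled_PWExpired = 2, 4, 8
Sm_Api_Disabled_PWMustChange = 0x01000000  # status bit: does NOT disable the user
Sm_Api_Disabled_DisabledMask = 0x00FFFFFF  # bits that DO disable the user
# Assumed policy: 3 failures, 90 idle days, change password at 60 days, expire at 90
MAX_FAIL, INACTIVITY_DAYS, PW_CHANGE_DAYS, PW_EXPIRE_DAYS, GRACE_ALLOWED = 3, 90, 60, 90, True

@dataclass
class User:
    password: str
    idle_days: int      # days since last successful login
    pw_age_days: int    # days since last password change
    disabled_flag: int = 0
    failed_logins: int = 0

def authenticate(user: User, password: str) -> tuple[bool, int]:
    # Returns (accepted, reason) and updates user.disabled_flag as the post describes.
    # Already-set disabled bits win before credentials are even checked
    if user.disabled_flag & Sm_Api_Disabled_DisabledMask:
        return False, Sm_Api_Reason_UserDisabled
    if password != user.password:
        user.failed_logins += 1
        if user.failed_logins > MAX_FAIL:  # exceeding the limit sets a disabled bit
            user.disabled_flag |= Sm_Api_Disabled_MaxLoginFail
            return False, Sm_Api_Reason_ExcessiveFailedLoginAttempts
        return False, Sm_Api_Reason_None   # post leaves this code policy-dependent
    user.failed_logins = 0
    # Good credentials: inactivity and expiry set disabled bits and still fail the login
    if user.idle_days > INACTIVITY_DAYS:
        user.disabled_flag |= Sm_Api_Disabled_Inactivity
        return False, Sm_Api_Reason_AccountInactivity
    if user.pw_age_days > PW_EXPIRE_DAYS:
        user.disabled_flag |= Sm_Api_Disabled_PWExpired
        return False, Sm_Api_Reason_PwExpired
    # Must-change window sets only the status bit; grace period decides the reason code
    if user.pw_age_days > PW_CHANGE_DAYS:
        user.disabled_flag |= Sm_Api_Disabled_PWMustChange
        if GRACE_ALLOWED:
            return True, Sm_Api_Reason_PwMustChange
        return False, Sm_Api_Reason_ImmedPWChangeRequired
    # Status bit left over from an earlier attempt or set through the Admin UI
    if user.disabled_flag & Sm_Api_Disabled_PWMustChange:
        return False, Sm_Api_Reason_ImmedPWChangeRequired
    return True, Sm_Api_Reason_None
```

Calling authenticate four times with a wrong password sets Sm_Api_Disabled_MaxLoginFail, after which even the correct password comes back as Sm_Api_Reason_UserDisabled (7), whereas a user in the must-change window carries only the status bit, which is outside Sm_Api_Disabled_DisabledMask and so never disables the account by itself.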