Symantec Access Management

Tech Tip : CA Single Sign-On : On Federation Transactions, the Policy Server doesn't look in to the right User Store to find the User

Broadcom Employee
Posted Sep 20, 2016 07:26 AM

Issue :

Randomly, in a Federation transaction, the Policy Server selects the
wrong User Store to authenticate the user; as the user is not found
there, the user is not authorized.

I've been observing this issue for a long time.

The 2 User Directories (UDs) that get mixed up use the same LDAP
servers; only a different root is set on each.


Environment :

Policy Server 12.5CR02 on RedHat 5 64bit;


Cause :

This issue is caused by a flaw in the directory key mapping used to
define the User Stores. It is fixed in Policy Server 12.52.
Note that this issue is related to DNS names only in the sense that,
in 12.5, the DirectoryMap uses the LDAP server name: the keys of this
mapping are built from the LDAP Directory namespace and the server
name, so two User Directories on the same servers get the same key.
The fix changes this: the Policy Server now uses the User Directory
Name (the name given in the AdminUI) instead of the server name.


Resolution :

As a workaround, set FQDN aliases for all LDAP servers in the /etc/hosts
file on the Policy Server and on the AdminUI host, and then, in the
AdminUI, configure the LDAP servers listed in each User Store definition
(including the load balancing and failover entries) according to the
aliases you have put in the /etc/hosts file, so that each User Store
uses a distinct server name;


       This will solve the issue.
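The following is an added example (not from the tech tip or from the product) that models the DirectoryMap key before and after 12.52 and audits a set of User Directory definitions for the collision described above, then generates the /etc/hosts alias entries and rewritten server names for the workaround. All directory names, hostnames and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed sample User Directory (UD) definitions, hypothetical names and hosts.
# Employees and Partners share the same LDAP server and differ only in the root DN,
# which is the configuration the tech tip says gets mixed up on 12.5.
USER_DIRECTORIES = [
    {"name": "Employees", "namespace": "LDAP:", "server": "ldap1.example.com:389",
     "root": "ou=employees,dc=example,dc=com"},
    {"name": "Partners", "namespace": "LDAP:", "server": "ldap1.example.com:389",
     "root": "ou=partners,dc=example,dc=com"},
    {"name": "Customers", "namespace": "LDAP:", "server": "ldap2.example.com:389",
     "root": "ou=customers,dc=example,dc=com"},
]
# Constructed host-to-IP table standing in for DNS resolution of the LDAP servers.
HOST_IPS = {"ldap1.example.com": "192.0.2.10", "ldap2.example.com": "192.0.2.11"}

def key_pre_1252(ud):
    """Pre-12.52 DirectoryMap key as described in the Cause: namespace + server name."""
    return (ud["namespace"], ud["server"].lower())

def key_1252(ud):
    """12.52 key: the User Directory name given in the AdminUI."""
    return ud["name"]

def find_collisions(uds, key_fn):
    """Map each DirectoryMap key shared by several UDs to the names of those UDs."""
    groups = defaultdict(list)
    for ud in uds:
        groups[key_fn(ud)].append(ud["name"])
    return {k: names for k, names in groups.items() if len(names) > 1}

def apply_alias_workaround(uds):
    """Give every UD that collides under the pre-12.52 key its own FQDN alias per
    LDAP server (assumes FQDNs). Returns (/etc/hosts lines to add, rewritten UDs)."""
    colliding = {n for names in find_collisions(uds, key_pre_1252).values() for n in names}
    hosts_lines, fixed = [], []
    for ud in uds:
        ud = dict(ud)
        if ud["name"] in colliding:
            aliased = []
            for hostport in ud["server"].split(","):
                host, _, port = hostport.partition(":")
                short, domain = host.split(".", 1)
                alias = f"{short}-{ud['name'].lower()}.{domain}"
                hosts_lines.append(f"{HOST_IPS[host]} {alias}")
                aliased.append(f"{alias}:{port}" if port else alias)
            ud["server"] = ",".join(aliased)
        fixed.append(ud)
    return hosts_lines, fixed
```

After the rewrite, the two colliding UDs no longer share a pre-12.52 key, while the Customers UD is left untouched.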


    KD : TEC1275204