Oracle SSO Integrated with Siteminder: SSO Login Fails with HTTP-401 Unauthorized (Doc ID 987877.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.4 to 10.1.4.3 [Release 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 20-NOV-2015***

Symptoms

Oracle SSO has been integrated with Siteminder. A custom plugin named SSONeteAuth has been created to read an HTTP Header value set by Siteminder to create the SSO session. 

After successful Siteminder authentication, the following error is received when trying to log in to an OSSO-protected site:

401 Unauthorized Your account has been disabled, Please contact the system administrator

The Siteminder userid does not map to the OID UID value, so Siteminder sets an HTTP header, BOATID, to the UID value that exists in SSO. The custom SSONeteAuth authentication plugin then reads the BOATID header to obtain the authenticated user identity.

However, the ssoServer.log shows that SSO uses the Siteminder userid (the SM_USER value) for login instead of the BOATID value configured in the SSO plugin. SSO login subsequently fails because the Siteminder userid cannot be found in OID, and ssoServer.log shows the following error:

Tue Jan 05 16:10:07 GMT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Could not get attributes for user, 603461444
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = 603461444
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1160)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:923)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:870)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:537)
at oracle.security.sso.server.auth.AuthUtil.getUserMapping(AuthUtil.java:1473)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:1288)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:547)
at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:390)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
Tue Jan 05 15:10:07 GMT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Authorization failed for user: 603461444
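
To confirm from ssoServer.log which identity SSO actually tried to resolve in OID, the failing user ids can be extracted and compared against the expected SM_USER to BOATID mapping. This is an added example, not Oracle's code or part of the original note; the sample log is constructed in the format quoted above, and the mapping and the uid "jsmith" are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the ssoServer.log format quoted above (stack trace shortened).
SAMPLE_LOG = """\
Tue Jan 05 16:10:07 GMT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Could not get attributes for user, 603461444
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = 603461444
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1160)
Tue Jan 05 16:10:07 GMT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Authorization failed for user: 603461444
"""

# Hypothetical mapping: Siteminder userid (SM_USER) -> OID uid that Siteminder sends in BOATID.
SM_TO_BOATID = {"603461444": "jsmith"}

# Message patterns taken from the log excerpt in this note.
PATTERNS = {
    "lookup": re.compile(r"Could not get attributes for user, (\S+)"),
    "no_such_user": re.compile(r"NoSuchUserException: User does not exist - SIMPLE NAME = (\S+)"),
    "authz": re.compile(r"Authorization failed for user: (\S+)"),
}

def failed_identities(log_text):
    """Return {user id: set of failure kinds} seen in the log text."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            hit = rx.search(line)
            if hit:
                failures[hit.group(1)].add(kind)
    return dict(failures)

def classify(failures, sm_to_boatid):
    """Say whether each failed identity was the SM_USER value or the BOATID value."""
    report = {}
    for user in failures:
        if user in sm_to_boatid:
            report[user] = "SM_USER used for login; expected BOATID value %r" % sm_to_boatid[user]
        elif user in sm_to_boatid.values():
            report[user] = "BOATID value used but not found in OID"
        else:
            report[user] = "identity not in mapping"
    return report

if __name__ == "__main__":
    for user, verdict in classify(failed_identities(SAMPLE_LOG), SM_TO_BOATID).items():
        print(user, "->", verdict)
```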


Cause
