CA Single Sign-On Errors
This topic provides troubleshooting assistance when using the CA API Gateway with CA Single Sign-On.
CA Single Sign-On Authentication and Authorization Errors
The following table lists the failure values that can be returned during CA Single Sign-On authentication or authorization. The failure reason value is stored in the ${<prefix>.smcontext.attributes.SESS_DEF_REASON} context variable.
The CA Single Sign-On Policy Server must be configured to support SM session failure reason codes; otherwise failure reason "0" is always returned. Not all failures produce a specific code even when the Policy Server is configured correctly. For example, incorrect user credentials also return code "0". A value of "0" therefore does not by itself tell you whether the Policy Server is withholding reason codes or whether the credentials were rejected; check the ATTR_STATUS_MESSAGE context variable as well (see "Authentication/Authorization Errors" below).
Value | Reason | Value | Reason |
---|---|---|---|
0 | None | 26 | NoRedirectConfigured |
1 | PwMustChange | 27 | ErrorMessageIsRedirect |
2 | InvalidSession | 28 | Next_Tokencode |
3 | RevokedSession | 29 | New_PIN_Select |
4 | ExpiredSession | 30 | New_PIN_Sys_Tokencode |
5 | AuthLevelTooLow | 31 | New_User_PIN_Tokencode |
6 | UnknownUser | 32 | New_PIN_Accepted |
7 | UserDisabled | 33 | Guest |
8 | InvalidSessionId | 34 | PWSelfChange |
9 | InvalidSessionIp | 35 | ServerException |
10 | CertificateRevoked | 36 | UnknownScheme |
11 | CRLOutOfDate | 37 | UnsupportedScheme |
12 | CertRevokedKeyCompromised | 38 | Misconfigured |
13 | CertRevokedAffiliationChange | 39 | BufferOverflow |
14 | CertOnHold | 40 | SetPersistentSessionFailed |
15 | TokenCardChallenge | 41 | UserLogout |
16 | ImpersonatedUserNotInDir | 42 | IdleSession |
17 | Anonymous | 43 | PolicyServerEnforcedTimeout |
18 | PwWillExpire | 44 | PolicyServerEnforcedIdle |
19 | PwExpired | 45 | ImpersonationNotAllowed |
20 | ImmedPWChangeRequired | 46 | ImpersonationNotAllowedUser |
21 | PWChangeFailed | 47 | FederationNoLoginID |
22 | BadPWChange | 48 | FederationUserNotInDir |
23 | PWChangeAccepted | 49 | FederationInvalidMessage |
24 | ExcessiveFailedLoginAttempts | 50 | FederationUnacceptedMessage |
25 | AccountInactivity | | |
CA Single Sign-On Assertions Errors
This section describes some of the error conditions you may encounter while using the CA Single Sign-On assertions.
Check Protected Resource Errors
When the Check Protected Resource Against CA Single Sign-On Assertion is configured to use a resource that is not protected by CA Single Sign-On, the assertion will fail and the following audit message is logged:
WARNING 10102 CA Single Sign-On Check Protected Resource Against CA Single Sign-On assertion: The resource <resource> is not protected!
Unsupported Actions
An unsupported or invalid action entered in the Check Protected Resource Against CA Single Sign-On Assertion will not trigger a failure of this assertion. Instead, the Authorize via CA Single Sign-On Assertion will be declared falsified, with the error message "SM Sessions null is not authorized!" (see Assertion Status Codes). The following audit message is also logged:
WARNING 10102 CA Single Sign-On Authorize via CA Single Sign-On assertion: SM Sessions null is not authorized!
Authentication Failure
When the Authenticate Against CA Single Sign-On Assertion fails, the following audit message is logged:
WARNING 10102 CA Single Sign-On Authenticate Against CA Single Sign-On assertion: CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token:<token sent>
Authentication/Authorization Errors
When there is a CA Single Sign-On authentication or authorization failure, consult the following context variables to help you troubleshoot:
- ${<prefix>.smcontext.attributes.SESS_DEF_REASON} returns the reason code from the CA Single Sign-On Policy Server
- ${<prefix>.smcontext.attributes.ATTR_STATUS_MESSAGE} returns the error message from the failed authentication or authorization
For more information about the above context variables, see CA Single Sign-On Context Variables.
For more information about the failure reason codes, see the table of failure values under "CA Single Sign-On Authentication and Authorization Errors" above.
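The following Python script is an added example, not code from the gateway or from CA's documentation. It turns the failure reason table and the two context variables above into a triage routine: it maps SESS_DEF_REASON values to their symbolic names, groups them into buckets, flags the all-zero pattern that the caveat about Policy Server configuration warns about, and parses audit lines of the shape quoted in this topic while masking the SSO token that the authentication failure message echoes back. The bucket grouping, the `user` key on each event, the `min_events` threshold, and every sample event and audit line are this example's own constructions.

```python
"""Triage helpers for CA Single Sign-On failures seen through the CA API Gateway.
Added example, not gateway code; all sample data below is constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Failure reason values, copied from the table on this page.
SM_REASONS: Dict[int, str] = {
    0: "None", 1: "PwMustChange", 2: "InvalidSession", 3: "RevokedSession",
    4: "ExpiredSession", 5: "AuthLevelTooLow", 6: "UnknownUser", 7: "UserDisabled",
    8: "InvalidSessionId", 9: "InvalidSessionIp", 10: "CertificateRevoked",
    11: "CRLOutOfDate", 12: "CertRevokedKeyCompromised", 13: "CertRevokedAffiliationChange",
    14: "CertOnHold", 15: "TokenCardChallenge", 16: "ImpersonatedUserNotInDir",
    17: "Anonymous", 18: "PwWillExpire", 19: "PwExpired", 20: "ImmedPWChangeRequired",
    21: "PWChangeFailed", 22: "BadPWChange", 23: "PWChangeAccepted",
    24: "ExcessiveFailedLoginAttempts", 25: "AccountInactivity", 26: "NoRedirectConfigured",
    27: "ErrorMessageIsRedirect", 28: "Next_Tokencode", 29: "New_PIN_Select",
    30: "New_PIN_Sys_Tokencode", 31: "New_User_PIN_Tokencode", 32: "New_PIN_Accepted",
    33: "Guest", 34: "PWSelfChange", 35: "ServerException", 36: "UnknownScheme",
    37: "UnsupportedScheme", 38: "Misconfigured", 39: "BufferOverflow",
    40: "SetPersistentSessionFailed", 41: "UserLogout", 42: "IdleSession",
    43: "PolicyServerEnforcedTimeout", 44: "PolicyServerEnforcedIdle",
    45: "ImpersonationNotAllowed", 46: "ImpersonationNotAllowedUser", 47: "FederationNoLoginID",
    48: "FederationUserNotInDir", 49: "FederationInvalidMessage", 50: "FederationUnacceptedMessage",
}

# Triage buckets: an editorial grouping for this example (not a CA definition);
# every code 0-50 sits in exactly one bucket.
BUCKETS: Dict[str, set] = {
    "account_or_password": {1, 6, 7, 18, 19, 20, 21, 22, 23, 24, 25, 34},
    "session": {2, 3, 4, 8, 9, 40, 41, 42, 43, 44},
    "authorization": {5},
    "certificate": {10, 11, 12, 13, 14},
    "token_card": {15, 28, 29, 30, 31, 32},
    "impersonation": {16, 45, 46},
    "federation": {47, 48, 49, 50},
    "server_or_config": {26, 27, 35, 36, 37, 38, 39},
    "unspecified": {0, 17, 33},  # 0 also covers bad credentials (see the caveat above)
}

def _code(value) -> Optional[int]:
    try:  # the context variable yields a string; unset or garbage becomes None
        return int(value)
    except (TypeError, ValueError):
        return None

def reason_name(value) -> str:
    """Symbolic name for a SESS_DEF_REASON value."""
    code = _code(value)
    if code is None:
        return "Unparseable(%r)" % (value,)
    return SM_REASONS.get(code, "Unknown(%d)" % code)

def bucket_for(value) -> str:
    code = _code(value)
    if code is None:
        return "unparseable"
    return next((b for b, codes in BUCKETS.items() if code in codes), "unknown")

AUDIT_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<id>\d+)\s+CA Single Sign-On "
                      r"(?P<assertion>.+?) assertion:\s*(?P<message>.*)$")
TOKEN_RE = re.compile(r"(SSO Token:)\S+")

def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split a gateway audit line of the shape quoted on this page into fields.
    The authentication failure message echoes the SSO token that was sent, so
    it is masked here before the record is forwarded anywhere."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["message"] = TOKEN_RE.sub(r"\1<redacted>", rec["message"])
    return rec

def triage(events: Iterable[Dict[str, str]], min_events: int = 5) -> Dict[str, object]:
    """Per-bucket counts, users hitting lockout (24) or disabled (7), and a flag when
    every event reports reason 0 across >= min_events events: the signature of a Policy
    Server not returning failure reasons, or of pure bad-credential failures (see text)."""
    events = list(events)
    codes = [e.get("SESS_DEF_REASON") for e in events]
    alerts = {e.get("user", "?") for e in events if _code(e.get("SESS_DEF_REASON")) in (7, 24)}
    return {
        "total": len(events),
        "by_bucket": dict(Counter(bucket_for(c) for c in codes)),
        "account_alerts": sorted(alerts),
        "reason_codes_possibly_disabled": len(events) >= min_events
        and all(_code(c) == 0 for c in codes),
    }

# Constructed samples: what a policy logging the two context variables might yield.
# The 'user' key and the min_events threshold are this example's assumptions.
SAMPLE_EVENTS = [dict(user=u, SESS_DEF_REASON=r, ATTR_STATUS_MESSAGE="constructed")
                 for u, r in [("alice", "0"), ("bob", "24"), ("bob", "7"),
                              ("carol", "4"), ("dave", "12"), ("erin", "")]]
SAMPLE_AUDIT = [  # shapes quoted on this page; resource path and token value are made up
    "WARNING 10102 CA Single Sign-On Check Protected Resource Against CA Single Sign-On assertion: The resource /orders is not protected!",
    "WARNING 10102 CA Single Sign-On Authorize via CA Single Sign-On assertion: SM Sessions null is not authorized!",
    "WARNING 10102 CA Single Sign-On Authenticate Against CA Single Sign-On assertion: CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token:AbCdEf0123==",
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print([parse_audit_line(l) for l in SAMPLE_AUDIT])
```

Run the module directly to see the summary for the constructed batch; in practice, feed `triage` the values a logging policy captured from the two context variables, and route audit lines through `parse_audit_line` before they leave the gateway host, since the raw authentication failure message carries the SSO token that was presented.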