CA Single Sign-On Errors

This topic provides troubleshooting assistance when using the Layer7 API Gateway with CA Single Sign-On.
CA Single Sign-On Authentication and Authorization Errors
The following table lists the failure values that can be returned during CA Single Sign-On authentication or authorization. The failure reason value is stored in the ${<prefix>.smcontext.attributes.SESS_DEF_REASON} context variable.
The CA Single Sign-On Policy Server must be configured to support SM session failure reason codes; otherwise, failure reason "0" is always returned. Not all failures result in a specific code being returned. For example, errors such as incorrect user credentials result in code "0" being returned.
| Value | Reason | Value | Reason |
|-------|--------|-------|--------|
| 0 | None | 26 | NoRedirectConfigured |
| 1 | PwMustChange | 27 | ErrorMessageIsRedirect |
| 2 | InvalidSession | 28 | Next_Tokencode |
| 3 | RevokedSession | 29 | New_PIN_Select |
| 4 | ExpiredSession | 30 | New_PIN_Sys_Tokencode |
| 5 | AuthLevelTooLow | 31 | New_User_PIN_Tokencode |
| 6 | UnknownUser | 32 | New_PIN_Accepted |
| 7 | UserDisabled | 33 | Guest |
| 8 | InvalidSessionId | 34 | PWSelfChange |
| 9 | InvalidSessionIp | 35 | ServerException |
| 10 | CertificateRevoked | 36 | UnknownScheme |
| 11 | CRLOutOfDate | 37 | UnsupportedScheme |
| 12 | CertRevokedKeyCompromised | 38 | Misconfigured |
| 13 | CertRevokedAffiliationChange | 39 | BufferOverflow |
| 14 | CertOnHold | 40 | SetPersistentSessionFailed |
| 15 | TokenCardChallenge | 41 | UserLogout |
| 16 | ImpersonatedUserNotInDir | 42 | IdleSession |
| 17 | Anonymous | 43 | PolicyServerEnforcedTimeout |
| 18 | PwWillExpire | 44 | PolicyServerEnforcedIdle |
| 19 | PwExpired | 45 | ImpersonationNotAllowed |
| 20 | ImmedPWChangeRequired | 46 | ImpersonationNotAllowedUser |
| 21 | PWChangeFailed | 47 | FederationNoLoginID |
| 22 | BadPWChange | 48 | FederationUserNotInDir |
| 23 | PWChangeAccepted | 49 | FederationInvalidMessage |
| 24 | ExcessiveFailedLoginAttempts | 50 | FederationUnacceptedMessage |
| 25 | AccountInactivity | | |

CA Single Sign-On Assertions Errors
This section describes some of the error conditions you may encounter while using the CA Single Sign-On assertions.
Check Protected Resource Errors
When the Check Protected Resource Against CA Single Sign-On Assertion is configured to use a resource that is not protected by CA Single Sign-On, the assertion will fail and the following audit message is logged:
WARNING 10102 CA Single Sign-On Check Protected Resource Against CA Single Sign-On assertion: The resource <resource> is not protected!
Unsupported Actions
An unsupported or invalid action entered in the Assertion Status Codes). The following audit message is also logged:
WARNING 10102 CA Single Sign-On Authorize via CA Single Sign-On assertion: SM Sessions null is not authorized!
Authentication Failure
When the Authenticate Against CA Single Sign-On Assertion fails, the following audit message is logged:
WARNING 10102 CA Single Sign-On Authenticate Against CA Single Sign-On assertion: CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token:<token sent>
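The three audit messages above can be separated mechanically when triaging gateway logs. The following Python is an added example, not code from the gateway or its documentation: the function names, the timestamp prefix, and the sample resource and token are constructed. Replacing the logged SSO token with a hash fingerprint before the line is passed on is a choice made for this example.

```python
import hashlib
import re
from collections import Counter

# Patterns derived from the three audit messages quoted above (audit code 10102).
PATTERNS = [
    ("unprotected_resource", re.compile(
        r"WARNING 10102 .*Check Protected Resource.*: "
        r"The resource (?P<detail>.+) is not protected!")),
    ("not_authorized", re.compile(
        r"WARNING 10102 .*Authorize via CA Single Sign-On assertion: "
        r"SM Sessions (?P<detail>\S+) is not authorized!")),
    ("authentication_failure", re.compile(
        r"WARNING 10102 .*Unable to authenticate user using SSO Token:"
        r"(?P<detail>\S*)")),
]

def fingerprint(token):
    """Short SHA-256 fingerprint: repeated tokens correlate without being stored."""
    return "sha256:" + hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]

def classify(line):
    """Return (category, detail) for a matching audit line, or None if unrelated."""
    for category, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            detail = match.group("detail")
            if category == "authentication_failure":
                detail = fingerprint(detail)  # assumption: raw tokens are not forwarded
            return category, detail
    return None

def summarize(lines):
    """Count failures per category, ignoring lines that match no pattern."""
    return Counter(hit[0] for hit in map(classify, lines) if hit)

# Constructed sample lines: the timestamp prefix, resource and token are made up.
PREFIX = "CA Single Sign-On Authenticate Against CA Single Sign-On assertion: "
SAMPLE = [
    "2024-01-01T10:00:00 WARNING 10102 CA Single Sign-On Check Protected Resource "
    "Against CA Single Sign-On assertion: The resource /example/orders is not protected!",
    "2024-01-01T10:00:05 WARNING 10102 CA Single Sign-On Authorize via CA Single "
    "Sign-On assertion: SM Sessions null is not authorized!",
    "2024-01-01T10:00:09 WARNING 10102 " + PREFIX + PREFIX
    + "Unable to authenticate user using SSO Token:EXAMPLE-TOKEN-0001",
    "2024-01-01T10:00:12 INFO 4 unrelated line",
]
```

Calling summarize(SAMPLE) counts one failure in each of the three categories and skips the unrelated line.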
Authentication/Authorization Errors
When there is a CA Single Sign-On authentication or authorization failure, consult the following context variables to help you troubleshoot:
  • ${<prefix>.smcontext.attributes.SESS_DEF_REASON} returns the reason code from the CA Single Sign-On Policy Server
  • ${<prefix>.smcontext.attributes.ATTR_STATUS_MESSAGE} returns the authentication or authorization error
For more information about the above context variables, see CA Single Sign-On Context Variables.
For more information about the failure reason codes, see the table under "CA Single Sign-On Authentication and Authorization Errors" above.