This section contains the following topics:
Users Challenged by PeopleSoft after Authenticating with CA SSO
Valid on WebLogic server
Symptom:
Users are challenged by PeopleSoft for their credentials, even after successfully authenticating with CA SSO. This occurs when a default setting in the config.xml file of the WebLogic server is not changed when CA SSO is used.
Solution:
Change the default setting with the following steps:
<enforce-valid-basic-auth-credentials>true</enforce-valid-basic-auth-credentials>
Note: If the previous tag does not exist, add it before the following tag in the config.xml file:
</security-configuration>
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Perform the following procedure to verify the CA SSO policies.
Follow these steps:
Note: If a red indicator appears or the PSUSERNAME and/or NPSSessionLinker responses do not appear in the Attributes box, examine the Policy Server configuration and logs. The PSUSERNAME response should hold a valid PeopleSoft username.
If the web browser shows a 500 Server Error page, or if the web browser continuously returns to the login page, check the Web Agent log.
For a solution to these problems, see the CA SSO documentation.
Further diagnosis is beyond the scope of this document, but an examination of the Web Agent log file might reveal the solution.
The PeopleCode logs six stages during a successful authentication, as shown in the following table. The stage numbers are not actually called out in the log.
| Stage | Log Text | Description |
|---|---|---|
| 1 | Calling SmSSOSetLogging | PeopleCode is making its first call to the Validation Library (SMPSLoginLib). This is intended as a checkpoint to indicate that PeopleCode has been called, and is attempting to do its work. |
| 2 | Done calling DLL | PeopleCode has succeeded in calling the first DLL entry point, indicating that it has located, loaded, and used the DLL. |
| 3 | Authentication request received for DEFAULT_USER... | A login attempt has occurred for CA SSO integration, thus the remaining PeopleCode should be run. |
| 4 | Checking user KC0003 | PeopleCode is checking the validity of the user who just attempted to log in. |
| 5 | User KC0003 OK with CA SSO | The Validation Library has indicated that the information provided matches the expected values and that the login attempt should be allowed. |
| 6 | Finished processing request | Final checkpoint before PeopleCode returns control to the PeopleSoft application server. PeopleSoft controls authorization only after a successful authentication attempt from PeopleCode. |
If no log file is created, check the following:
Reaching this stage means that PeopleCode is being called when a user logs in. If no further entries appear in the log, the PeopleSoft application server probably cannot locate the Validation Library. Verify that the Validation Library is installed in the correct directory.
Stage 3 indicates that an authentication attempt has been received for the user DEFAULT_USER. If the Stage 3 entry does not appear in the log file, make sure the default user is enabled.
If the text "failed to get header PSUSERNAME" appears instead of the text "Checking user", the CA SSO HTTP header response PSUSERNAME does not appear in the HTTP request. Verify the CA SSO response through the use of the CA SSO Test Tool and the Web Agent log files.
If the following text appears, Login Library is unable to verify the user’s session information:
User XXX, session … not acceptable… rejecting
Examine the Login Library log file for any indication of configuration problems.
If the PeopleSoft application server does not reach Stage 6, it may have crashed between Login Library’s successful response and the end of the SITEMINDER_SSO function. Examine PeopleCode for a potential cause, which is likely to be something external to any of the PeopleSoft agent binaries.
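The stage-by-stage diagnosis above can be automated against a PeopleCode log. The following is an added example, not code from CA or from the original page: the bracketed line layout of the sample log is constructed, matching is done on the log texts quoted above, and treating the Stage 1 entry as the start of a new login attempt is an assumption.

```python
import re

# Stage markers, in order, from the "Log Text" column of the stage table.
STAGES = [r"Calling SmSSOSetLogging", r"Done calling DLL",
          r"Authentication request received for \S+", r"Checking user \S+",
          r"User \S+ OK with CA SSO", r"Finished processing request"]
# Failure texts quoted in the troubleshooting notes, with the page's advice.
FAILURES = {
    r"failed to get header PSUSERNAME":
        "PSUSERNAME header missing from the HTTP request; verify the CA SSO "
        "response with the Test Tool and the Web Agent log",
    r"User \S+, session .*not acceptable.*rejecting":
        "Login Library could not verify the session; examine the Login Library log",
}
# What to check when the log stops after stage N and no failure text was seen.
NEXT_CHECK = {
    0: "no stage entries; confirm a log file is created (log level 0 turns it off)",
    1: "Validation Library probably not found; verify its install directory",
    2: "no authentication request logged; make sure the default user is enabled",
    3: "no 'Checking user' entry; look for a PSUSERNAME header problem",
    4: "user not confirmed; examine the Login Library log",
    5: "stopped before the end of SITEMINDER_SSO; examine PeopleCode",
    6: "authentication completed",
}
# Constructed sample log (line layout assumed): a login rejected after Stage 4.
SAMPLE = [
    "[INF] Calling SmSSOSetLogging",
    "[INF] Done calling DLL",
    "[INF] Authentication request received for DEFAULT_USER",
    "[INF] Checking user KC0003",
    "[ERR] User KC0003, session abc123 not acceptable, rejecting",
]

def diagnose(lines):
    """Return (last_stage, finding) for the most recent login attempt in lines."""
    stage, failure = 0, None
    for line in lines:
        if re.search(STAGES[0], line):      # assumed: Stage 1 starts a new attempt
            stage, failure = 1, None
            continue
        if stage < 6 and re.search(STAGES[stage], line):
            stage += 1                      # only the next expected stage advances
        for pattern, finding in FAILURES.items():
            if re.search(pattern, line):
                failure = finding
    return stage, failure or NEXT_CHECK[stage]
```

Calling `diagnose(SAMPLE)` reports Stage 4 as the last stage reached, together with the Login Library finding.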
PeopleCode contains the function SmSSOSetLogging, which takes two parameters:
The following table shows the log level parameter values along with their meanings and indicators.
| Level | Log Indicator | Meaning |
|---|---|---|
| 0 | No indicator; no log file | None; the log file is off |
| 1 | ERR | Errors only; errors in initialization and communication are logged |
| 2 | INF | Informational; at this level information indicating the root cause of the problem is shown. The specific cause of the problem will probably not appear. |
| 3 | DBG | Debug; information not typically useful in production environments. |
| 4 | XXX | Extra; the information shown is intended as an aid in locating problems in the Login Library code itself, and intended for CA Technical Support. |
Perform the following procedure to determine the level to set.
Follow these steps:
Copyright © 2015 CA Technologies. All rights reserved.