09-12-2019 10:42 AM
Our web server is set up to use SiteMinder authenticator. The asp.net identity account has access to the registry key. The token was copied from Web to App server using the Single Sign On Config app while running as administrator.
The problem is I'm getting an error saying the account is locked or incorrect. However, the account is in good standing.
The following was pulled from the trace log on the App Server.
The 4th message indicates to me SSO authenticated successfully. Or am I reading it wrong? Where else should I look? We have this set up successfully in Production but failing in our DR environment.
09-12-2019 12:14 PM
Hi Stephen,
We use the Shibboleth SP in IIS (and we used to use Oracle WebGate in IIS) to turn single-sign on into SiteMinder-like authentication to AppNet (it is the SiteMinder license we have installed).
I think (4) says that the payload has been validated - it is formatted, it is trusted based on the shared keys - but five says it couldn't match a user to the SiteMinder payload.
Your AppNet web.config has a <Hyland.Authentication> section, that probably includes some <properties>.
<add key="userIDHeader" value="UID" /> will tell it to look for a username in an incoming server variable named "HTTP_UID". That might need to be set to something specific to your SiteMinder setup.
You can also add these keys to that section of the AppNet web.config to get more information logged for troubleshooting (pending other web.config mailslot settings too):
<add key="logUserName" value="true" />
<add key="logServerVariables" value="true" />
Do you have the document "Single Sign-On for Shibboleth/SiteMinder"? I don't think it has ever been easy to get through Community. Version 1 was written in Twenty-Thirteen (I spelled that out because Community is trying to turn the digit two into an at-mention), I think by Ian Cordova in the Custom Solutions Group at the time. It was immensely helpful to us when other Hyland employees didn't know the document existed, and as far as I can tell it is still relatively accurate today (we've done this on OnBase v17). I'm happy to help you get a copy with some annotations that we made if you don't have it.
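An added example, not part of the thread and not Hyland's code: a small check that compares the <Hyland.Authentication> properties of a working web.config against a failing one, as in the Production versus DR case above, and reports whether the troubleshooting keys are still switched on. The two sample configs are constructed, the nesting of <properties> directly under <Hyland.Authentication> is assumed from the reply, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the nesting of <properties> under
# <Hyland.Authentication> is assumed from the description in the reply.
PROD = """<configuration><Hyland.Authentication><properties>
  <add key="userIDHeader" value="UID" />
</properties></Hyland.Authentication></configuration>"""

DR = """<configuration><Hyland.Authentication><properties>
  <add key="logUserName" value="true" />
  <add key="logServerVariables" value="true" />
</properties></Hyland.Authentication></configuration>"""

DEBUG_KEYS = {"logUserName", "logServerVariables"}  # troubleshooting keys named in the reply


def auth_properties(config_xml):
    """Return {key: value} for the <add> entries under Hyland.Authentication."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # An unbalanced quote such as value="true /> ends up here.
        raise ValueError(f"web.config is not well-formed XML: {exc}") from exc
    section = next(root.iter("Hyland.Authentication"), None)
    if section is None:
        raise ValueError("no <Hyland.Authentication> section found")
    return {a.get("key"): a.get("value", "") for a in section.iter("add") if a.get("key")}


def compare(reference_xml, candidate_xml):
    """List auth-property differences between a working and a failing config."""
    ref, cand = auth_properties(reference_xml), auth_properties(candidate_xml)
    findings = []
    for key in sorted(ref.keys() | cand.keys()):
        if key not in cand:
            findings.append(f"missing in candidate: {key}={ref[key]}")
        elif key not in ref:
            findings.append(f"only in candidate: {key}={cand[key]}")
        elif ref[key] != cand[key]:
            findings.append(f"differs: {key} reference={ref[key]} candidate={cand[key]}")
    for key in sorted(DEBUG_KEYS & cand.keys()):
        if cand[key].lower() == "true":
            findings.append(f"verbose logging enabled: {key}")
    return findings


if __name__ == "__main__":
    for line in compare(PROD, DR):
        print(line)
```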
09-12-2019 12:41 PM
I was missing the following property <add key="userIDHeader" value="UID" />.
I feel like I'm fighting myself sometimes since I'll have the web.config file open and make changes there and/or have WAMCON open and make changes there. This will blow each other's changes since I know I had the property in there one time or another. Either way... THANK YOU!!
Do you mind sending me that document? I feel like I've happened upon it before, but don't seem to have a saved copy. Please send it to stephen.dinh@pemco.com.
10-15-2019 02:05 AM