Topic
  • 6 replies
  • Latest Post - ‏2013-12-18T09:16:06Z by Pavel_Bely
Pavel_Bely
7 Posts

Pinned topic ITIM. Unable to determine the user ID for single sign-on.

2013-11-18T14:31:20Z

Hello all,

I am trying to implement ITIM SSO through WebSEAL and getting "CTGIMU531E Unable to determine the user ID for single sign-on".

I have the following environment set up on a single Linux server:
IBM WebSphere 6.1
DB2 9.1
ITIM 5.1
ITAM 6.1.1 with WebSEAL
TDI 7.1

I have followed all the steps in Configuring single sign-on http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itim.doc%2Ftop%2Flanding-security.html

  • I have set in enRoleAuthentication.properties:

enrole.authentication.idsEqual=false

  • and the following in ui.properties:

###########################################################
# Properties used by Single Sign On with WebSeal and TAM only
###########################################################

# Single Sign On enabled (true|false)
enrole.ui.ssoEnabled=true

# ############
# ############ I have added this line according to Configuring IBM Security Identity Manager to use single sign-on
# ############
enrole.ui.taiEnabled=true

# Encoding Scheme to decode User Credentials in Single Sign On
enrole.ui.ssoEncoding=UTF-8

  • I have created SSL junction:
    server task default-webseald-belytest.iba create -t ssl -s -j -e utf8_uri -c iv_user -p 9443 -h belytest /itimserver

  • And performed all the necessary steps with ACLs and ITAM group definitions.

But I still cannot perform single sign-on to ITIM.
This is what I got in trace.log:

<Trace Level="MIN">
 <Time Millis="1384782963824"> 2013.11.18 15:56:03.824+02:00</Time>
 <Server Format="IP">belytest.iba</Server>
 <ProductId>CTGIM</ProductId>
 <Component>com.ibm.itim.ui</Component>
 <ProductInstance>server1</ProductInstance>
 <LogText><![CDATA[CTGIMU531E Unable to determine the user ID for single sign-on.]]></LogText>
 <Source FileName="(null)" Method="null"/>
 <Thread>WebContainer : 0</Thread>
 <Exception><![CDATA[com.ibm.itim.ui.exception.ITIMUISSOUserIdNotFoundException: CTGIMU531E Unable to determine the user ID for single sign-on.
    at com.ibm.itim.ui.sso.TAMIVHeaderSSOAdapter.isAuthenticated(TAMIVHeaderSSOAdapter.java:53)
    at com.ibm.itim.ui.controller.ITIMControlServlet.loadLogin(ITIMControlServlet.java:1152)
    at com.ibm.itim.ui.controller.ITIMControlServlet.handleBaseServletRequest(ITIMControlServlet.java:1130)
    at com.ibm.itim.ui.controller.ITIMControlServlet.doGet(ITIMControlServlet.java:253)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:966)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:907)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
    at com.ibm.itim.ui.impl.customform.SubFormLegacyFilter.doFilter(SubFormLegacyFilter.java:60)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:696)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:641)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
    at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:463)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3107)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:238)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
    at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1425)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:92)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:394)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:274)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:152)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:213)
    at com.ibm.io.async.AbstractAsyncFuture.fireCompletionActions(AbstractAsyncFuture.java:195)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:193)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:725)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:847)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1498)
]]></Exception>
</Trace>

and in msg.log:

<Message Id="None" Severity="WARN">
 <Time Millis="1384782963822"> 2013.11.18 15:56:03.822+02:00</Time>
 <Server Format="IP">belytest.iba</Server>
 <ProductId>CTGIM</ProductId>
 <Component>com.ibm.itim.ui</Component>
 <ProductInstance>server1</ProductInstance>
 <LogText><![CDATA[CJL0004E Message key CTGIMU531E Unable to determine the user ID for single sign-on. was not found in the message file com.ibm.itim.ui.resources.UIMessageResources .]]></LogText>
 <Source FileName="(null)" Method="null"/>
 <TranslationInfo Type="JAVA" Catalog="com.ibm.itim.ui.resources.UIMessageResources" MsgKey="CTGIMU531E Unable to determine the user ID for single sign-on."></TranslationInfo>
</Message>
 

Could you please help resolve this issue?
Many thanks in advance.

  • yn2000
    1112 Posts
    ACCEPTED ANSWER

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-11-19T14:33:04Z

    Try: enrole.authentication.idsEqual=true

    You have to configure the TAM GSO junction, if you set enrole.authentication.idsEqual=false

    Rgds, YN

  • goonitsupport
    117 Posts

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-11-18T22:00:04Z

    hmm, a bit back level for me.

    But, what is the user you are logging onto WebSEAL with, and does it exist in ITIM (ITIM User Account)?


    Where does it say to use "enrole.ui.taiEnabled=true". I don't remember this step (but I may be wrong).

    Good luck

  • Padam Khatana
    15 Posts

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-11-19T06:51:16Z

    Since iv_user is passed in the junction, the user with which you logged in to TAM WebSEAL must have a valid ITIM account in ITIM. If not, only then will you get this error.


    HTH,

    Padam Khatana

  • Pavel_Bely
    7 Posts

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-11-19T09:10:38Z

    Thank you very much for your prompt responses, goonitsupport and Padam!

    But I suppose that the user account I logged into WebSEAL (sec_master) existed also for ITIM (ITIM Manager).

    Please see the System Administrator user accounts below:

    Since the ITIM and ITAM accounts are not equal, I have specified

    • I have set in enRoleAuthentication.properties:

    enrole.authentication.idsEqual=false


    Should I perform any further configuration for these accounts to be recognized?

    Thanks in advance.

    Where does it say to use "enrole.ui.taiEnabled=true". I don't remember this step (but I may be wrong).

    Good luck

    I have picked up this information from Configuring IBM Security Identity Manager.
    Have already deleted this line, thanks.

    Updated on 2013-11-19T09:21:05Z at 2013-11-19T09:21:05Z by Pavel_Bely
  • franzw
    396 Posts

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-11-19T09:33:16Z

    You are misunderstanding the Account concept for SSO. To log in to ITIM you use ITIM accounts.

    You need to have a sec_master account on the ITIM Service to make it work - it is not enough to have it as a managed account within ITIM.

    HTH

    Regards

    Franz Wolfhagen

  • Pavel_Bely
    7 Posts

    Re: ITIM. Unable to determine the user ID for single sign-on.

    2013-12-18T09:16:06Z

    Finally I managed to set up SSO to ITIM.
    The problem was that I could not get it working for a user that has non-identical accounts in the ITAM and ITIM services.

    I tried to set
    enrole.authentication.idsEqual=false
    but then I should have created a GSO junction and performed some more configuration.

    So I ended up with
    enrole.authentication.idsEqual=true
    and added the user that has identical accounts in ITIM and ITAM to the administrative group.

    Thank you all for your help!

    Updated on 2013-12-18T10:45:40Z at 2013-12-18T10:45:40Z by Pavel_Bely
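The user-id resolution this thread converges on, as an added Python model (not IBM's code; ITIM's real TAI and GSO internals are not on the page): the iv-user header set by the `-c iv_user` junction, `enrole.authentication.idsEqual`, and the GSO mapping yn2000 refers to. The properties parser, the ITIM account set and the mapping table are assumptions constructed for the example.

```python
# Added model of the SSO user-id resolution discussed in this thread.
# Not IBM's code: ITIM's real TAI/GSO internals are not on the page, so the
# parser, account set and mapping table below are constructed assumptions.

IV_USER_HEADER = "iv-user"  # header WebSEAL inserts for a junction created with -c iv_user

def parse_properties(text):
    """Parse Java .properties text (key=value), skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

# Constructed samples: the poster's ui.properties values, both idsEqual settings,
# the accounts that exist on the ITIM service, and an (empty) GSO mapping.
UI_PROPS = parse_properties("enrole.ui.ssoEnabled=true\nenrole.ui.ssoEncoding=UTF-8\n")
AUTH_IDS_EQUAL_FALSE = parse_properties("enrole.authentication.idsEqual=false\n")
AUTH_IDS_EQUAL_TRUE = parse_properties("enrole.authentication.idsEqual=true\n")
ITIM_SERVICE_ACCOUNTS = {"ITIM Manager"}  # sec_master is a TAM user, not an ITIM account yet
NO_GSO_MAPPING = {}  # TAM user id -> ITIM user id; empty because no GSO junction was built

def resolve_sso_user(headers, ui_props, auth_props, itim_accounts, gso_mapping):
    """Return the ITIM user id for a request that came through the WebSEAL junction,
    or None in the CTGIMU531E situation (no ITIM account can be determined).
    The header is trusted as-is, so ITIM must only be reachable via the junction."""
    if ui_props.get("enrole.ui.ssoEnabled") != "true":
        return None  # SSO disabled: ITIM would show its own login form instead
    tam_user = headers.get(IV_USER_HEADER)
    if not tam_user or tam_user == "Unauthenticated":  # WebSEAL's value for anonymous sessions
        return None
    if auth_props.get("enrole.authentication.idsEqual") == "true":
        itim_user = tam_user  # TAM id and ITIM id must be the same string
    else:
        itim_user = gso_mapping.get(tam_user)  # needs the GSO mapping yn2000 refers to
    return itim_user if itim_user in itim_accounts else None

def poster_scenarios():
    """The thread's three states: failing as posted, still failing with idsEqual=true
    alone, and working once an identically named account exists on the ITIM service."""
    hdr = {IV_USER_HEADER: "sec_master"}
    as_posted = resolve_sso_user(hdr, UI_PROPS, AUTH_IDS_EQUAL_FALSE, ITIM_SERVICE_ACCOUNTS, NO_GSO_MAPPING)
    ids_equal_only = resolve_sso_user(hdr, UI_PROPS, AUTH_IDS_EQUAL_TRUE, ITIM_SERVICE_ACCOUNTS, NO_GSO_MAPPING)
    fixed = resolve_sso_user(hdr, UI_PROPS, AUTH_IDS_EQUAL_TRUE, ITIM_SERVICE_ACCOUNTS | {"sec_master"}, NO_GSO_MAPPING)
    return as_posted, ids_equal_only, fixed
```

The model deliberately stops at user-id resolution; the administrative-group membership from the final post is an ITIM authorization step, not part of the SSO mapping.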