IBM Support

SSO Token Propagation in Connections 5.5

Technote (troubleshooting)


Problem

Exception getting opaque token from originating server.

com.ibm.websphere.security.auth.WSLoginFailedException: SSO token uniqueID not
null, but opaque token not found. Need to re-challenge the user to login again


Symptom

When attempting to log in to Connections 5.5 where an SSO solution is in place, the login page may keep refreshing as the login is attempted repeatedly.


Cause

In WebSphere Application Server 8.5.5.7 and 8.5.5.8, there are two settings that can contradict each other in certain circumstances if both are set to true.

Step 28b in the following documentation instructs users to enable security token propagation in the WebSphere Integrated Console. This step instructs WebSphere to request user object information from the upstream server where the request originated. If token propagation is not selected, WAS will attempt to get user object information from LDAP.
http://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/install/t_inst_federated_repositories.html

In these versions, there is a custom security property which is set to true by default:
com.ibm.websphere.security.disableGetTokenFromMBean = true

This setting can contradict the propagation setting and result in the above error.


Resolving the problem

There are two options to resolve this issue.

1) Disable security token propagation, which will force WAS to get the user object from LDAP.

2) Set the custom property to false to allow WAS to get the user object from the originating server.

The choice between the two is a performance decision that depends on overall system traffic.
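One way to check a cell's security.xml for the conflicting pair described above, as an added example that is not IBM's code. It assumes custom security properties appear as top-level `<properties name="..." value="..."/>` elements, that the propagation setting is stored as `com.ibm.ws.security.webInboundPropagationEnabled`, and that an absent `disableGetTokenFromMBean` entry means the default of true stated above; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Property name as given in the technote.
MBEAN_PROP = "com.ibm.websphere.security.disableGetTokenFromMBean"
# Assumption: name under which the propagation checkbox is stored.
PROPAGATION_PROP = "com.ibm.ws.security.webInboundPropagationEnabled"

# Constructed, heavily reduced stand-in for a cell's security.xml.
SAMPLE = """<security:Security xmlns:xmi="urn:example:xmi"
    xmlns:security="urn:example:security" xmi:id="Security_1">
  <properties xmi:id="Property_1"
      name="com.ibm.ws.security.webInboundPropagationEnabled" value="true"/>
</security:Security>"""


def read_properties(security_xml):
    """Return {name: lowercased value} for top-level <properties> elements."""
    root = ET.fromstring(security_xml)
    props = {}
    for el in root.findall("properties"):
        name = el.get("name")
        if name:
            props[name] = (el.get("value") or "").strip().lower()
    return props


def check_sso_conflict(security_xml, mbean_default="true"):
    """Report whether both settings from the technote are effectively true."""
    props = read_properties(security_xml)
    # Assumption: an absent propagation property means propagation is off.
    propagation = props.get(PROPAGATION_PROP, "false") == "true"
    # Absent means the version default, which the technote gives as true.
    mbean_disabled = props.get(MBEAN_PROP, mbean_default) == "true"
    return {
        "propagation_enabled": propagation,
        "mbean_lookup_disabled": mbean_disabled,
        "mbean_prop_explicit": MBEAN_PROP in props,
        "conflict": propagation and mbean_disabled,
    }


if __name__ == "__main__":
    for key, value in check_sso_conflict(SAMPLE).items():
        print(f"{key}: {value}")
```

On WebSphere versions where the custom property does not default to true, pass `mbean_default="false"` so an absent entry is not reported as a conflict.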

Document information

More support for: IBM Connections

Software version: 5.5

Operating system(s): AIX, Linux, Windows

Reference #: 1986804

Modified date: 22 July 2016

