Support Article

SSO: LDAP Timeout can't re-login as same user (Mixed Case)

SA-27750

Summary



When a session timeout occurs, the user is unable to log in again with a different username or password. This is correct behavior.

However, sometimes the user is not able to log in even with the same username or password. They get the same error: "May Not Change Username during Timeout revalidation".


Error Messages



"May Not Change Username during Timeout revalidation"


Steps to Reproduce



(Uses LDAP and pxSessionTimer prompting for authentication on timeout)

1. Log into the PRPC application using an all-lowercase username (example: endusera).
2. Wait for the session to time out (5 min).
3. A request for credentials displays in a popup window.
4. Enter the username and password. Use the same username but in mixed case (example: endUserA).

Error displayed: "May Not Change Username during Timeout revalidation"

Root Cause



The PRPC authentication engine layer looks up the user's OperatorID page and compares the existing pyUserIdentifier property with the incoming value set during the login and timeout activities.

The comparison is done without normalizing to lower case. This makes it so the case

Resolution



Update both the login and timeout activities to normalize "param.UserIdentifier" to lower case when setting .pyUserIdentifier.

Both login and timeout activities will have a step that looks like this:


Change param.UserIdentifier to @toLowerCase(param.UserIdentifier)
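
The following is an added illustration, not PRPC code or part of the original article: a small Python model of the revalidation check showing why both activities need the change. The `Session` class, `run` helper and the `lower_on_login` / `lower_on_timeout` flags are hypothetical names, and the usernames are constructed sample values; password verification against LDAP is outside the model.

```python
ERROR = "May Not Change Username during Timeout revalidation"


class Session:
    """Models the stored identifier (.pyUserIdentifier) for one operator session."""

    def __init__(self, lower_on_login, lower_on_timeout):
        self.lower_on_login = lower_on_login
        self.lower_on_timeout = lower_on_timeout
        self.stored = None

    def login(self, user_identifier):
        # Login activity: sets the stored identifier from the incoming parameter.
        self.stored = user_identifier.lower() if self.lower_on_login else user_identifier

    def revalidate(self, user_identifier):
        # Timeout activity: the incoming name must match the stored one.
        incoming = user_identifier.lower() if self.lower_on_timeout else user_identifier
        return None if incoming == self.stored else ERROR


def run(lower_on_login, lower_on_timeout, login_name, timeout_name):
    """Log in, then revalidate; returns None when accepted, else the error text."""
    session = Session(lower_on_login, lower_on_timeout)
    session.login(login_name)
    return session.revalidate(timeout_name)


if __name__ == "__main__":
    # (label, lower_on_login, lower_on_timeout, name at login, name at timeout)
    cases = [
        ("original behavior", False, False, "endusera", "endUserA"),
        ("timeout activity only", False, True, "EndUserA", "endUserA"),
        ("both activities", True, True, "EndUserA", "endUserA"),
        ("both, different user", True, True, "endusera", "enduserb"),
    ]
    for label, on_login, on_timeout, first, second in cases:
        result = run(on_login, on_timeout, first, second) or "accepted"
        print(f"{label:24} {first} -> {second}: {result}")
```

In this model, normalizing only the timeout activity still rejects a user who logged in with mixed case, because the stored identifier was never lowered. With both activities normalized, a genuinely different username is still refused.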

Published September 8, 2016 - Updated September 15, 2016

