Support Article
SSO: LDAP Timeout can't re-login as same user (Mixed Case)
SA-27750
Summary
When a session timeout occurs, the user is unable to log in again with a different username or password; this is correct behavior.
However, sometimes the user is not able to log in even with the same username or password. They get the same error: "May Not Change Username during Timeout revalidation".
Error Messages
"May Not Change Username during Timeout revalidation"
Steps to Reproduce
(Uses LDAP and pxSessionTimer prompting for authentication on timeout)
1. Log into PRPC Application using all lower case Username. (example: endusera)
2. Wait for session time out (5 min).
3. Request for credentials displays in popup window.
4. Enter username and password. Use the same username but in mixed case (example: endUserA).
Error displayed: "May Not Change Username during Timeout revalidation"
Root Cause
The PRPC authentication engine layer looks at the user's OperatorID page and compares the existing pyUserIdentifier property with the incoming value set during the login and timeout activities.
The comparison is done without normalizing to lower case. This makes it so the case
Resolution
Update both the login and timeout activities to normalize "param.UserIdentifier" to lower case when setting .pyUserIdentifier.
Both login and timeout activities will have a step that looks like this:
Change param.UserIdentifier to @toLowerCase(param.UserIdentifier)
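The following sketch is an added illustration, not Pega code: it models the identifier comparison described under Root Cause and shows why the normalization has to be applied in both activities while a genuinely different username is still rejected. The names Session, login, revalidate and attempt are hypothetical, and password/LDAP verification is left out on purpose.

```python
from dataclasses import dataclass

ERROR = "May Not Change Username during Timeout revalidation"


class RevalidationError(Exception):
    """Raised when the incoming identifier differs from the stored one."""


def normalize(user_identifier: str) -> str:
    # Plays the role of @toLowerCase(param.UserIdentifier) in the resolution.
    return user_identifier.lower()


@dataclass
class Session:
    # Stands in for .pyUserIdentifier on the OperatorID page (assumption).
    py_user_identifier: str


def login(user_identifier: str, normalized: bool) -> Session:
    # Login activity: stores the identifier, optionally lower-cased.
    stored = normalize(user_identifier) if normalized else user_identifier
    return Session(stored)


def revalidate(session: Session, user_identifier: str, normalized: bool) -> bool:
    # Timeout activity: compares the incoming identifier with the stored one.
    incoming = normalize(user_identifier) if normalized else user_identifier
    if incoming != session.py_user_identifier:
        raise RevalidationError(ERROR)
    return True


def attempt(login_name: str, relogin_name: str,
            login_normalized: bool, timeout_normalized: bool) -> bool:
    """Return True if revalidation after timeout is accepted."""
    session = login(login_name, login_normalized)
    try:
        return revalidate(session, relogin_name, timeout_normalized)
    except RevalidationError:
        return False


if __name__ == "__main__":
    # Constructed sample identifiers taken from the article's example.
    print(attempt("endusera", "endUserA", False, False))  # reported behavior
    print(attempt("endusera", "endUserA", True, True))    # both activities fixed
    print(attempt("endUserA", "endUserA", False, True))   # only timeout fixed
    print(attempt("endusera", "enduserb", True, True))    # different user
```
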
Published September 15, 2016 - Updated December 2, 2021