000014187 - FIM federation does not work because of token IP mismatch.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014187
Applies To: Federated Identity Management Module 2.6
ClearTrust Server 5.5.3
Issue: FIM federation does not work because of token IP mismatch.
The RSA FIM ClearTrust integration demo from "Appendix F" in the FIM 2.6 configuration guide does not work. The user is prompted for a second authentication after federation.

ctagent.log shows the following message:

2009-04-06 10:05:00 -0400 - [1360] - <Info> - Token client IP address do not match any excluded IP addresses
2009-04-06 10:05:00 -0400 - [1360] - <Security> - Token IP and client IP address do not match
2009-04-06 10:05:00 -0400 - [1360] - <Warning> - Invalid return value from cookie processing: 7902

Cause: This error message indicates that the CTSESSION token created by RSA FIM is not accepted by the RSA Agent because the token IP address in the cookie does not match the original IP address used by the browser. RSA FIM creates the token with the IP address of the RSA FIM server.
Resolution: Ensure that the token created by FIM is accepted by the agent, either by disabling the agent's cookie IP check (cleartrust.agent.cookie_ip_check=False) or by adding the IP address of the FIM server to cleartrust.agent.ip_check_exclusion_list= in the webagent.conf file.
Legacy Article ID: a45480
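
To confirm that a repeated authentication prompt is this issue, the ctagent.log pattern quoted above can be matched mechanically. The following Python is an added example, not RSA code: it assumes the line layout shown in the excerpt, treats the bracketed number as an identifier shared by related lines (an assumption), and its function and variable names are hypothetical.

```python
import re

# Layout taken from the ctagent.log excerpt in this article:
# "<date> <time> <tz> - [<id>] - <Level> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) - "
    r"\[(?P<ident>\d+)\] - <(?P<level>\w+)> - (?P<msg>.*)$"
)
MISMATCH = "Token IP and client IP address do not match"
RETVAL_RE = re.compile(r"Invalid return value from cookie processing: (\d+)")


def find_ip_mismatches(lines):
    """Return one record per rejected token: timestamp, id, return code,
    and whether the exclusion list was consulted just before the rejection."""
    events = []
    pending = {}          # id -> event still waiting for its return code
    excl_checked = set()  # (timestamp, id) pairs where the exclusion list missed
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a layout this example does not know
        ts, ident, level, msg = m.group("ts", "ident", "level", "msg")
        if level == "Info" and "excluded IP addresses" in msg:
            excl_checked.add((ts, ident))
        elif level == "Security" and msg == MISMATCH:
            ev = {"ts": ts, "id": ident, "code": None,
                  "exclusion_list_checked": (ts, ident) in excl_checked}
            events.append(ev)
            pending[ident] = ev
        elif level == "Warning" and ident in pending:
            rv = RETVAL_RE.search(msg)
            if rv:
                pending.pop(ident)["code"] = int(rv.group(1))
    return events


# The three lines quoted in the article, plus one constructed unrelated line.
SAMPLE = """\
2009-04-06 10:05:00 -0400 - [1360] - <Info> - Token client IP address do not match any excluded IP addresses
2009-04-06 10:05:00 -0400 - [1360] - <Security> - Token IP and client IP address do not match
2009-04-06 10:05:00 -0400 - [1360] - <Warning> - Invalid return value from cookie processing: 7902
2009-04-06 10:05:02 -0400 - [1412] - <Info> - constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for event in find_ip_mismatches(SAMPLE):
        print(event)
```

After the FIM server's address has been added to the exclusion list, rerunning this over a fresh log should return no records for federated logins.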
