Troubleshooting
Problem
Attempts to enable SSO result in the error "exception in authenticating csrf token" in IBM Sterling Order Management 9.2.
Symptom
When SSO (single sign-on) is enabled in version 9.2, the following error appears in the application server log. In 9.2, the CSRF (cross-site request forgery) protection feature is enabled by default.
<Errors>
  <Error
    ErrorCode="exception in authenticating csrf token :/smcfs/console/home.detail"
    ErrorDescription="Error description not available" ErrorRelatedMoreInfo="">
    <Attribute Name="ErrorCode" Value="exception in authenticating csrf token :/smcfs/console/home.detail"/>
Cause
With SSO enabled, once SSO has authenticated the user the product redirects the flow to smcfs/console/home.detail without a CSRF token.
Diagnosing The Problem
When CSRF protection is enabled, each URL is appended with its own token, which must be passed back with the request. When SSO is enabled, once SSO has authenticated the user the product redirects the flow to smcfs/console/home.detail without a token. Because that URL carries no token, the validation error is thrown.
Resolving The Problem
To resolve the problem, add the URL /console/home.detail to the sc.csrf.bypass.uri list in web.xml so that it is excluded from CSRF validation.
This allows the application's home page to be accessed (the SSO implementation is called to authenticate the user). Any further URLs accessed will work the same way as before.
The first URL used to access the application (in this case, console/home.detail) needs to be excluded from CSRF validation because, when the user accesses that first URL, the authentication logic has not run yet and so no token has been generated; the system therefore has nothing to compare the request's token against.
In standard login (i.e. without SSO), the first URL is console/login.jsp, and it is excluded from CSRF validation by default for the same reason: the token has not yet been generated, so there is nothing to compare it with.
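To illustrate the mechanism described above, here is an added Python model of the token check (not the product's code) that reads the sc.csrf.bypass.uri list from a constructed web.xml fragment. The comma-separated value format, the /smcfs context-root handling and the filter logic itself are assumptions made for the example.

```python
import secrets
import xml.etree.ElementTree as ET

CONTEXT_ROOT = "/smcfs"  # assumed context root, as seen in the error message

# Constructed web.xml fragment for the example; value format is assumed
# to be a comma-separated list of URIs relative to the context root.
WEB_XML = """<web-app>
  <context-param>
    <param-name>sc.csrf.bypass.uri</param-name>
    <param-value>/console/login.jsp,/console/home.detail</param-value>
  </context-param>
</web-app>"""


def load_bypass_uris(web_xml: str) -> set:
    """Return the URIs listed in the sc.csrf.bypass.uri context-param."""
    root = ET.fromstring(web_xml)
    for param in root.iter("context-param"):
        if param.findtext("param-name") == "sc.csrf.bypass.uri":
            value = param.findtext("param-value") or ""
            return {u.strip() for u in value.split(",") if u.strip()}
    return set()


class CsrfFilter:
    """Hypothetical model of the per-request token validation."""

    def __init__(self, bypass_uris):
        self.bypass_uris = bypass_uris
        self.session_token = None  # exists only after authentication ran

    def authenticate(self):
        """Authentication generates the session token later URLs must carry."""
        self.session_token = secrets.token_urlsafe(16)
        return self.session_token

    def check(self, uri, token=None):
        """Allow bypassed URIs; otherwise require the session's token."""
        path = uri[len(CONTEXT_ROOT):] if uri.startswith(CONTEXT_ROOT) else uri
        if path in self.bypass_uris:
            return True, "bypassed: authentication has not run yet"
        if self.session_token is None or token is None \
                or not secrets.compare_digest(token, self.session_token):
            return False, f"exception in authenticating csrf token :{uri}"
        return True, "token ok"


def sso_first_request(bypass_uris):
    """SSO lands on home.detail with no token, before any token exists."""
    return CsrfFilter(bypass_uris).check(CONTEXT_ROOT + "/console/home.detail")
```

With an empty bypass list the first SSO request fails exactly as in the log above; with /console/home.detail in the list it passes, while every later URL is still validated against the session token.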
Document Information
Modified date: 10 May 2022
UID: swg21622043