000013743 - FIM error 'The name ID plug-in configuration for this format could not be retrieved'

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013743
Applies To: RSA Federated Identity Mapping FIM 4.1
Issue
FIM error "The name ID plug-in configuration for this format could not be retrieved"

The following exception is generated by FIM:
2011-08-30 11:48:15,965, (SAML11AssertionConsumerServiceServlet.java:81), fim.rsa.com, , , , A ProfileException was encountered, com.rsa.fim.profile.sso.SSOProfileException: The name ID plug-in configuration for this format could not be retrieved
        at com.rsa.fim.profile.sso.SSOHelper.nullCheck(SSOHelper.java:394)
Cause
This error indicates that no nameID plugin is currently configured to handle the unspecified nameID type. By default, most of the FIM 4.1 plugins are not configured to accept this nameID format. Since the data in the unspecified format could be of any type, it may not be obvious which plugin is appropriate. The customer may have to write their own plugin to handle assertions with this nameID format, but it is often possible to use one of the existing plugins.
Resolution
If the value passed as the nameID can be parsed by one of the existing plugins, all that is required is to modify that plugin's plugin.xml to accept the unspecified nameID format. For example, for a nameID in the format of a UID you can use the GenericNameIdPlugin plugin. Edit the plugin.xml file for the GenericNameIdPlugin plugin and add a line for the SAML 1.1 unspecified format. (Note that some SAML documentation incorrectly implies that there is a SAML 2.0 unspecified nameID format. The unspecified nameID is a SAML 1.1 format, although SAML 2.0 does support all of the SAML 1.1 formats.)
<StaticField Key="SupportedNameIDs">
    <Value>urn:oasis:names:tc:SAML:1.0:assertion#X509SubjectName</Value>
    <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Value>
    <!-- <Value>urn:oasis:names:tc:SAML:1.0:assertion#emailAddress</Value>
    <Value>urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName</Value> -->
</StaticField>
Once the plugin.xml has been modified, you will need to restart FIM to support the new nameID type.
Create a new plugin definition in the FIM console. Under the "Plugin configuration" tab, enter "unspecified" as the "Local name ID Format".
Now when you go to the association page, under "Federated Identity Options" in the "Name Identifier Types" section you will see a new entry for the "unspecified Plug-in". Select this as the plugin to use for your partner association and the nameID should now be correctly parsed.
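The following check is an added example, not RSA code: it compares the NameIdentifier format of a captured SAML 1.1 assertion against the uncommented SupportedNameIDs values in a plugin.xml, so the mismatch behind this error can be confirmed before and after the edit. The <Plugin> wrapper element, the sample assertion and the assumption that format URIs are compared exactly are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed plugin.xml: only the StaticField fragment is from the article;
# the <Plugin> root is a placeholder for the rest of the real file.
PLUGIN_XML = """<Plugin>
  <StaticField Key="SupportedNameIDs">
    <Value>urn:oasis:names:tc:SAML:1.0:assertion#X509SubjectName</Value>
    %s
    <!-- <Value>urn:oasis:names:tc:SAML:1.0:assertion#emailAddress</Value> -->
  </StaticField>
</Plugin>"""
BEFORE = PLUGIN_XML % ""                                   # default config
AFTER = PLUGIN_XML % ("<Value>%s</Value> " % UNSPECIFIED)  # edited config

# Constructed SAML 1.1 assertion fragment (unsigned, most attributes omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AuthenticationStatement><saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameIdentifier>
  </saml:Subject></saml:AuthenticationStatement>
</saml:Assertion>"""

def supported_name_ids(plugin_xml):
    """Return the active SupportedNameIDs values; XML comments are dropped by the parser."""
    formats = set()
    for field in ET.fromstring(plugin_xml).iter("StaticField"):
        if field.get("Key") == "SupportedNameIDs":
            formats.update((v.text or "").strip() for v in field.iter("Value"))
    formats.discard("")
    return formats

def name_id_formats(assertion_xml):
    """Return the Format of every NameIdentifier in the assertion."""
    # SAML 1.1 core: a NameIdentifier with no Format attribute is 'unspecified'.
    return [ni.get("Format") or UNSPECIFIED
            for ni in ET.fromstring(assertion_xml).iter("{%s}NameIdentifier" % SAML11_NS)]

def unhandled_formats(plugin_xml, assertion_xml):
    """Formats used by the assertion that the plugin does not list."""
    supported = supported_name_ids(plugin_xml)
    return [f for f in name_id_formats(assertion_xml) if f not in supported]

if __name__ == "__main__":
    for label, cfg in (("before edit", BEFORE), ("after edit", AFTER)):
        print(label, "-> unhandled:", unhandled_formats(cfg, ASSERTION) or "none")
```

The check reads only the Format attribute; it does not validate the assertion's signature or conditions.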
Workaround
The assertion is using a SAML 1.1 unspecified nameID format. The value is actually a UID with a string value.
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 
Legacy Article ID: a55866
