000023109 - The SAML authentication context is not mapped to a local authentication context.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000023109
Applies To: Federated Identity Management Module 3.0
Issue
Error message: The SAML authentication context is not mapped to a local authentication context. Please inspect your local Authentication Policy.
Error stack trace:
com.rsa.fim.profile.sso.SSOProfileException: The SAML authentication context is not mapped to a local authentication context. Please inspect your local Authentication Policy.
 at com.rsa.fim.profile.sso.SSOProfileBean.processResponse(SSOProfileBean.java:2487)
 at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.processResponse(SSOProfile_5wyj3w_EOImpl.java:100)
 at com.rsa.fim.servlet.sso.AssertionConsumerService.doGet(AssertionConsumerService.java:64)
Cause

When an IdP sends an SSO message to an SP, the authentication methods used by the two parties need to match in some way. A mapping must exist that translates the generic, formal SAML authentication context class into the local mechanism implemented by the end system.

The problem can be seen if you follow these steps:

As part of a SAML Response message, the IdP sends an authentication context such as the following:

     <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
     </saml:AuthnContext>

The problem is that no appropriate mapping for this class has been configured in the FIM 3.0 configuration (by default FIM 3.0 is configured to map only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport).

Resolution

Modify the FIM configuration to map the supplied SAML authentication mechanism as follows:

Connect to the FIM 3.0 configuration (for example http://localhost:7001/fimconfig/).

Select Policies -> Authentication -> Manage existing to display the list of available authentication policies.

Click on RSA Access Manager Authentication Policy and select Edit.

Click on the Map Authentication Methods tab.

Scroll down to the SAML to Local Authentication Methods section.

From the SAML Method pulldown menu select Password, on the Local Method pulldown menu select BASIC, then click Add.

This adds an entry to the listbox reading: urn:oasis:names:tc:SAML:2.0:ac:classes:Password maps to BASIC.

Notice that the SAML authentication mechanism selected here matches the AuthnContextClassRef value shown in the example above. The system should now run correctly.

If the connection also operates in the other direction, where a local method must be mapped to a SAML method, that mapping is also done on this form but is managed in the section higher up the page.
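The following script is an added illustration of the check described in the Cause and Resolution sections above; it is not FIM code and does not reproduce how FIM stores its policy. It parses the AuthnContextClassRef out of a constructed SAML Response and looks it up in a SAML-to-local mapping, so that the default mapping (PasswordProtectedTransport only) fails with the article's error message while the mapping extended with Password -> BASIC succeeds. The local method assigned to PasswordProtectedTransport in the default mapping is an assumption; the article does not state it.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ERROR_MESSAGE = (
    "The SAML authentication context is not mapped to a local authentication "
    "context. Please inspect your local Authentication Policy."
)

# Default FIM 3.0 state per the article: only PasswordProtectedTransport is mapped.
# The local method "BASIC" for it is an assumption made for this example.
DEFAULT_MAPPING = {AC_PPT: "BASIC"}

# State after the Resolution steps: Password is additionally mapped to BASIC.
FIXED_MAPPING = {AC_PPT: "BASIC", AC_PASSWORD: "BASIC"}

# Constructed sample SAML Response carrying the AuthnContext shown in the article.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{AC_PASSWORD}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


class SSOProfileError(Exception):
    """Stand-in for the SSOProfileException raised by the assertion consumer."""


def authn_context_classes(response_xml: str) -> list:
    """Return every AuthnContextClassRef value carried by the Response, in order."""
    root = ET.fromstring(response_xml)
    refs = root.findall(f".//{{{SAML_ASSERTION_NS}}}AuthnContextClassRef")
    return [ref.text.strip() for ref in refs if ref.text and ref.text.strip()]


def unmapped_contexts(response_xml: str, mapping: dict) -> list:
    """List the SAML context classes in the Response that the policy does not map.

    An empty list means the Response would be accepted by this mapping.
    """
    return [cls for cls in authn_context_classes(response_xml) if cls not in mapping]


def process_response(response_xml: str, mapping: dict) -> str:
    """Resolve the Response's authentication context to a local method.

    Raises SSOProfileError with the article's message when no mapping exists,
    mirroring what the SP does when its Authentication Policy is incomplete.
    """
    classes = authn_context_classes(response_xml)
    if not classes:
        raise SSOProfileError("SAML Response carries no AuthnContextClassRef")
    missing = unmapped_contexts(response_xml, mapping)
    if missing:
        raise SSOProfileError(ERROR_MESSAGE + " Unmapped: " + ", ".join(missing))
    return mapping[classes[0]]


if __name__ == "__main__":
    for label, mapping in (("default", DEFAULT_MAPPING), ("fixed", FIXED_MAPPING)):
        try:
            print(label, "->", process_response(SAMPLE_RESPONSE, mapping))
        except SSOProfileError as exc:
            print(label, "->", exc)
```

Run it as-is to see the default mapping reject the Password context and the extended mapping resolve it to BASIC. The `unmapped_contexts` helper is the part worth keeping: pointed at a captured Response and your current policy, it tells you exactly which AuthnContextClassRef the IdP is sending so the entry added under SAML to Local Authentication Methods matches it character for character.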


Legacy Article ID: a32268
