000022114 - Error: 'TokenException: User must be specified in the map' in RSA Federated Identity Manager (FIM)

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022114
Applies To: RSA Federated Identity Manager (FIM) 2.5
RSA ClearTrust Agent 4.6 for Microsoft IIS
Microsoft Windows 2000 Professional
Microsoft Internet Information Server (IIS)
Issue: Error: "TokenException: User must be specified in the map" in RSA Federated Identity Manager (FIM)
After completing the setup in Appendix D of the FIM 2.5 installation guide, navigate to http://machinename.com:7001/samlassertingparty/SamlSsoDemo.jsp, click the Employee Login link (http://machinename.com/cleartrust/ct_logon.asp?CTAuthMode=BASIC&ct_orig_uri=http://machinename.com:7001/samlassertingparty/SamlSsoDemo.jsp) and authenticate at the ClearTrust prompt as user2. Then navigate back to http://machinename.com:7001/samlassertingparty/SamlSsoDemo.jsp and click the Partner Link (http://machinename.com:7001/samlassertingparty/AP?TARGET=http://machinename.com/protectedpage.html). The browser shows the following:

Error 500 - Internal Server Error
The server encountered the following unexpected condition: Error in RSA Federated Identity Manager: Error encountered in Relying Party servlet: com.rsa.csf.common.exceptionbase.CsfApplicationException: Error in Relying Party while processing Asserting Party response: ; nested exception is: com.rsa.csf.common.exceptionbase.CsfApplicationException: Cannot create ticket from ticketPlugin class: com.rsa.csf.techservice.saml.plugins.CtTicketPluginRP; nested exception is: com.rsa.csf.techservice.saml.plugins.TicketPluginException: unable to create a ClearTrust token: sirrus.runtime.TokenException: User must be specified in the map

stack trace of outer exception:
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyService_h7evde_EOImpl.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(SamlSsoRelyingPartyService_h7evde_EOImpl.java:46)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceProxyClient.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.application.saml.SamlSsoRelyingPartyServlet.doGet(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(Unknown Source)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(HttpServlet.java:740)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(HttpServlet.java:853)
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run()Ljava.lang.Object;(ServletStubImpl.java:971)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;Lweblogic.servlet.internal.FilterChainImpl;)V(ServletStubImpl.java:402)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(ServletStubImpl.java:305)
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run()Ljava.lang.Object;(WebAppServletContext.java:6350)
weblogic.security.acl.internal.AuthenticatedSubject.doAs(Lweblogic.security.subject.AbstractSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(AuthenticatedSubject.java:317)
weblogic.security.service.SecurityManager.runAs(Lweblogic.security.acl.internal.AuthenticatedSubject;Lweblogic.security.acl.internal.AuthenticatedSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(SecurityManager.java:118)
weblogic.servlet.internal.WebAppServletContext.invokeServlet(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)V(WebAppServletContext.java:3635)
weblogic.servlet.internal.ServletRequestImpl.execute(Lweblogic.kernel.ExecuteThread;)V(ServletRequestImpl.java:2585)
weblogic.kernel.ExecuteThread.execute(Lweblogic.kernel.ExecuteRequest;)V(ExecuteThread.java:197)
weblogic.kernel.ExecuteThread.run()V(ExecuteThread.java:170)
java.lang.Thread.startThreadFromVM(Ljava.lang.Thread;)V(Unknown Source)

stack trace of inner exception:
com.rsa.csf.techservice.saml.common.SamlAssertionProcessor.processSsoAssertion([Lcom.rsa.csf.techservice.saml.opensaml.SAMLAssertion;Lcom.rsa.csf.domain.objects.RPAssertingParty;Ljava.lang.String;)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.techservice.saml.common.SamlProtocolProcessor.processSsoResponse(Lcom.rsa.csf.techservice.saml.opensaml.SAMLResponse;Ljava.lang.String;Lcom.rsa.csf.techservice.saml.signature.XMLSecurityProvider;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.techservice.saml.common.SamlProtocolProcessor.processSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyService_h7evde_EOImpl.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(SamlSsoRelyingPartyService_h7evde_EOImpl.java:46)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceProxyClient.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.application.saml.SamlSsoRelyingPartyServlet.doGet(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(Unknown Source)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(HttpServlet.java:740)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(HttpServlet.java:853)
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run()Ljava.lang.Object;(ServletStubImpl.java:971)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;Lweblogic.servlet.internal.FilterChainImpl;)V(ServletStubImpl.java:402)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(ServletStubImpl.java:305)
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run()Ljava.lang.Object;(WebAppServletContext.java:6350)
weblogic.security.acl.internal.AuthenticatedSubject.doAs(Lweblogic.security.subject.AbstractSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(AuthenticatedSubject.java:317)
weblogic.security.service.SecurityManager.runAs(Lweblogic.security.acl.internal.AuthenticatedSubject;Lweblogic.security.acl.internal.AuthenticatedSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(SecurityManager.java:118)
weblogic.servlet.internal.WebAppServletContext.invokeServlet(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)V(WebAppServletContext.java:3635)
weblogic.servlet.internal.ServletRequestImpl.execute(Lweblogic.kernel.ExecuteThread;)V(ServletRequestImpl.java:2585)
weblogic.kernel.ExecuteThread.execute(Lweblogic.kernel.ExecuteRequest;)V(ExecuteThread.java:197)
weblogic.kernel.ExecuteThread.run()V(ExecuteThread.java:170)
java.lang.Thread.startThreadFromVM(Ljava.lang.Thread;)V(Unknown Source)

stack trace of inner exception:
com.rsa.csf.techservice.saml.plugins.CtTicketPluginRP.createTicketFromWebSsoContext(Ljava.util.List;Lcom.rsa.csf.techservice.saml.common.WebSsoContext;Ljava.util.Map;Ljava.util.Map;)Ljava.util.Map;(Unknown Source)
com.rsa.csf.techservice.saml.common.SamlAssertionProcessor.processSsoAssertion([Lcom.rsa.csf.techservice.saml.opensaml.SAMLAssertion;Lcom.rsa.csf.domain.objects.RPAssertingParty;Ljava.lang.String;)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.techservice.saml.common.SamlProtocolProcessor.processSsoResponse(Lcom.rsa.csf.techservice.saml.opensaml.SAMLResponse;Ljava.lang.String;Lcom.rsa.csf.techservice.saml.signature.XMLSecurityProvider;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.techservice.saml.common.SamlProtocolProcessor.processSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyService_h7evde_EOImpl.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(SamlSsoRelyingPartyService_h7evde_EOImpl.java:46)
com.rsa.csf.clientservice.saml.SamlSsoRelyingPartyServiceProxyClient.processSamlSsoResponse(Ljava.lang.String;Ljava.lang.String;Z)Lcom.rsa.csf.techservice.saml.common.RelyingPartySsoResult;(Unknown Source)
com.rsa.csf.application.saml.SamlSsoRelyingPartyServlet.doGet(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(Unknown Source)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)V(HttpServlet.java:740)
javax.servlet.http.HttpServlet.service(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(HttpServlet.java:853)
weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run()Ljava.lang.Object;(ServletStubImpl.java:971)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;Lweblogic.servlet.internal.FilterChainImpl;)V(ServletStubImpl.java:402)
weblogic.servlet.internal.ServletStubImpl.invokeServlet(Ljavax.servlet.ServletRequest;Ljavax.servlet.ServletResponse;)V(ServletStubImpl.java:305)
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run()Ljava.lang.Object;(WebAppServletContext.java:6350)
weblogic.security.acl.internal.AuthenticatedSubject.doAs(Lweblogic.security.subject.AbstractSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(AuthenticatedSubject.java:317)
weblogic.security.service.SecurityManager.runAs(Lweblogic.security.acl.internal.AuthenticatedSubject;Lweblogic.security.acl.internal.AuthenticatedSubject;Ljava.security.PrivilegedAction;)Ljava.lang.Object;(SecurityManager.java:118)
weblogic.servlet.internal.WebAppServletContext.invokeServlet(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)V(WebAppServletContext.java:3635)
weblogic.servlet.internal.ServletRequestImpl.execute(Lweblogic.kernel.ExecuteThread;)V(ServletRequestImpl.java:2585)
weblogic.kernel.ExecuteThread.execute(Lweblogic.kernel.ExecuteRequest;)V(ExecuteThread.java:197)
weblogic.kernel.ExecuteThread.run()V(ExecuteThread.java:170)
java.lang.Thread.startThreadFromVM(Ljava.lang.Thread;)V(Unknown Source)
Event.log shows the following:

2005-07-07 16:09:22,128 CRITICAL - [SAML-ApSsoBapStarted: AAHAOWFStCxKh/pYAKdQqworYCLkRdPD2Qwk/F7YOaBE8stqAR8e1NDZ; appdrp; TargetURL='http://jwai-t.na.rsa.net/protectedpage.html', AssertionID='_3ceeb9cdaaf023babbbbfd4d3b4842a9fbc1cff9', LocalSubject='SAMLSubject nameQualifier=null format=#CTUID 'user2''] AssertingParty created artifact=AAHAOWFStCxKh/pYAKdQqworYCLkRdPD2Qwk/F7YOaBE8stqAR8e1NDZ, for RelyinParty=appdrp. Additional info: TargetURL='http://jwai-t.na.rsa.net/protectedpage.html', AssertionID='_3ceeb9cdaaf023babbbbfd4d3b4842a9fbc1cff9', LocalSubject='SAMLSubject nameQualifier=null format=#CTUID 'user2''
2005-07-07 16:09:32,222 CRITICAL - [SAML-RpSsoArtifactRequestCreated: _b206e28877741ac74768f93e37e466c587a31017; appdap; Artifact='AAHAOWFStCxKh/pYAKdQqworYCLkRdPD2Qwk/F7YOaBE8stqAR8e1NDZ', ] RelyingParty created Request Id=_b206e28877741ac74768f93e37e466c587a31017, sent to AssertingParty=appdap. Additonal Info: Artifact='AAHAOWFStCxKh/pYAKdQqworYCLkRdPD2Qwk/F7YOaBE8stqAR8e1NDZ',
2005-07-07 16:09:43,503 CRITICAL - [SAML-ApRequestReceived: _b206e28877741ac74768f93e37e466c587a31017; appdrp; RPLookupKey='MapHttpBasicAuthnId'] AssertingParty received Request Id=_b206e28877741ac74768f93e37e466c587a31017, from RelyingParty=appdrp. Additional Info: RPLookupKey='MapHttpBasicAuthnId'
2005-07-07 16:09:43,644 CRITICAL - [SAML-ApRequestReceived: _b206e28877741ac74768f93e37e466c587a31017; appdrp; RequestType='ArtifactRequest'] AssertingParty received Request Id=_b206e28877741ac74768f93e37e466c587a31017, from RelyingParty=appdrp. Additional Info: RequestType='ArtifactRequest'
2005-07-07 16:09:43,784 CRITICAL - [SAML-ApResponseCreated: _de24a35748317a7acf06c4e28612a4856fffe2f6; _b206e28877741ac74768f93e37e466c587a31017; appdrp; ResponseStatusXML='<samlp:Status><samlp:StatusCode Value="samlp:Success"></samlp:StatusCode></samlp:Status>', AssertionId='_3ceeb9cdaaf023babbbbfd4d3b4842a9fbc1cff9', ] AssertionParty created Response Id=_de24a35748317a7acf06c4e28612a4856fffe2f6, for Request Id=_b206e28877741ac74768f93e37e466c587a31017, for RelyingParty=appdrp. Additional Info: ResponseStatusXML='<samlp:Status><samlp:StatusCode Value="samlp:Success"></samlp:StatusCode></samlp:Status>', AssertionId='_3ceeb9cdaaf023babbbbfd4d3b4842a9fbc1cff9',
2005-07-07 16:09:44,800 CRITICAL - [SAML-RpSsoResponseExcep: SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(); Cannot create ticket from ticketPlugin class: com.rsa.csf.techservice.saml.plugins.CtTicketPluginRP\; nested exception is: com.rsa.csf.techservice.saml.plugins.TicketPluginException: unable to create a ClearTrust token: sirrus.runtime.TokenException: User must be specified in the map] method SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(): unexpected exception received by the RP when processing the SSO response message: Cannot create ticket from ticketPlugin class: com.rsa.csf.techservice.saml.plugins.CtTicketPluginRP; nested exception is: com.rsa.csf.techservice.saml.plugins.TicketPluginException: unable to create a ClearTrust token: sirrus.runtime.TokenException: User must be specified in the map
2005-07-07 16:09:44,800 CRITICAL - [SAML-CantCreateToken: CtTicketPlugin.createTicketFromWebSsoContext(); user22; User must be specified in the map] method CtTicketPlugin.createTicketFromWebSsoContext(): Unable to create a ClearTrust cookie for user user22 due to the following exception: User must be specified in the map.
Cause
When RSA Federated Identity Manager (FIM) receives a web SSO SAML assertion, the assertion contains a subject name that FIM maps to an RSA ClearTrust username. That username must already exist in the RSA ClearTrust associated with the RP system.
Resolution
To correct this issue, add the user defined in RSA ClearTrust for the AP to RSA ClearTrust for the RP. If you do not know which user it is, perform one of the following steps:

  • Make sure the user lists are consistent in RSA ClearTrust

  • Use the DEBUG option in FIM (on the RP side) and check the output for the offending username; search for sirrus.runtime.TokenException
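
Both checks can be run against Event.log itself. The following is an added example, not RSA code: it parses the event-line shape shown in this article, lists the subject the AP asserted and the username the RP failed on, and compares the latter with a user list. The sample lines are constructed and abridged from the excerpt above, and `rp_users` is a hypothetical export of the RP's ClearTrust usernames.

```python
import re

# Line shape taken from the Event.log excerpt on this page:
#   <date> <time> <LEVEL> - [<EventName>: <field>; <field>; ...] <message>
EVENT_RE = re.compile(r"^(\S+ \S+) \w+ - \[(SAML-\w+): (.*?)\] ")
SUBJECT_RE = re.compile(r"LocalSubject='SAMLSubject [^']*'([^']+)''")

def parse_events(lines):
    """Yield (timestamp, event_name, fields) for each SAML event line."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            # Fields are ';'-separated; the log escapes a literal ';' as '\;'.
            fields = [f.strip() for f in re.split(r"(?<!\\);", m.group(3))]
            yield m.group(1), m.group(2), fields

def ap_subjects(lines):
    """Subjects the asserting party placed in its assertions."""
    return [s for _, name, fields in parse_events(lines)
            if name == "SAML-ApSsoBapStarted"
            for s in SUBJECT_RE.findall(";".join(fields))]

def failed_rp_users(lines):
    """Usernames the relying party could not create a ClearTrust token for."""
    return [fields[1] for _, name, fields in parse_events(lines)
            if name == "SAML-CantCreateToken" and len(fields) >= 2]

def missing_at_rp(lines, rp_users):
    """Failed usernames absent from rp_users (hypothetical RP user export)."""
    known = set(rp_users)
    return sorted({u for u in failed_rp_users(lines) if u not in known})

# Constructed sample, abridged from the Event.log lines in this article.
SAMPLE_LOG = [
    "2005-07-07 16:09:22,128 CRITICAL - [SAML-ApSsoBapStarted: ARTIFACT; appdrp; "
    "TargetURL='http://rp.example/protectedpage.html', AssertionID='_id1', "
    "LocalSubject='SAMLSubject nameQualifier=null format=#CTUID 'user2''] "
    "AssertingParty created artifact=ARTIFACT, for RelyinParty=appdrp.",
    "2005-07-07 16:09:44,800 CRITICAL - [SAML-RpSsoResponseExcep: "
    "SamlSsoRelyingPartyServiceBean.processSamlSsoResponse(); Cannot create ticket"
    "\\; nested exception is: User must be specified in the map] method ...",
    "2005-07-07 16:09:44,800 CRITICAL - [SAML-CantCreateToken: "
    "CtTicketPlugin.createTicketFromWebSsoContext(); user22; "
    "User must be specified in the map] method ...: Unable to create a cookie",
]

if __name__ == "__main__":
    print("AP subjects:", ap_subjects(SAMPLE_LOG))
    print("Missing at RP:", missing_at_rp(SAMPLE_LOG, ["admin", "user2"]))
```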
Legacy Article ID: a26954
