000035472 - RSA Identity Governance and Lifecycle SAML SSO failing with error 'Did not find user with attribute'

Document created by RSA Customer Support Employee on Sep 15, 2017. Last modified by RSA Customer Support Employee on Sep 15, 2017.
Version 3

Article Content

Article Number: 000035472
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2
 
Issue
RSA Identity Governance and Lifecycle SAML SSO fails. The following messages are logged to /home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log:

08/15/2017 12:15:44.583 INFO (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] SSOAuthenticator:getMasterEnterpriseUser(): Using column: userId
08/15/2017 12:15:44.587 ERROR (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] Did not find user with attribute: USER_ID = jdoe
08/15/2017 12:15:44.849 INFO (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] SSOAuthenticator: isAuthenticator failed. Reason: Found 0 assertions when expected 1
08/15/2017 12:15:44.849 ERROR (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] com.aveksa.server.authentication.AuthenticationProviderException: Found 0 assertions when expected 1


 
Cause
When a successful SAML authentication returns a value in an attribute, RSA Identity Governance and Lifecycle attempts to map that value to one of its users by looking it up in a corresponding RSA Identity Governance and Lifecycle user attribute. This error is generated if no matching user is found. If this occurs for all users, the most likely cause is a misconfiguration of the column used for resolution. In this instance, the error message indicates that the RSA Identity Governance and Lifecycle column USER_ID does not contain a record matching the string jdoe.
Resolution
  1. Ensure that the attribute returned from the SAML authentication source can be mapped directly to an RSA Identity Governance and Lifecycle user attribute value that corresponds to the same user.
  2. Enter the correct value for the UnifiedUserColumn on the SAML configuration page. The column name can be any valid user column in the table T_MASTER_ENTERPRISE_USERS. Possible columns include, but are not limited to, USER_ID, EMAIL_ADDRESS, or any custom user attribute mapped to a local user attribute, such as CUS_ATTR_USER_CAS_15, whose value is the same as the value of the attribute returned in the SAML assertion. Note that the user must be a valid user.
 

 
Notes
The following error message may also occur for reasons other than the one described in this article, because it only indicates that the authentication failed. Examine the other ERROR and INFO level messages associated with the error to determine the cause of the failure.
 
08/15/2017 12:15:44.849 ERROR (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] com.aveksa.server.authentication.AuthenticationProviderException: Found 0 assertions when expected 1
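
The triage described in the Cause and Notes sections, as an added example (not RSA's code): it reads aveksaServer.log lines in the layout shown above, collects per column the SAML values that matched no user, and flags generic "Found 0 assertions" failures that have no lookup miss just before them. The 2-second correlation window, the function name `triage`, and the sample lines marked as constructed are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the article's excerpt: date time LEVEL (thread) [class] message
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\w+) \(([^)]*)\) \[([^\]]+)\] (.*)$")
MISS = re.compile(r"Did not find user with attribute: (\w+) = (.+)$")
GENERIC = "Found 0 assertions when expected 1"
WINDOW = timedelta(seconds=2)  # assumption: both errors of one login land within 2 s

def triage(lines):
    """Return (misses, unexplained).
    misses: {column: set of SAML values that matched no user}
    unexplained: timestamps of generic failures with no lookup miss just before
    """
    misses, miss_times, generic_times = {}, [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "ERROR":
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        miss = MISS.search(m.group(5))
        if miss:
            misses.setdefault(miss.group(1), set()).add(miss.group(2).strip())
            miss_times.append(ts)
        elif GENERIC in m.group(5):
            generic_times.append(ts)
    # The two errors are logged on different threads, so correlate by time.
    unexplained = [t for t in generic_times
                   if not any(timedelta(0) <= t - mt <= WINDOW for mt in miss_times)]
    return misses, unexplained

A = "com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl"
H = "com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler"
E = "com.aveksa.server.authentication.AuthenticationProviderException: " + GENERIC
SAMPLE = [
    # first three lines: taken from the article's log excerpt
    f"08/15/2017 12:15:44.583 INFO (default task-97) [{A}] SSOAuthenticator:getMasterEnterpriseUser(): Using column: userId",
    f"08/15/2017 12:15:44.587 ERROR (default task-97) [{A}] Did not find user with attribute: USER_ID = jdoe",
    f"08/15/2017 12:15:44.849 ERROR (default task-99) [{H}] {E}",
    # constructed lines: a second user, then a failure with no lookup miss
    f"08/15/2017 12:20:01.102 ERROR (default task-12) [{A}] Did not find user with attribute: USER_ID = asmith",
    f"08/15/2017 12:20:01.390 ERROR (default task-14) [{H}] {E}",
    f"08/15/2017 12:31:10.000 ERROR (default task-20) [{H}] {E}",
]

if __name__ == "__main__":
    misses, unexplained = triage(SAMPLE)
    for column, values in misses.items():
        print(f"{column}: {len(values)} unmatched value(s): {sorted(values)}")
    for ts in unexplained:
        print(f"{ts}: generic failure without a lookup miss; read nearby messages")
```

Many distinct unmatched values under one column point toward the UnifiedUserColumn setting rather than a single missing user record.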
