RSA Identity Governance and Lifecycle SAML SSO failing with error "Did not find user with attribute"
Originally Published: 2017-08-15
Article Number
000045609
Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2

Issue
RSA Identity Governance and Lifecycle SAML SSO fails. The following messages are logged to /home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log:
08/15/2017 12:15:44.583 INFO (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] SSOAuthenticator:getMasterEnterpriseUser(): Using column: userId
08/15/2017 12:15:44.587 ERROR (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] Did not find user with attribute: USER_ID = jdoe
08/15/2017 12:15:44.849 INFO (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] SSOAuthenticator: isAuthenticator failed. Reason: Found 0 assertions when expected 1
08/15/2017 12:15:44.849 ERROR (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] com.aveksa.server.authentication.AuthenticationProviderException: Found 0 assertions when expected 1

Cause
After a successful SAML authentication, the value of the configured attribute in the SAML assertion is mapped to an RSA Identity Governance and Lifecycle user by matching it against a corresponding RSA Identity Governance and Lifecycle user attribute. This error is generated when RSA Identity Governance and Lifecycle fails to find a matching user. If the error occurs for all users, the most likely cause is a misconfiguration of the column used for resolution. In this instance the error message indicates that the RSA Identity Governance and Lifecycle column USER_ID contains no record whose value matches the string jdoe.
Resolution
  1. Ensure that the attribute returned from the SAML authentication source can be mapped directly to an RSA Identity Governance and Lifecycle user attribute value that belongs to the same user.
  2. Enter the correct value in the SAML configuration page for the UnifiedUserColumn. The column name can be any valid user column in the table T_MASTER_ENTERPRISE_USERS. Possible columns include, but are not limited to, USER_ID, EMAIL_ADDRESS, or any custom user attribute mapped to a local user attribute such as CUS_ATTR_USER_CAS_15, provided the column holds the same value as the attribute returned in the SAML assertion. Note that the matched user must be a valid user.
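To illustrate the resolution step, the following added example (not RSA's code) parses the "Did not find user with attribute" lines from aveksaServer.log and, against a constructed sample of T_MASTER_ENTERPRISE_USERS rows, reports which user column would have resolved the asserted value. The exact-match lookup is an assumed model of how the UnifiedUserColumn is used; the log excerpt and user rows are constructed data.

```python
import re

# Constructed sample rows of T_MASTER_ENTERPRISE_USERS (not real data).
SAMPLE_USERS = [
    {"USER_ID": "john.doe", "EMAIL_ADDRESS": "jdoe@example.com", "CUS_ATTR_USER_CAS_15": "jdoe"},
    {"USER_ID": "jsmith", "EMAIL_ADDRESS": "jsmith@example.com", "CUS_ATTR_USER_CAS_15": "jsmith"},
]

# Constructed log excerpt modelled on the lines quoted in the article.
SAMPLE_LOG = """\
08/15/2017 12:15:44.583 INFO (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] SSOAuthenticator:getMasterEnterpriseUser(): Using column: userId
08/15/2017 12:15:44.587 ERROR (default task-97) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] Did not find user with attribute: USER_ID = jdoe
"""

# Matches the column name and the SAML-supplied value in the failure message.
LOOKUP_FAILURE = re.compile(r"Did not find user with attribute: (?P<column>\w+) = (?P<value>\S+)")


def parse_lookup_failures(log_text):
    """Return (column, value) pairs for every failed SSO user lookup in the log."""
    return [(m.group("column"), m.group("value")) for m in LOOKUP_FAILURE.finditer(log_text)]


def resolve_user(rows, column, value):
    """Assumed model of the UnifiedUserColumn lookup: exactly one row must match."""
    matches = [r for r in rows if r.get(column) == value]
    return matches[0] if len(matches) == 1 else None


def candidate_columns(rows, value):
    """Columns in which exactly one user carries the asserted value."""
    cols = {c for r in rows for c in r}
    return sorted(c for c in cols if resolve_user(rows, c, value) is not None)


def diagnose(log_text, rows):
    """For each failed lookup, list the columns that would have resolved the SAML value."""
    return {f"{col}={val}": candidate_columns(rows, val) for col, val in parse_lookup_failures(log_text)}


if __name__ == "__main__":
    for failure, columns in diagnose(SAMPLE_LOG, SAMPLE_USERS).items():
        print(f"{failure}: candidate UnifiedUserColumn values -> {columns or 'none'}")
```

An empty candidate list means no user column carries the asserted value, so the SAML attribute itself (step 1) needs attention rather than the column setting (step 2).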

Notes
Note that the following error message may also occur for reasons other than the one described in this article, because it only indicates that authentication failed. Examine the other ERROR and INFO level messages logged with it to determine the cause of the failure.

08/15/2017 12:15:44.849 ERROR (default task-99) [com.aveksa.gui.pages.toolbar.login.SSOAuthenticatorHandler] com.aveksa.server.authentication.AuthenticationProviderException: Found 0 assertions when expected 1