In the FIM debug log the following exception appears:

2007-03-29 15:17:02,944 - exception:  com.rsa.csf.techservice.saml.plugins.SubjectMapperPluginException: local user name attribute value not found in X.509 name: CN=first.last,OU=webusers,DC=test,DC=org
 at com.rsa.csf.techservice.saml.plugins.CtX509SubjectMapperPluginRP.mapSamlToLocalSubject(Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;Ljava/util/Map;)Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;(Unknown Source)
 at com.rsa.csf.techservice.saml.common.SamlAssertionProcessor.mapSAMLSubject2LocalSubject(Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;Lcom/rsa/csf/domain/objects/RPAssertingParty;)Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;(Unknown Source)

A misconfiguration of the subject mapper plugin attribute is the likely cause for this exception.

In order to correct this or similar issues:

Identify the affected plugin. As you can see, the exception in raised within the class highlighted in red in the above section.

That class is used (by default) by the plugin "RSA_ClearTrust_X.509_Subject_Plug-in_RP", as you can see from "Class Name" field in FIM's management GUI (Configure System -> Plugins -> Manage Existing, look at the "Class Name" field for all plugins until you have a match).

Verify that the "ctUidX509RdnAttribute" is set to the correct value. By default this attribute is set to "uid". For the subject line

CN=first.last,OU=webusers,DC=test,DC=org

to be parsed correct this would need to be changed to "CN", for example ctUidX509RdnAttribute=cn

See also

      FIM 2.5 / 2.6 - How to run debug while running FIM as a service     FIM 2.5 / 2.6 - How to run debug while running FIM as a service