FIM error 'The name ID plug-in configuration for this format could not be retrieved'
2 years ago
Originally Published: 2011-09-12
Article Number
000046483
Applies To
RSA Federated Identity Mapping FIM 4.1
Issue
FIM error "The name ID plug-in configuration for this format could not be retrieved"

The following exception is generated by FIM:
2011-08-30 11:48:15,965, (SAML11AssertionConsumerServiceServlet.java:81), fim.rsa.com, , , , A ProfileException was encountered, com.rsa.fim.profile.sso.SSOProfileException: The name ID plug-in configuration for this format could not be retrieved
        at com.rsa.fim.profile.sso.SSOHelper.nullCheck(SSOHelper.java:394)

Cause
This error indicates that no nameID plugin is currently configured to handle the unspecified nameID type. Most of the default FIM 4.1 plugins are not configured to accept this nameID format. Since the data in the unspecified format could be of any type, it may not be obvious which plugin is appropriate. The customer may have to write their own plugin to handle assertions with this nameID format, but it is often possible to use one of the existing plugins.
Resolution
If the value passed as the nameID is parsable by one of the existing plugins, then all that is required is to modify the plugin.xml to accept the unspecified nameID format. For example, for a nameID in the format of a UID you can use the GenericNameIdPlugin plugin. Edit the plugin.xml file for the GenericNameIdPlugin plugin and add a line for the SAML 1.1 unspecified format. (Note that some SAML documentation incorrectly implies that there is a SAML 2.0 unspecified nameID format. The unspecified nameID is a SAML 1.1 format, although SAML 2.0 does support all of the SAML 1.1 formats.)
<StaticField Key="SupportedNameIDs">
    <Value>urn:oasis:names:tc:SAML:1.0:assertion#X509SubjectName</Value>
    <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Value>
    <!-- <Value>urn:oasis:names:tc:SAML:1.0:assertion#emailAddress</Value>
    <Value>urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName</Value> -->
</StaticField>
Once the plugin.xml has been modified you will need to restart FIM to support the new nameID type.
Create a new plugin definition in the FIM console.  Under the "Plugin configuration" tab enter "unspecified" as the "Local name ID Format".
Now when you go to the association page, under "Federated Identity Options" in the "Name Identifier Types" section you will see a new entry for the "unspecified Plug-in". Select this as the plugin to use for your partner association and the nameID should now be correctly parsed.
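Before restarting FIM, the edited plugin.xml can be checked offline against the nameID format the partner actually sends. The script below is an added example, not RSA code: it reads the SupportedNameIDs fragment shown above and a constructed SAML 1.1 Subject (the value "jdoe" and all function names are assumptions), treats commented-out Value lines as inactive, and applies the SAML 1.1 rule that a NameIdentifier without a Format attribute is in the unspecified format.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# SupportedNameIDs fragment as edited in this article.
PLUGIN_XML = """<StaticField Key="SupportedNameIDs">
<Value>urn:oasis:names:tc:SAML:1.0:assertion#X509SubjectName</Value>
<Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Value>
<!-- <Value>urn:oasis:names:tc:SAML:1.0:assertion#emailAddress</Value>
<Value>urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName</Value> -->
</StaticField>"""

# Constructed sample: the Subject of a SAML 1.1 assertion carrying a UID.
SAMPLE_SUBJECT = f"""<saml:Subject xmlns:saml="{SAML11_NS}">
  <saml:NameIdentifier Format="{UNSPECIFIED}">jdoe</saml:NameIdentifier>
</saml:Subject>"""


def supported_name_ids(plugin_xml):
    """Return the active nameID formats; XML comments are dropped by the parser."""
    root = ET.fromstring(plugin_xml)
    for field in root.iter("StaticField"):
        if field.get("Key") == "SupportedNameIDs":
            return {v.text.strip() for v in field.findall("Value") if v.text}
    return set()


def name_id_format(subject_xml):
    """Return the NameIdentifier format, defaulting to unspecified per SAML 1.1."""
    root = ET.fromstring(subject_xml)
    nid = next(root.iter(f"{{{SAML11_NS}}}NameIdentifier"), None)
    if nid is None:
        raise ValueError("no SAML 1.1 NameIdentifier element found")
    return nid.get("Format") or UNSPECIFIED


def plugin_accepts(plugin_xml, subject_xml):
    """True when the plugin lists the format used by the assertion subject."""
    return name_id_format(subject_xml) in supported_name_ids(plugin_xml)


if __name__ == "__main__":
    print("assertion format:", name_id_format(SAMPLE_SUBJECT))
    print("accepted by plugin:", plugin_accepts(PLUGIN_XML, SAMPLE_SUBJECT))
```

A result of False for the partner's assertion corresponds to the configuration that produces the exception shown under Issue.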

Workaround
The assertion is using a SAML 1.1 unspecified nameID format. The value is actually a UID with a string value.
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified