This topic has 4 replies, 2 voices, and was last updated 6 years, 3 months ago by Mirko Teodorovic.

     Mirko Teodorovic

    I’m having a problem figuring out this mapping thing in OpenAM.

    I have a configuration where a Hosted IDP and a remote SP are configured in a COT.

    I’ve configured it so that
    the NameID list in both the SP and the IDP contains urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    and the NameID Value Map in the IDP.

    I would expect that when I try to access a resource, the authentication request goes to the IDP,
    and that the IDP, after authentication, would ‘prepare’ a request to be sent to the ACS URL that is configured in the SP.

    I don’t get anything on the ACS, and instead I get the following stack trace:

    libSAML2:04/15/2016 03:53:47:756 AM EDT: Thread[http-bio-8080-exec-10,5,main]: TransactionId[67c891ab-f20a-492e-95b7-0299393e57b4-94]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
    at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(

    However, when I replace, in the IDP and SP settings,
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with

    and use urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail in the NameID Value Map,
    I receive a SAML response that contains a NameID which is the email address.

    So how do I make it so that uid is sent?

     Scott Heger

    Usually this means that OpenAM can’t find the attribute (uid in this case) for the authenticated user that it is trying to generate the NameID for. Check that the user has a “uid” attribute, and also check to see if “uid” is included in the list of attributes in your OpenAM Data Store.

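    The check Scott describes above (does the authenticated user actually have a value for the attribute the NameID Value Map points at?) can be done mechanically against the IdRepo debug output. The following is an added example, not code from this thread or from OpenAM itself: it parses the attrs={...} dump that AMIdentity.getAttributes writes, applies NameID Value Map entries of the form format=attribute (the shape the thread uses for emailAddress=mail), and reports whether a NameID value could be produced for a given format. It assumes that the first value of the mapped attribute is what becomes the NameID and that a missing or empty attribute is what the "Unable to generate NameID value" error corresponds to; the log line below is a constructed sample with a placeholder address, not the exact line posted.

```python
"""Diagnose SAML2 NameID Value Map failures from an OpenAM IdRepo debug dump.

Added example; the mapping semantics (format=attribute, first value wins,
missing attribute -> no NameID) are assumptions, not OpenAM source.
"""
import re

# Constructed sample of an AMIdentity.getAttributes line (trimmed, placeholder mail).
SAMPLE_LOG_LINE = (
    "AMIdentity.getAttributes all: attrs={uid=[testpass], "
    "dn=[uid=testpass,ou=people,dc=openam,dc=forgerock,dc=org], cn=[Test Pass], "
    "mail=[user@example.com], givenName=[test], inetUserStatus=[Active], "
    "objectClass=[inetorgperson, person, top], sn=[pass]}"
)

NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def parse_attrs(line):
    """Parse 'attrs={name=[v1, v2], name2=[...]}' into {name: [values]}.

    Values are separated by ', ' (comma + space) in the dump, which keeps a
    DN such as 'uid=x,ou=people,...' intact; attributes printed without
    brackets (e.g. 'userPassword=xxx') are ignored.
    """
    match = re.search(r"attrs=\{(.*)\}\s*$", line)
    if not match:
        raise ValueError("no attrs={...} block found in line")
    attrs = {}
    for name, raw in re.findall(r"(\w[\w-]*)=\[([^\]]*)\]", match.group(1)):
        attrs[name] = [v.strip() for v in raw.split(", ") if v.strip()]
    return attrs


def parse_value_map(entries):
    """Turn NameID Value Map entries ('format=attribute') into a dict."""
    mapping = {}
    for entry in entries:
        fmt, _, attr = entry.partition("=")
        if not fmt.strip() or not attr.strip():
            raise ValueError(f"malformed NameID Value Map entry: {entry!r}")
        mapping[fmt.strip()] = attr.strip()
    return mapping


def resolve_nameid(nameid_format, value_map, attrs):
    """Return (nameid_value, diagnostic); nameid_value is None when it cannot be built."""
    attr = value_map.get(nameid_format)
    if attr is None:
        return None, f"no NameID Value Map entry for {nameid_format}"
    values = attrs.get(attr, [])
    if not values:
        return None, (f"user profile has no value for attribute {attr!r} "
                      f"(mapped from {nameid_format}); check the user entry "
                      f"and the Data Store's attribute list")
    return values[0], f"{nameid_format} -> {attr} = {values[0]!r}"


def diagnose(line, map_entries, formats):
    """Run the resolution for every requested format; returns {format: (value, msg)}."""
    attrs = parse_attrs(line)
    value_map = parse_value_map(map_entries)
    return {fmt: resolve_nameid(fmt, value_map, attrs) for fmt in formats}


if __name__ == "__main__":
    report = diagnose(
        SAMPLE_LOG_LINE,
        [f"{NAMEID_UNSPECIFIED}=uid", f"{NAMEID_EMAIL}=mail"],
        [NAMEID_UNSPECIFIED, NAMEID_EMAIL,
         "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"],
    )
    for fmt, (value, msg) in report.items():
        print("OK  " if value else "FAIL", msg)
```

    Paste the real attrs={...} line from the IdRepo debug log into SAMPLE_LOG_LINE and the IDP's actual NameID Value Map entries into the list; a FAIL row for the format the SP requests is the condition that produces the stack trace above.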
     Mirko Teodorovic

    This is from the IdRepo debug log;
    it seems that uid is there:
    AMIdentity.getAttributes all: attrs={uid=[testpass], sun-fm-saml2-nameid-info=[newidp|emeabgdws215|[email protected]|newidp|urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress|null|null|IDPRole|false], dn=[uid=testpass,ou=people,dc=openam,dc=forgerock,dc=org], cn=[Test Pass], sun-fm-saml2-nameid-infokey=[newidp|emeabgdws215|[email protected]], createTimestamp=[20160407213624Z], userPassword=xxx…, modifyTimestamp=[20160415075534Z], mail=[[email protected]], givenName=[test], inetUserStatus=[Active], objectClass=[iplanet-am-managed-person, inetuser, sunFederationManagerDataStore, sunFMSAML2NameIdentifier, inetorgperson, devicePrintProfilesContainer, sunIdentityServerLibertyPPService, iplanet-am-user-service, iPlanetPreferences, forgerock-am-dashboard-service, organizationalperson, top, kbaInfoContainer, oathDeviceProfilesContainer, sunAMAuthAccountLockout, person, iplanet-am-auth-configuration-service], sn=[pass]}

     Scott Heger

    That looks like what was logged when you were using emailAddress, even though it does show the uid value. Set your mapping back to uid and then see what your Federation debug log says about it after you try again. Set your debug level to Message for the most verbose output.

     Mirko Teodorovic

    I’ve solved the problem by adding it in the attribute mapper for the SP and IDP.
