SAML Working OpenDJ but Not working with Active Directory

Tagged: , , ,

This topic has 1 reply, 2 voices, and was last updated 2 years, 1 month ago by Scott Heger.

  • Author
  • #28146

    OpenAM SAML working with OpenDJ but not working Active Directory(AD).

    Working details as follows.
    IDP – OpenAM
    Identity Store – OpenDJ

    Not Working details as follows.
    IDP – OpenAM
    Identity Store – Active Directory(AD)

    Authentication happening at IDP side(OpenAM) successfully after that getting 500 error in the browser and getting the below error in the Federation log.

    `libSAML2:07/28/2020 09:59:13:874 AM EDT: Thread[https-jsse-nio-8443-exec-2,5,main]: TransactionId[9fdfc9d0-5add-4f2e-bbbe-da67a4d76a7b-762]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.

    com.sun.identity.saml2.common.SAML2Exception: Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=16
    at com.sun.identity.saml2.common.AccountUtils.setAccountFederation(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache(
    at com.sun.identity.saml2.profile.IDPSSOFederate.process(
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(
    at org.apache.jasper.runtime.HttpJspBase.service(

     Scott Heger

    The key to resolving this is in this line:

    org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=16

    LDAP response code 16 is a LDAP_NO_SUCH_ATTRIBUTE response. That would indicate that AM is configured to use an attribute not known to AD. Check your Identity Store settings to ensure that all necessary attributes are defined in the User Configuration tab and ensure all attribute mappings in your SAML configuration map to valid attributes in AD. You can also check the user you are connecting to AD with and ensure it has visibility to the attributes you are using in SAML.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?