Cannot access RSA SecurID Access protected SAML application due to missing NameID
3 years ago
Originally Published: 2016-08-17
Article Number
000043866
Applies To
RSA Product Set:  SecurID Access
Issue
User successfully authenticates to the application portal but when they click on an application, an error is displayed in the portal:
,
Application appears to be improperly configured. Contact your Administrator for assistance.
Cause
The application's SAML configuration uses a NameID of, for example, email address and the user does not have an email address configured in their Identity Source/Directory Server.
Resolution
To investigate this error an administrator can view the IDR's /var/log/symplified/symplified.log and /var/log/symplified/symplified-audit.log, which can be obtained as described in the article on how to Generate and Download an Identity Router Log Bundle.

The symplified.log will contain an error similar to:
 
2016-08-17/14:46:40.292/UTC [ajp-apr-8009-exec-6] ERROR com.symplified.adapter.authn.Saml2PingDirectPostAssertionHandler[114] - Non-null and non-empty SAMLSubject NameID required for Saml Authentication

The symplified-audit.log will contain an error similar to:

TYPE=SAML
USERNAME=jpicard
APPLICATION=Ingo Demo SP
SESSION_ID=a76f6f63-adf4-4fc2-b4d2-25207f5e8ec5
RESULT=NOT_AUTHENTICATED
PROTECTED_APP_USERNAME=jpicard
MESSAGE=Non-null and non-empty SAMLSubject NameID required for Saml Authentication
DATETIME=Wed Aug 17 14:46:50 UTC 2016
EVENTID=USER_PROTECTED_APP_AUTHN
----------START_USER_PROTECTED_APP_AUTHN----------
2016-08-17/14:46:50.662/UTC [AuditEntryProcessor] INFO  AUDIT[64] -
----------END_USER_PROTECTED_APP_AUTHN----------

Ensure that the Administration Console application configuration contains the desired NameID specification and that the Identity Source/Directory Server contains the specified NameID attribute.
 
User-added image

Related Articles

Trending Articles

Don't see what you're looking for?