Error stack trace:
com.rsa.fim.profile.sso.SSOProfileException: The SAML authentication context is not mapped to a local authentication context. Please inspect your local Authentication Policy.
at com.rsa.fim.profile.sso.SSOProfileBean.processResponse(SSOProfileBean.java:2487)
at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.processResponse(SSOProfile_5wyj3w_EOImpl.java:100)
at com.rsa.fim.servlet.sso.AssertionConsumerService.doGet(AssertionConsumerService.java:64)
When an IdP sends an SSO message to an SP, the authentication methods used by the two parties need to match in some way. A mapping must exist that translates the generic, formal SAML method into the local mechanism implemented by the end system.
The problem can be seen if you follow these steps:
- Set up a sample system following chapter 9 of the RSA Federated Identity Manager 3.0 Installation and Configuration Guide
- Import metadata for an IdP from a non-RSA FIM system which uses urn:oasis:names:tc:SAML:2.0:ac:classes:Password as its authentication context
- Run a test between the systems
As part of a SAML Response message the IdP will send an authentication context as follows:
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
The problem is that no appropriate mapping has been configured in the FIM 3.0 configuration. By default, FIM 3.0 is configured to map only urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
Modify the FIM configuration to map the supplied SAML authentication mechanism as follows:
- Connect to the FIM 3.0 configuration (for example http://localhost:7001/fimconfig/)
- Select Policies -> Authentication -> Manage existing to display the list of available authentication policies
- Click on RSA Access Manager Authentication Policy and select Edit
- Click on the Map Authentication Methods tab
- Scroll down to the SAML to Local Authentication Methods section
- From the SAML Method pulldown menu select Password and on the Local Method pulldown menu select BASIC, then click Add
- This should add an entry to the listbox reading: urn:oasis:names:tc:SAML:2.0:ac:classes:Password maps to BASIC
Notice that the SAML authentication mechanism we have selected matches the value shown in the example above. Now the system should run correctly.
If the connection also works in the other direction, where a local method must be mapped to a SAML method, that mapping is made on the same form, in the section higher up the page.
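To confirm which authentication context an IdP is actually sending before changing the policy, a captured and decoded SAML Response can be checked against the intended mapping table. The script below is an added example, not RSA code: the function names, the sample response and the local method placeholder for the default entry are assumptions, and it only reads the context values (it does not validate signatures).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Hypothetical stand-ins for the "SAML to Local Authentication Methods" table.
# The page does not name the local method of the default entry, so a
# placeholder is used for it.
DEFAULT_MAP = {PPT: "LOCAL_METHOD_PLACEHOLDER"}
FIXED_MAP = {**DEFAULT_MAP, PASSWORD: "BASIC"}

# Constructed sample: a trimmed Response holding only what the check needs.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""

def authn_context_refs(response_xml):
    """Return every AuthnContextClassRef value in a decoded SAML Response."""
    # For troubleshooting captures only; use a hardened XML parser for
    # untrusted input in production code.
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.iterfind(path, SAML_NS)]

def check_mapping(response_xml, saml_to_local):
    """Split contexts into mapped ({saml: local}) and unmapped ([saml])."""
    mapped, unmapped = {}, []
    for ref in authn_context_refs(response_xml):
        # URIs are compared exactly: Password is not PasswordProtectedTransport.
        if ref in saml_to_local:
            mapped[ref] = saml_to_local[ref]
        else:
            unmapped.append(ref)
    return mapped, unmapped

if __name__ == "__main__":
    for name, table in (("default", DEFAULT_MAP), ("fixed", FIXED_MAP)):
        mapped, unmapped = check_mapping(SAMPLE_RESPONSE, table)
        print(f"{name}: mapped={mapped} unmapped={unmapped}")
```

Any value reported as unmapped is one that needs an entry in the SAML to Local Authentication Methods section.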