In FIM's debug log the following exception appears:

2007-03-29 15:17:02,944 - exception:  com.rsa.csf.techservice.saml.plugins.SubjectMapperPluginException: local user name attribute value not found in X.509 name: CN=first.last,OU=webusers,DC=test,DC=org
 at com.rsa.csf.techservice.saml.plugins.CtX509SubjectMapperPluginRP.mapSamlToLocalSubject(Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;Ljava/util/Map;)Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;(Unknown Source)
 at com.rsa.csf.techservice.saml.common.SamlAssertionProcessor.mapSAMLSubject2LocalSubject(Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;Lcom/rsa/csf/domain/objects/RPAssertingParty;)Lcom/rsa/csf/techservice/saml/opensaml/SAMLSubject;(Unknown Source)

A misconfiguration of the "" plugin attribute is the likely cause for this exception.

In order to correct this issue:

Identify the affected plugin. As you can see, the exception in raised within the class highlighted in red in the above section.

That class is used (by default) by the plugin "RSA_ClearTrust_X.509_Subject_Plug-in_RP", as you can see from "Class Name" field in FIM's management GUI (Configure System -> Plugins -> Manage Existing, look at the "Class Name" field for all plugins until you have a match).

Verify that in the Plug-In configuration screen the value of the "ctUidX509RdnAttribute" attribute is set correctly. By default this attribute is set to "uid". For the subject line

CN=first.last,OU=webusers,DC=test,DC=org

to be correctly parsed this would need to be changed to "CN".