Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Access Manager 3 Support Pack 1 applied
Situation
An administrator set up user provisioning between an Access Manager SAML 2 Identity Provider (IDP) and a remote SAML 2 Service Provider (SP). The provisioning rules were defined to create both the user object and the user's password automatically. When a user authenticated to the IDP server and was redirected to the SP, the following error was displayed in the browser:
Unable to complete authentication request.
Cause/Code: 300101041-D5AF8CA5FBDB5813
If this condition persists, please contact
your network adminstrator.
Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following additional information was given:
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: AM#300105004: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Provisioning Error: [LDAP: error code 50 - NDS error: no access (-672)]
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: Event Id: 3014668, Note 1: D832E1D17F9D54E2DD51F8C58E94B53C, Note 2: AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed, Note 3: https://ncsles9.lab.novell.com:8443/nidp/saml2/metadata, Numeric 1: 0
<amLogEntry> 2007-11-16T17:12:40Z VERBOSE NIDS Application: Session has consumed authentications: false
<amLogEntry> 2007-11-16T17:12:40Z INFO NIDS Application: AM#500105039: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Error on session id D832E1D17F9D54E2DD51F8C58E94B53C, error 300101041-D5AF8CA5FBDB5813, Unable to complete authentication request. AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed
Resolution
Make sure that the LDAP administrator account configured on the SP has sufficient rights to create user objects in the pre-defined container. In the above case, an LDAP proxy user was defined, and this user did not have enough rights to create new users in the appropriate container. Once this LDAP proxy user was granted write rights to the container, provisioning of the user worked fine.
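The catalina.out entries above are the evidence that points from the generic browser error (AM#300101041, "User account identification failed") back to its real cause (AM#300105004 with LDAP result code 50, insufficient access rights). The following script is an added triage example, not part of this TID or of the Access Manager product: it parses <amLogEntry> lines, groups them by the AMAUTHID session id, and reports the first LDAP error recorded for each session that ended in AM#300101041. The LDAP result code meanings are the standard RFC 4511 values; the sample log is the excerpt from this page with its 80-column wrapping undone so that each entry is one line, which is how entries appear in catalina.out itself.

```python
import re
from collections import defaultdict

# catalina.out excerpt from this TID, one <amLogEntry> per line (the page's copy
# is wrapped at 80 columns; the wrapping has been undone here).
SAMPLE_LOG = """\
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: AM#300105004: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Provisioning Error: [LDAP: error code 50 - NDS error: no access (-672)]
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: Event Id: 3014668, Note 1: D832E1D17F9D54E2DD51F8C58E94B53C, Note 2: AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed, Note 3: https://ncsles9.lab.novell.com:8443/nidp/saml2/metadata, Numeric 1: 0
<amLogEntry> 2007-11-16T17:12:40Z VERBOSE NIDS Application: Session has consumed authentications: false
<amLogEntry> 2007-11-16T17:12:40Z INFO NIDS Application: AM#500105039: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Error on session id D832E1D17F9D54E2DD51F8C58E94B53C, error 300101041-D5AF8CA5FBDB5813, Unable to complete authentication request. AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed
"""

ENTRY_RE = re.compile(
    r"^<amLogEntry>\s+(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+NIDS Application:\s*(?P<body>.*)$"
)
AM_CODE_RE = re.compile(r"AM#(\d{9})")
DEVICEID_RE = re.compile(r"AMDEVICEID#([0-9A-F]{16})")
# The session id appears as AMAUTHID#..., as "Note 1: ..." in event entries,
# and as "session id ..." in the final error entry; all three are accepted.
SESSION_RE = re.compile(r"(?:AMAUTHID#|Note 1: |session id )([0-9A-F]{32})")
LDAP_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")

# RFC 4511 resultCode values that typically show up in provisioning failures.
LDAP_RESULT_CODES = {
    32: "noSuchObject (target container DN does not exist)",
    49: "invalidCredentials (proxy user bind failed)",
    50: "insufficientAccessRights (proxy user lacks rights on the container)",
    68: "entryAlreadyExists (user object already present)",
}

USER_IDENT_FAILED = "300101041"  # AM# code behind the browser error on this page


def parse_entries(text):
    """Parse one <amLogEntry> per line into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        ldap = LDAP_RE.search(body)
        session = SESSION_RE.search(body)
        device = DEVICEID_RE.search(body)
        entries.append({
            "ts": m.group("ts"),
            "level": m.group("level"),
            "am_codes": AM_CODE_RE.findall(body),
            "authid": session.group(1) if session else None,
            "deviceid": device.group(1) if device else None,
            "ldap_code": int(ldap.group(1)) if ldap else None,
            "ldap_text": ldap.group(2) if ldap else None,
            "body": body,
        })
    return entries


def diagnose(entries):
    """Map each session that ended in AM#300101041 to the first LDAP error it logged."""
    by_session = defaultdict(list)
    for e in entries:
        if e["authid"]:
            by_session[e["authid"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        if not any(USER_IDENT_FAILED in e["am_codes"] for e in evs):
            continue  # session did not fail with the error this TID describes
        root = next((e for e in evs if e["ldap_code"] is not None), None)
        if root is None:
            findings[sid] = "AM#300101041 with no LDAP error recorded for the session"
            continue
        meaning = LDAP_RESULT_CODES.get(root["ldap_code"], "unrecognised LDAP result code")
        findings[sid] = (
            f"AM#300101041 preceded by provisioning error LDAP {root['ldap_code']}: "
            f"{meaning}; directory said '{root['ldap_text']}'"
        )
    return findings


if __name__ == "__main__":
    for sid, finding in diagnose(parse_entries(SAMPLE_LOG)).items():
        print(f"session {sid}: {finding}")
```

Run against a full catalina.out, the script lists every session that hit the browser error together with the LDAP result code that caused it, so a result code 50 (as on this page) points straight at the proxy user's rights on the container, while a 32 or 68 would indicate a different fix.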