Access Manager error 300101041 provisioning new users using SAML2

  • 3219302
  • 19-Nov-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Access Manager 3 Support Pack 1 applied

Situation

The administrator set up user provisioning between an Access Manager SAML 2 Identity Provider (IDP) and a remote SAML 2 Service Provider (SP). The provisioning rules were defined to auto-create both the user and the user's password. When a user authenticated to the IDP server and was redirected to the SP, the following error was displayed in the browser:

Unable to complete authentication request.
Cause/Code: 300101041-D5AF8CA5FBDB5813
If this condition persists, please contact your network adminstrator.

Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following additional information was logged:

<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: AM#300105004: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Provisioning Error: [LDAP: error code 50 - NDS error: no access (-672)]

<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: Event Id: 3014668, Note 1: D832E1D17F9D54E2DD51F8C58E94B53C, Note 2: AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed, Note 3: https://ncsles9.lab.novell.com:8443/nidp/saml2/metadata, Numeric 1: 0

<amLogEntry> 2007-11-16T17:12:40Z VERBOSE NIDS Application: Session has consumed authentications: false

<amLogEntry> 2007-11-16T17:12:40Z INFO NIDS Application: AM#500105039: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Error on session id D832E1D17F9D54E2DD51F8C58E94B53C, error 300101041-D5AF8CA5FBDB5813, Unable to complete authentication request. AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed


Resolution

Make sure that the LDAP account the SP uses for provisioning has sufficient rights to create users in the pre-defined container. In the above case, an LDAP proxy user was defined on the SP, and this user did not have enough rights to create new users in the appropriate container. Once the LDAP proxy user was granted write rights to that container, provisioning of the user worked fine.
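To trace the code a user reports in the browser back to the LDAP failure behind it, here is an added Python example (not part of this TID or the product) that parses amLogEntry lines of the kind shown above and correlates the session error with the provisioning error through the shared AMAUTHID. The sample log is constructed from this TID's excerpt with the line wrapping removed; the entry layout the regex expects and the event id 300105004 for the provisioning error are assumptions taken from that excerpt.

```python
import re

# Constructed sample of catalina.out entries from the TID's excerpt, unwrapped; not a real capture.
SAMPLE_LOG = """\
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: AM#300105004: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Provisioning Error: [LDAP: error code 50 - NDS error: no access (-672)]
<amLogEntry> 2007-11-16T17:12:40Z WARNING NIDS Application: Event Id: 3014668, Note 1: D832E1D17F9D54E2DD51F8C58E94B53C, Note 2: AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed, Note 3: https://ncsles9.lab.novell.com:8443/nidp/saml2/metadata, Numeric 1: 0
<amLogEntry> 2007-11-16T17:12:40Z VERBOSE NIDS Application: Session has consumed authentications: false
<amLogEntry> 2007-11-16T17:12:40Z INFO NIDS Application: AM#500105039: AMDEVICEID#D5AF8CA5FBDB5813: AMAUTHID#D832E1D17F9D54E2DD51F8C58E94B53C: Error on session id D832E1D17F9D54E2DD51F8C58E94B53C, error 300101041-D5AF8CA5FBDB5813, Unable to complete authentication request. AM#300101041: AMDEVICEID#D5AF8CA5FBDB5813: : User account identification failed
"""

# Entries that carry an event number plus device and authentication ids (assumed layout, per the excerpt).
ENTRY_RE = re.compile(
    r"<amLogEntry>\s+(?P<ts>\S+)\s+(?P<level>\w+)\s+NIDS Application:\s+"
    r"AM#(?P<event>\d+):\s+AMDEVICEID#(?P<device>[0-9A-Fa-f]+):\s+"
    r"AMAUTHID#(?P<auth>[0-9A-Fa-f]+):\s+(?P<msg>.*)")
LDAP_RE = re.compile(r"\[LDAP: error code (?P<code>\d+)(?: - (?P<detail>[^\]]*))?\]")
PROVISIONING_ERROR = "300105004"  # event id of the "Provisioning Error" entry in the excerpt
# Standard LDAP result codes (RFC 4511) commonly behind provisioning failures.
LDAP_RESULT_NAMES = {32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 68: "entryAlreadyExists"}

def parse_entries(text):
    """Return the structured entries (event, device, auth, msg) found in the log."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def explain_user_error(text, user_code):
    """Map the 'EVENT-DEVICEID' code shown in the browser to its root cause:
    the session error carrying that code, then the provisioning error for the
    same AMAUTHID and the LDAP result behind it. None if the code is not found."""
    event, _, device = user_code.partition("-")
    entries = parse_entries(text)
    session = next((e for e in entries if e["device"].upper() == device.upper()
                    and f"AM#{event}" in e["msg"]), None)
    if session is None:
        return None
    result = {"auth": session["auth"], "ldap_code": None,
              "ldap_name": None, "detail": None}
    for e in entries:
        if e["event"] == PROVISIONING_ERROR and e["auth"] == session["auth"]:
            m = LDAP_RE.search(e["msg"])
            if m:
                code = int(m["code"])
                result.update(ldap_code=code, detail=m["detail"],
                              ldap_name=LDAP_RESULT_NAMES.get(code, "unknown"))
            break
    return result
```

Running `explain_user_error(SAMPLE_LOG, "300101041-D5AF8CA5FBDB5813")` returns LDAP result 50 (insufficientAccessRights) with the NDS detail "no access (-672)", which is the rights problem the Resolution describes.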