SAML Auth Error Post Account Match

Hello

I have SAML auth working in my environment and am now doing an SP-initiated flow to handle redirects during login. I have a journey that initiates the flow to the IdP using a configuration script, and it will take me back to the /enduser screen post auth, but I am not seeing the other nodes in my journey (mainly debug-type nodes) and am seeing this error in the logs each time. Has anyone seen this before?

{"timestamp":"2024-05-21T01:45:28.751Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1717","trackingIds":["aa0126eb-881a-448d-ad6b-08833f99ab1d-1718","93084F0B01343C12FA3B896720299C8E","s2ceb7f7411cca8d4e7fd413ca0b7c8634432b19eb"],"userId":"id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config","client":{"ip":"10.1.92.196","port":42178},"server":{"ip":"10.1.92.221","port":8081},"http":{"request":{"secure":true,"method":"POST","path":"https://<removed>/am/Consumer/metaAlias/sp","headers":{"accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"content-type":["application/x-www-form-urlencoded"],"host":["<removed>"],"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"],"x-forwarded-for":["10.254.252.107"],"x-forwarded-host":["<removed>"],"x-forwarded-port":["443"],"x-forwarded-proto":["https"],"x-real-ip":["10.254.252.107"],"x-request-id":["3e51d31103c30ccbc04473cd03724f18"],"x-scheme":["https"]}}},"request":{"protocol":"SAML2","operation":"spAssertionConsumer"},"response":{"status":"SUCCESSFUL","statusCode":null,"elapsedTime":154,"elapsedTimeUnits":"MILLISECONDS"},"realm":"/","component":"SAML2","source":"audit","topic":"access","level":"INFO","_eventId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1727"} {"timestamp":"2024-05-21T01:45:28.922Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"},"logger":"com.sun.identity.sm.SMSEntry","message":"SMSEntry: Attempt by: id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config to read/modify entry: ou=default,ou=organizationconfig,ou=1.0,ou=sunidentityrepositoryservice,ou=services,ou=am-config has no permissions","context":"default","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"} 
{"timestamp":"2024-05-21T01:45:28.923Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"},"logger":"org.forgerock.openam.core.rest.server.ServerInfoResourceCommon","message":"Failed to get the distinct user id attributes for the configured identity stores in realm / ","context":"default","exception":"org.forgerock.openam.sm.exceptions.SmsAuthorizationException: Authorisation Exception. User does not have sufficient permission to perform operation: The user does not have permission to perform the operation.\n\tat com.sun.identity.sm.SMSEntry.getDelegationPermission(SMSEntry.java:1407)\n\tat com.sun.identity.sm.SMSEntry.read(SMSEntry.java:604)\n\tat com.sun.identity.sm.SMSEntry.read(SMSEntry.java:597)\n\tat com.sun.identity.sm.SMSEntry.<init>(SMSEntry.java:356)\n\tat com.sun.identity.sm.CachedSMSEntry.getInstance(CachedSMSEntry.java:385)\n\tat com.sun.identity.sm.ServiceConfigImpl.checkAndUpdatePermission(ServiceConfigImpl.java:712)\n\tat com.sun.identity.sm.ServiceConfigImpl.getFromCache(ServiceConfigImpl.java:703)\n\tat com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:581)\n\tat com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:562)\n\tat com.sun.identity.sm.ServiceConfigManagerImpl.getOrganizationConfig(ServiceConfigManagerImpl.java:221)\n\tat com.sun.identity.sm.ServiceConfigManager.getOrganizationConfig(ServiceConfigManager.java:266)\n\tat com.sun.identity.sm.ServiceConfigManager.getOrganizationConfig(ServiceConfigManager.java:283)\n\tat org.forgerock.openam.core.rest.server.ServerInfoResourceCommon.getUserIdAttributes(ServerInfoResourceCommon.java:230)\n\tat org.forgerock.openam.core.rest.server.ServerInfoResource.readInstance(ServerInfoResource.java:93)\n\tat org.forgerock.json.resource.InterfaceCollectionInstance.handleRead(InterfaceCollectionInstance.java:65)\n\tat 
org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.json.resource.Resources$CollectionInstanceIdContextFilter.filterRead(Resources.java:556)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.openam.rest.fluent.AuditFilter.filterRead(AuditFilter.java:187)\n\tat org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterRead(AuditFilterWrapper.java:82)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterRead(CrestLoggingFilter.java:158)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.ContextFilter.filterRead(ContextFilter.java:79)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.AuthenticationEnforcer.filterRead(AuthenticationEnforcer.java:174)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.openam.rest.ContextFilter.filterRead(ContextFilter.java:79)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.InternalConnection.readAsync(InternalConnection.java:81)\n\tat 
org.forgerock.json.resource.http.RequestRunner.visitReadRequest(RequestRunner.java:319)\n\tat org.forgerock.json.resource.http.RequestRunner.visitReadRequest(RequestRunner.java:92)\n\tat org.forgerock.json.resource.Requests$ReadRequestImpl.accept(Requests.java:600)\n\tat org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:159)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:263)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:252)\n\tat org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:796)\n\tat org.forgerock.json.resource.http.HttpAdapter.doRead(HttpAdapter.java:404)\n\tat org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:307)\n\tat org.forgerock.http.handler.Handlers$HandlerDescribableAsDescribableHandler.handle(Handlers.java:147)\n\tat org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:69)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.json.resource.http.HttpUtils.securityHeadersFilter(HttpUtils.java:832)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.cors.CorsFilter.filter(CorsFilter.java:91)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:87)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.rest.CsrfFilter.filter(CsrfFilter.java:96)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:59)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat 
org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:188)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.lambda$onValidateRequestSuccess$1(AuthenticationFramework.java:181)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:263)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:252)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:144)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:134)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:84)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:51)\n\tat org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:95)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:66)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat 
org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:282)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:623)\n\tat org.forgerock.openam.http.OpenAMHttpFrameworkServlet.service(OpenAMHttpFrameworkServlet.java:47)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:623)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.LargeCookieWarningFilter.doFilter(LargeCookieWarningFilter.java:48)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.lambda$doFilter$0(DataStoreConsistencyFilter.java:46)\n\tat org.forgerock.openam.service.datastore.ReentrantVolatileActionConsistencyController.safeExecute(ReentrantVolatileActionConsistencyController.java:37)\n\tat org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.doFilter(DataStoreConsistencyFilter.java:46)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.rest.ProtocolVersionFilter.doFilter(ProtocolVersionFilter.java:66)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SecureCookieFilter.doFilter(SecureCookieFilter.java:63)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:106)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:116)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:66)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)\n\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\n\tat 
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.base/java.lang.Thread.run(Thread.java:833)\n","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"} {"timestamp":"2024-05-21T01:45:28.924Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728","trackingIds":["aa0126eb-881a-448d-ad6b-08833f99ab1d-1718"],"userId":"id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config","client":{"ip":"10.1.92.196","port":42178},"server":{"ip":"10.1.92.221","port":8081},"http":{"request":{"secure":true,"method":"GET","path":"https://<removed>/am/json/serverinfo/*","headers":{"accept":["application/json, text/plain, */*"],"accept-api-version":["protocol=2.1,resource=1.0"],"host":["<removed>"],"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"],"x-forwarded-for":["10.254.252.107"],"x-forwarded-host":["<removed>"],"x-forwarded-port":["443"],"x-forwarded-proto":["https"],"x-real-ip":["10.254.252.107"],"x-request-id":["2e13d9153be6e4eb6eb5276a8fd67fa4"],"x-scheme":["https"]}}},"request":{"protocol":"CREST","operation":"READ"},"response":{"status":"SUCCESSFUL","statusCode":"","elapsedTime":8,"elapsedTimeUnits":"MILLISECONDS","detail":{"revision":"1352294782"}},"realm":"/","component":"Server Info","source":"audit","topic":"access","level":"INFO","_eventId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1732"}

Thanks
Nick
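One way to triage a log like the one above is to parse the JSON entries and tie the SAML assertion-consumer request to the SMS permission warnings that follow it. This is an added example, not code from this thread or from ForgeRock: it assumes only the field names visible in the pasted entries (eventName, transactionId, userId, logger, message, exception, request.protocol and request.operation), and the sample lines embedded below are constructed, shortened versions of those entries. The first sample line deliberately carries two JSON objects, as the pasted output did.

```python
"""Triage helper for ForgeRock AM JSON logs (added example, not ForgeRock code).

Finds SAML assertion-consumer requests that are followed, within a short
window, by SMSEntry "has no permissions" / SmsAuthorizationException
warnings, so the denied DN and the user DN can be read off together.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log, shortened from the entries in the post.
SAMPLE_LOG = """\
{"timestamp":"2024-05-21T01:45:28.751Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-1717","userId":"id=ce192e3a,ou=user,ou=am-config","http":{"request":{"method":"POST","path":"https://example.invalid/am/Consumer/metaAlias/sp"}},"request":{"protocol":"SAML2","operation":"spAssertionConsumer"},"response":{"status":"SUCCESSFUL"},"component":"SAML2"} {"timestamp":"2024-05-21T01:45:28.922Z","level":"WARN","logger":"com.sun.identity.sm.SMSEntry","message":"SMSEntry: Attempt by: id=ce192e3a,ou=user,ou=am-config to read/modify entry: ou=default,ou=organizationconfig,ou=1.0,ou=sunidentityrepositoryservice,ou=services,ou=am-config has no permissions","transactionId":"aa0126eb-1728"}
{"timestamp":"2024-05-21T01:45:28.923Z","level":"WARN","logger":"org.forgerock.openam.core.rest.server.ServerInfoResourceCommon","message":"Failed to get the distinct user id attributes for the configured identity stores in realm / ","exception":"org.forgerock.openam.sm.exceptions.SmsAuthorizationException: Authorisation Exception.","transactionId":"aa0126eb-1728"}
{"timestamp":"2024-05-21T01:45:28.924Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-1728","userId":"id=ce192e3a,ou=user,ou=am-config","http":{"request":{"method":"GET","path":"https://example.invalid/am/json/serverinfo/*"}},"request":{"protocol":"CREST","operation":"READ"},"response":{"status":"SUCCESSFUL"},"component":"Server Info"}
"""


def parse_events(text):
    """Return every JSON object in the text, even when several share one line."""
    decoder = json.JSONDecoder()
    events = []
    for line in text.splitlines():
        line = line.strip()
        pos = 0
        while pos < len(line):
            obj, end = decoder.raw_decode(line, pos)
            events.append(obj)
            pos = end
            # raw_decode does not skip whitespace, so step over it ourselves
            while pos < len(line) and line[pos].isspace():
                pos += 1
    return events


def _ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def is_saml_acs(event):
    """True for an audit event recording a SAML2 SP assertion-consumer request."""
    req = event.get("request", {})
    return (event.get("eventName") == "AM-ACCESS-OUTCOME"
            and req.get("protocol") == "SAML2"
            and req.get("operation") == "spAssertionConsumer")


def is_sms_denial(event):
    """True for a WARN entry that records a service-management permission denial."""
    if event.get("level") != "WARN":
        return False
    text = event.get("message", "") + event.get("exception", "")
    return "has no permissions" in text or "SmsAuthorizationException" in text


def correlate(events, window=timedelta(seconds=5)):
    """For each SAML ACS request, collect the SMS denials that follow it
    within `window`. Returns a list of findings, one per affected ACS request."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if not is_saml_acs(ev):
            continue
        t0 = _ts(ev)
        denials = []
        for later in events[i + 1:]:
            if _ts(later) - t0 > window:
                break
            if is_sms_denial(later):
                denials.append({
                    "transactionId": later.get("transactionId"),
                    "logger": later.get("logger"),
                    "message": later.get("message", "")[:120],
                })
        if denials:
            findings.append({
                "acs_transactionId": ev.get("transactionId"),
                "userId": ev.get("userId"),
                "denials": denials,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against a real AM log file by replacing SAMPLE_LOG with the file contents; the denial entries carry the transactionId of the later /json/serverinfo request rather than the ACS request, which is why the correlation is done on time order and not on transactionId alone.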

Hi @nick.hunt,
Based on this message in the error log

and this one

I tend to say it's coming from the configuration of your user store.
Could you share more information about your user store and your architecture, please?
Regards,
Steph.

@stephane.orluc Yeah, I went down that track also to try to figure out if it was a user issue, but I can still log in using the user/IdP-initiated sign-on, so I'm not sure what it is trying to look up in the journey / SP-initiated flow that I am using.

In terms of setup / user store, this is a ForgeOps install, so the user store is DS (OOTB setup) with IDM configured in the environment also.

Thanks
Nick

@nick.hunt Since you're using a standard deployment, I don't see what could cause the problem.
I think you should open a ticket.

Yeah, I have a ticket open on this also but was posting to see if anyone else had this issue.

Thanks
Nick
