SAML Auth Error Post Account Match

Hello

I have SAML auth working in my environment and now doing an SP initiated flow to handle redirects during login. I have a journey that initiates the flow to the IdP using a configuration script, and will take me back to the /enduser screen post auth, but am not seeing the other nodes in my journey (mainly debug type nodes) and seeing this error in the logs each time. Anyone see this before?

{"timestamp":"2024-05-21T01:45:28.751Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1717","trackingIds":["aa0126eb-881a-448d-ad6b-08833f99ab1d-1718","93084F0B01343C12FA3B896720299C8E","s2ceb7f7411cca8d4e7fd413ca0b7c8634432b19eb"],"userId":"id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config","client":{"ip":"10.1.92.196","port":42178},"server":{"ip":"10.1.92.221","port":8081},"http":{"request":{"secure":true,"method":"POST","path":"https://<removed>/am/Consumer/metaAlias/sp","headers":{"accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"content-type":["application/x-www-form-urlencoded"],"host":["<removed>"],"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"],"x-forwarded-for":["10.254.252.107"],"x-forwarded-host":["<removed>"],"x-forwarded-port":["443"],"x-forwarded-proto":["https"],"x-real-ip":["10.254.252.107"],"x-request-id":["3e51d31103c30ccbc04473cd03724f18"],"x-scheme":["https"]}}},"request":{"protocol":"SAML2","operation":"spAssertionConsumer"},"response":{"status":"SUCCESSFUL","statusCode":null,"elapsedTime":154,"elapsedTimeUnits":"MILLISECONDS"},"realm":"/","component":"SAML2","source":"audit","topic":"access","level":"INFO","_eventId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1727"} {"timestamp":"2024-05-21T01:45:28.922Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"},"logger":"com.sun.identity.sm.SMSEntry","message":"SMSEntry: Attempt by: id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config to read/modify entry: ou=default,ou=organizationconfig,ou=1.0,ou=sunidentityrepositoryservice,ou=services,ou=am-config has no permissions","context":"default","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"} {"timestamp":"2024-05-21T01:45:28.923Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"},"logger":"org.forgerock.openam.core.rest.server.ServerInfoResourceCommon","message":"Failed to get the distinct user id attributes for the configured identity stores in realm / ","context":"default","exception":"org.forgerock.openam.sm.exceptions.SmsAuthorizationException: Authorisation Exception. User does not have sufficient permission to perform operation: The user does not have permission to perform the operation.\n\tat com.sun.identity.sm.SMSEntry.getDelegationPermission(SMSEntry.java:1407)\n\tat com.sun.identity.sm.SMSEntry.read(SMSEntry.java:604)\n\tat com.sun.identity.sm.SMSEntry.read(SMSEntry.java:597)\n\tat com.sun.identity.sm.SMSEntry.<init>(SMSEntry.java:356)\n\tat com.sun.identity.sm.CachedSMSEntry.getInstance(CachedSMSEntry.java:385)\n\tat com.sun.identity.sm.ServiceConfigImpl.checkAndUpdatePermission(ServiceConfigImpl.java:712)\n\tat com.sun.identity.sm.ServiceConfigImpl.getFromCache(ServiceConfigImpl.java:703)\n\tat com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:581)\n\tat com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:562)\n\tat com.sun.identity.sm.ServiceConfigManagerImpl.getOrganizationConfig(ServiceConfigManagerImpl.java:221)\n\tat com.sun.identity.sm.ServiceConfigManager.getOrganizationConfig(ServiceConfigManager.java:266)\n\tat com.sun.identity.sm.ServiceConfigManager.getOrganizationConfig(ServiceConfigManager.java:283)\n\tat org.forgerock.openam.core.rest.server.ServerInfoResourceCommon.getUserIdAttributes(ServerInfoResourceCommon.java:230)\n\tat org.forgerock.openam.core.rest.server.ServerInfoResource.readInstance(ServerInfoResource.java:93)\n\tat org.forgerock.json.resource.InterfaceCollectionInstance.handleRead(InterfaceCollectionInstance.java:65)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.json.resource.Resources$CollectionInstanceIdContextFilter.filterRead(Resources.java:556)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.openam.rest.fluent.AuditFilter.filterRead(AuditFilter.java:187)\n\tat org.forgerock.openam.rest.fluent.AuditFilterWrapper.filterRead(AuditFilterWrapper.java:82)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.fluent.CrestLoggingFilter.filterRead(CrestLoggingFilter.java:158)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.ContextFilter.filterRead(ContextFilter.java:79)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.openam.rest.AuthenticationEnforcer.filterRead(AuthenticationEnforcer.java:174)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.Router.handleRead(Router.java:328)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:104)\n\tat org.forgerock.openam.rest.ContextFilter.filterRead(ContextFilter.java:79)\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:102)\n\tat org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:255)\n\tat org.forgerock.json.resource.InternalConnection.readAsync(InternalConnection.java:81)\n\tat org.forgerock.json.resource.http.RequestRunner.visitReadRequest(RequestRunner.java:319)\n\tat org.forgerock.json.resource.http.RequestRunner.visitReadRequest(RequestRunner.java:92)\n\tat org.forgerock.json.resource.Requests$ReadRequestImpl.accept(Requests.java:600)\n\tat org.forgerock.json.resource.http.RequestRunner.handleResult(RequestRunner.java:159)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:263)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:252)\n\tat org.forgerock.json.resource.http.HttpAdapter.doRequest(HttpAdapter.java:796)\n\tat org.forgerock.json.resource.http.HttpAdapter.doRead(HttpAdapter.java:404)\n\tat org.forgerock.json.resource.http.HttpAdapter.handle(HttpAdapter.java:307)\n\tat org.forgerock.http.handler.Handlers$HandlerDescribableAsDescribableHandler.handle(Handlers.java:147)\n\tat org.forgerock.http.filter.OptionsFilter.filter(OptionsFilter.java:69)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.json.resource.http.HttpUtils.securityHeadersFilter(HttpUtils.java:832)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.cors.CorsFilter.filter(CorsFilter.java:91)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:87)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.rest.CsrfFilter.filter(CsrfFilter.java:96)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:59)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:188)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.lambda$onValidateRequestSuccess$1(AuthenticationFramework.java:181)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:263)\n\tat org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:252)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:144)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:134)\n\tat org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:84)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:51)\n\tat org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:95)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:66)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:282)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:623)\n\tat org.forgerock.openam.http.OpenAMHttpFrameworkServlet.service(OpenAMHttpFrameworkServlet.java:47)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:623)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.LargeCookieWarningFilter.doFilter(LargeCookieWarningFilter.java:48)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.lambda$doFilter$0(DataStoreConsistencyFilter.java:46)\n\tat org.forgerock.openam.service.datastore.ReentrantVolatileActionConsistencyController.safeExecute(ReentrantVolatileActionConsistencyController.java:37)\n\tat org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.doFilter(DataStoreConsistencyFilter.java:46)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.rest.ProtocolVersionFilter.doFilter(ProtocolVersionFilter.java:66)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SecureCookieFilter.doFilter(SecureCookieFilter.java:63)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:106)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:110)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:116)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:66)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)\n\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.base/java.lang.Thread.run(Thread.java:833)\n","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728"} {"timestamp":"2024-05-21T01:45:28.924Z","eventName":"AM-ACCESS-OUTCOME","transactionId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1728","trackingIds":["aa0126eb-881a-448d-ad6b-08833f99ab1d-1718"],"userId":"id=ce192e3a-2c63-42d0-8c93-3d505d90fbef,ou=user,ou=am-config","client":{"ip":"10.1.92.196","port":42178},"server":{"ip":"10.1.92.221","port":8081},"http":{"request":{"secure":true,"method":"GET","path":"https://<removed>/am/json/serverinfo/*","headers":{"accept":["application/json, text/plain, */*"],"accept-api-version":["protocol=2.1,resource=1.0"],"host":["<removed>"],"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"],"x-forwarded-for":["10.254.252.107"],"x-forwarded-host":["<removed>"],"x-forwarded-port":["443"],"x-forwarded-proto":["https"],"x-real-ip":["10.254.252.107"],"x-request-id":["2e13d9153be6e4eb6eb5276a8fd67fa4"],"x-scheme":["https"]}}},"request":{"protocol":"CREST","operation":"READ"},"response":{"status":"SUCCESSFUL","statusCode":"","elapsedTime":8,"elapsedTimeUnits":"MILLISECONDS","detail":{"revision":"1352294782"}},"realm":"/","component":"Server Info","source":"audit","topic":"access","level":"INFO","_eventId":"aa0126eb-881a-448d-ad6b-08833f99ab1d-1732"}

Thanks
Nick

hi @nick.hunt,
Based on this message in the error log

and this one

I tend to say it’s coming from the configuration of your userstore.
Could you share more information about your user store and your architecture please ?
Regards,
Steph.

@stephane.orluc yeah, i went down that track also to try to figure out if was a user issue, but I can still login using the user / idp initiated sign-on so not sure what it is trying to look up in the journey / sp initiated flow that i am using.

In terms of setup / user store, this is a forgeops install so userstore is DS / OOTB setup with IDM configured in the environment also.

Thanks
Nick

@nick.hunt since you’re using standard deployment, I don’t see what could cause the problem.
I think you should open a ticket.

Yeah, I have a ticket open on this also but was posting to see if anyone else had this issue.

Thanks
Nick

1 Like

Hi nick.hunt, I wanted to follow up on the resolution provided by our support team regarding your issue. We would greatly appreciate any helpful information that could be shared with the community.

Thank you!
Sheila