
SSO fails with Login failed with unknown reason in AM/OpenAM (All versions)

Last updated Oct 19, 2018

The purpose of this article is to provide assistance if you encounter "Login failed with unknown reason" when Single Sign On (SSO) fails and AM/OpenAM is set up for SAML2 federation. You will also notice "Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95" in your logs.


Symptoms

The following error is shown in the Federation debug log when SSO fails:

libSAML2:06/21/2018 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-5,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
   at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1279)
   at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:431)
   at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)

The corresponding error is shown in the Authentication debug log when this happens:

amAccountLockout:06/21/2018 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-2,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742]
ERROR: Error inactivating user account
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception.  ldap errorcode=95

   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.newIdRepoException(DJLDAPv3Repo.java:2518)
   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2349)
   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2309)
   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:782)
   at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:731)
   at com.sun.identity.idm.server.IdServicesImpl.getAttributes(IdServicesImpl.java:676)
   at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(IdCachedServicesImpl.java:384)
   at com.sun.identity.idm.AMIdentity.getAttribute(AMIdentity.java:416)
   at com.sun.identity.common.ISAccountLockout.isAccountLocked(ISAccountLockout.java:640)
   at com.sun.identity.authentication.service.AMAccountLockout.isAccountLocked(AMAccountLockout.java:323)
   at com.sun.identity.authentication.service.LoginState.isAccountLocked(LoginState.java:3945)
   at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2560)
   at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:589)
   at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
   at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1232)
   at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1218)
   at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:250)
   at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1258)

The same error is seen if you select the affected user via the Identities page (previously the Subjects tab) in the console:

Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95

Recent Changes

N/A

Causes

The ldap errorcode=95 signifies that multiple matching entries exist. From Reference › LDAP Result Codes:

Unexpected Results Returned

The client-side result code indicating that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected. This is for client-side use only and should never be transferred over protocol.

This error is typically the result of naming conflicts that cannot be resolved automatically by replication. It commonly occurs when duplicate user entries share the same DN, which can be caused by concurrent updates to different user stores or by replication conflicts.

Solution

Naming conflicts that cannot be automatically resolved by replication can be identified by entries whose DN has been rewritten in the form entryuuid=entryUUID-value+original-RDN,original-parent-DN. You can use ldapsearch to find the conflicting entries and then resolve them manually as described in Administration Guide › Resolving Replication Conflicts.
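To see what the conflict DN form looks like in practice, the following added example (not part of this article or of ForgeRock's tooling) scans a constructed LDIF export, picks out entries whose RDN carries the entryuuid=...+ prefix, and groups them by the original DN they collide on, flagging the pairs that make AM's single-entry lookup return two matches. The placeholder UUIDs and the base DN dc=example,dc=com are assumptions.

```python
import re
from collections import defaultdict

# DN shape DS gives an entry it could not reconcile during replication:
#   entryuuid=<entryUUID-value>+<original-RDN>,<original-parent-DN>
CONFLICT_DN = re.compile(
    r"^entryuuid=(?P<uuid>[0-9a-f-]{36})\+(?P<rdn>[^,]+),(?P<parent>.+)$",
    re.IGNORECASE,
)

# Constructed sample export (unwrapped LDIF lines, placeholder UUIDs):
# bjensen was created on two replicas at once, so one copy was renamed.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
entryUUID: 11111111-1111-1111-1111-111111111111

dn: entryuuid=22222222-2222-2222-2222-222222222222+uid=bjensen,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
entryUUID: 22222222-2222-2222-2222-222222222222
"""

def parse_ldif_dns(ldif_text):
    """Collect the 'dn:' line of every entry in an unwrapped LDIF export."""
    return [line[4:].strip() for line in ldif_text.splitlines()
            if line.lower().startswith("dn: ")]

def classify_conflict(dn):
    """Return (original_dn, entryuuid) for a conflict entry, None otherwise."""
    m = CONFLICT_DN.match(dn)
    if not m:
        return None
    return f"{m.group('rdn')},{m.group('parent')}", m.group("uuid").lower()

def find_conflicts(ldif_text):
    """Group conflict entries by the DN they collide on and note whether the
    entry that kept the original DN is still present: both carry the same uid,
    so AM's lookup by uid gets two matches and fails with errorcode=95."""
    dns = parse_ldif_dns(ldif_text)
    present = set(dns)
    groups = defaultdict(list)
    for dn in dns:
        hit = classify_conflict(dn)
        if hit:
            groups[hit[0]].append(hit[1])
    return {orig: {"original_present": orig in present, "conflict_uuids": uuids}
            for orig, uuids in groups.items()}
```

Run it against an export-ldif dump of the user store to get a list of DNs to resolve; each entry in the result names the UUID(s) to inspect before deleting or renaming the surplus copy.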

See How do I find replication conflicts in DS/OpenDJ (All versions)? and How do I troubleshoot replication issues in DS/OpenDJ (All versions)? for further information on troubleshooting and resolving replication conflicts.

See Also

Data stores in AM/OpenAM

Replication in DS/OpenDJ

entryUUID Operational Attribute

Related Training

N/A

Related Issue Tracker IDs

OPENAM-13169 (group names having the same CN but different full Distinguished Name Path)



Copyright © 2018 ForgeRock, all rights reserved.