ForgeRock Identity Platform
Does not apply to Identity Cloud

SSO fails with Login failed with unknown reason in AM (All versions)

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you encounter "Login failed with unknown reason" when Single Sign On (SSO) fails and AM is set up for SAML2 federation. You will also notice "Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95" in your logs.


The following error is shown in the Federation debug log when SSO fails:

libSAML2:06/21/2018 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-5,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742] ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(
    at org.apache.jasper.runtime.HttpJspBase.service(
    at javax.servlet.http.HttpServlet.service(
    at org.apache.jasper.servlet.JspServletWrapper.service(
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(
    at org.apache.jasper.servlet.JspServlet.service(

The corresponding error is shown in the Authentication debug log when this happens:

amAccountLockout:06/21/2018 11:36:03:814 AM UTC: Thread[http-nio-10600-exec-2,5,main]: TransactionId[df44988f-eda9-46fa-b356-b72f2945cfcb-22742] ERROR: Error inactivating user account Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.newIdRepoException(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(
    at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(
    at com.sun.identity.idm.server.IdServicesImpl.getAttributes(
    at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(
    at com.sun.identity.idm.AMIdentity.getAttribute(
    at com.sun.identity.common.ISAccountLockout.isAccountLocked(
    at com.sun.identity.authentication.service.AMAccountLockout.isAccountLocked(
    at com.sun.identity.authentication.service.LoginState.isAccountLocked(
    at com.sun.identity.authentication.service.LoginState.searchUserProfile(
    at com.sun.identity.authentication.service.AMLoginContext.runLogin(
    at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(
    at com.sun.identity.authentication.AuthContext.submitRequirements(
    at com.sun.identity.authentication.AuthContext.submitRequirements(
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(

The same error is seen if you select the affected user via the Identities page (previously the Subjects tab) in the console:

Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered a ldap exception. ldap errorcode=95

Recent Changes



The ldap errorcode=95 signifies that multiple matching entries exist. From LDAP Reference › LDAP Result Codes:

Unexpected Results Returned

The client-side result code that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected. This is for client-side use only and should never be transferred over protocol.

This error is typically the result of naming conflicts that cannot be resolved automatically by replication. It commonly occurs when duplicate user entries share the same DN, which can be caused by concurrent updates to different user stores or by replication conflicts.


Naming conflicts that cannot be automatically resolved by replication can be identified by entries whose DN has been extended in the form entryuuid=entryUUID-value+original-RDN,original-parent-DN. You can use ldapsearch to find conflicting entries and then resolve them manually as illustrated in Configuration Guide › Replication Conflicts.
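The following script is an added example (not ForgeRock code) that shows the two checks described above in working form: it scans LDIF text for entries carrying the conflict DN form entryuuid=entryUUID-value+original-RDN,original-parent-DN and recovers the entryUUID and the original DN, and it reports which values of the AM lookup attribute (uid is assumed) match more than one entry, which is the condition under which DJLDAPv3Repo.getDN() receives multiple results and reports ldap errorcode=95. The LDIF in SAMPLE_LDIF is constructed for illustration; in practice you would feed the script the LDIF output of an ldapsearch or export against the AM user store.

```python
"""Locate DS replication naming conflicts and duplicate identities in LDIF text.

Added example, not ForgeRock code. SAMPLE_LDIF is constructed for illustration;
the lookup attribute defaults to uid, which is an assumption about the AM data store.
"""
import base64
import re
from collections import defaultdict

# DN form DS gives to an entry whose naming conflict replication could not resolve:
# entryuuid=<entryUUID value>+<original RDN>,<original parent DN>
CONFLICT_DN_RE = re.compile(
    r"^entryuuid=(?P<uuid>[0-9a-f-]{36})\+(?P<rdn>[^,]+),(?P<parent>.+)$",
    re.IGNORECASE,
)

# Constructed sample: bjensen exists twice (one copy renamed by DS after a conflict);
# scarter is a normal, unaffected entry.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen

dn: entryuuid=5d9a3c5e-7a4b-4c3d-9e0f-1a2b3c4d5e6f+uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen

dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
"""


def parse_ldif(ldif_text):
    """Return entries as {attribute: [values]} dicts (attribute names lower-cased).
    Handles folded continuation lines (leading space) and base64 'attr::' values;
    LDIF change records and other advanced syntax are out of scope here."""
    entries, current, logical = [], None, []

    def flush_line(line):
        nonlocal current
        if not line or line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):  # base64-encoded value, e.g. a non-ASCII cn
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":  # every entry starts with its dn line
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(name, []).append(value)

    for raw in ldif_text.splitlines() + [""]:
        if raw.startswith(" ") and logical:  # folded continuation of the previous line
            logical.append(raw[1:])
            continue
        flush_line("".join(logical))
        logical = [raw] if raw else []
    return entries


def find_conflicts(ldif_text):
    """Entries carrying the conflict DN form, with their entryUUID and original DN."""
    found = []
    for entry in parse_ldif(ldif_text):
        match = CONFLICT_DN_RE.match(entry["dn"][0])
        if match:
            found.append({
                "conflict_dn": entry["dn"][0],
                "entry_uuid": match.group("uuid").lower(),
                "original_dn": f"{match.group('rdn')},{match.group('parent')}",
            })
    return found


def duplicate_identities(ldif_text, attr="uid"):
    """Values of the lookup attribute that match more than one entry. A user listed
    here is one for whom a single-entry lookup returns multiple results (errorcode=95)."""
    by_value = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        for value in entry.get(attr.lower(), []):
            by_value[value].append(entry["dn"][0])
    return {value: dns for value, dns in by_value.items() if len(dns) > 1}


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LDIF):
        print(f"conflict: {c['conflict_dn']}")
        print(f"  original DN: {c['original_dn']}  entryUUID: {c['entry_uuid']}")
    for uid, dns in duplicate_identities(SAMPLE_LDIF).items():
        print(f"{uid} matches {len(dns)} entries: {dns}")
```

Run against the sample, the script reports the renamed bjensen entry with its original DN, and lists bjensen as the only uid resolving to two entries. Resolving the conflict (deciding which copy to keep, then deleting or renaming the other, as the DS Configuration Guide describes) removes the duplicate match and with it the errorcode=95 failure in AM.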

See How do I find replication conflicts in DS (All versions)? and How do I troubleshoot replication issues in DS 5.x and 6.x? for further information on troubleshooting and resolving replication conflicts.

See Also

Data stores in AM

Replication in DS

entryUUID Operational Attribute

Related Training


Related Issue Tracker IDs


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.