We have a PF installation, in which we are trying to setup OpenID Connect based SSO. We have the PF IdP connected to our internal Windows AD. When we try to request an Auth Code, to perform a Browser-based SSO, we get this exception:
Mapping into unique user key resulted in null or empty value from source attributes
This is what is present in the log file
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.LDAPUsernamePasswordCredentialValidator] search sAMAccountName=MYLOGIN
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=v15OJ5PwavFr0TTQqGGPxWrOjzUTXlkVKfVCB2yceOXN; path=/; maxAge=-1; domain=null} replacing Cookie{PF=v15OJ5PwavFr0TTQqGGPxWv76zVxxdpyURw82xJJBtXK; path=/; maxAge=-1; domain=null}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: v76zVxxdpyURw82xJJBtXK, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:SESSION)
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:last-activity)
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:first-activity)
2016-04-26 10:42:26,912 DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{pf-hfa-WatsonHTML-rmu=; path=/; maxAge=0; domain=null} replacing null
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.websso.authn.AdapterAuthnProcessor] adapterResponse=SUCCESS
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_KEY
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_NAME
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.AttributeMapping] Source attributes:{context.ClientIp=CLIP, context.OAuthScopes=openid, username=MYLOGIN, DN=CN=My Name,OU=Users,OU=xx,OU=xx,DC=xx,DC=yy,DC=co,DC=uk, org.sourceid.saml20.adapter.idp.authn.authnInst=1461663746912, context.ClientId=UAT-Watson, context.HttpRequest=/as/Z3XeL/resume/as/authorization.ping} Resulting attributes:{}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI ERROR [org.sourceid.oauth20.handlers.HandleAuthorizationRequest] Exception occurred during request processing
org.sourceid.websso.profiles.ProcessRuntimeException: Mapping into unique user key resulted in null or empty value from source attributes
at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:50) ~[pf-protocolengine.jar:?]
at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:38) ~[pf-protocolengine.jar:?]
I am confused on why it is getting NULL values for USER_KEY and USER_NAME, inspite of the IdP adapter reponse being SUCCESS.
Can someone help?
thanks
ok. I found the fix. In my IdP adapter mapping, I had USER_NAME mapped to displayName from Adapter. I changed it to the Text value of ${username}. This helped. But, still dont understand how/why this is the right thing to do.