
CA PAM as RP and SAML as IDP working for some users and not working for others


Article ID: 133994


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)


We have configured CA PAM + Okta for SSO, and it's working for some users but not for others. When we test the SAML logon from the PAM configuration page for an affected user, we get a PAM-CMN-0988 message similar to the following:

PAM-CMN-0988: The validation of the SAML assertion of user identity <username> from remote IdP succeeded but mapping the user to a SAML-enabled CA PAM account failed.


Applies to any supported PAM release as of July 2019.


The problem users were configured with their email address as the username in the SAML IdP. In PAM they had been imported from Active Directory, but none of the AD attributes that qualify as a user name for SAML mapping were set to the email address.


For the users whose SAML authentication failed, the user name sent in the SAML assertion did not match the DN, userPrincipalName or sAMAccountName of the corresponding LDAP user in PAM. Changing the login name in the IdP to the userPrincipalName resolved the problem.

In general PAM tries to match the user name provided for SAML authentication with the following attributes imported from AD:

Distinguished Name (DN)

userPrincipalName

sAMAccountName

There is a fourth attribute saved in PAM called "short name" that PAM compares the username with. If you have sAMAccountName or userPrincipalName configured as the unique attribute in the LDAP configuration in PAM, the short name will match the configured unique attribute. If neither one is defined as unique attribute, the short name will be derived from the DN as the substring between the first equal sign and the first comma, i.e. it should be equal to the CN (common name) of the user in AD.
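The following Python model, added here as an illustration and not code from CA PAM, reproduces the mapping rule described above: a SAML subject is matched against the imported DN, userPrincipalName and sAMAccountName, plus a short name that is either the configured unique attribute or the CN cut from the DN. The user records, the attribute names used as the `unique_attribute` parameter, and exact (case-sensitive) string comparison are assumptions made for the example; it shows why an email-address subject produces the PAM-CMN-0988 mapping failure while a userPrincipalName subject succeeds.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative model of the PAM matching rule from the article.
# Not CA PAM code; attribute names and comparison semantics are assumptions.


@dataclass(frozen=True)
class LdapUser:
    """A user as imported from AD into PAM (constructed sample data below)."""
    dn: str
    user_principal_name: str
    sam_account_name: str
    mail: str  # imported for reference; the article says it is NOT used for matching


def short_name(user: LdapUser, unique_attribute: Optional[str] = None) -> str:
    """Derive PAM's 'short name' as the article describes.

    If sAMAccountName or userPrincipalName is the configured unique attribute,
    the short name equals that attribute. Otherwise it is the substring of the
    DN between the first '=' and the first ',' (the CN for a typical AD DN).
    """
    if unique_attribute == "sAMAccountName":
        return user.sam_account_name
    if unique_attribute == "userPrincipalName":
        return user.user_principal_name
    start = user.dn.index("=") + 1
    end = user.dn.find(",", start)
    # A DN with a single RDN has no comma; take the rest of the string then.
    return user.dn[start:] if end == -1 else user.dn[start:end]


def map_saml_user(name_id: str, users, unique_attribute: Optional[str] = None
                  ) -> Optional[Tuple[str, LdapUser]]:
    """Map the user name from a validated SAML assertion to a PAM account.

    Returns (matched_attribute, user) on success, or None when no DN, UPN,
    sAMAccountName or short name equals the asserted name, which is the
    situation PAM reports as PAM-CMN-0988. Comparison is exact; the page does
    not say how PAM handles case, so none is assumed here.
    """
    for user in users:
        candidates = [
            ("DN", user.dn),
            ("userPrincipalName", user.user_principal_name),
            ("sAMAccountName", user.sam_account_name),
            ("short name", short_name(user, unique_attribute)),
        ]
        for attribute, value in candidates:
            if value == name_id:
                return attribute, user
    return None


# Constructed sample directory: one user whose mail attribute differs from the UPN.
SAMPLE_USERS = [
    LdapUser(
        dn="CN=jdoe,OU=Users,DC=example,DC=com",
        user_principal_name="jdoe@example.com",
        sam_account_name="jdoe",
        mail="john.doe@example.com",
    ),
]


if __name__ == "__main__":
    # IdP sends the email address: no attribute matches, mapping fails.
    print(map_saml_user("john.doe@example.com", SAMPLE_USERS))
    # IdP sends the userPrincipalName: mapping succeeds.
    print(map_saml_user("jdoe@example.com", SAMPLE_USERS))
```

Running the block shows `None` for the email-address subject and a match on `userPrincipalName` for the UPN subject, which is exactly the difference between the failing and working users in this article. To check a real deployment, compare the NameID value the IdP actually sends (visible in the SAML response) against the four attribute values PAM holds for that user.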