We have configured CA PAM + Okta for SSO and it's working for some users and not working for others. When we test the SAML logon from the PAM configuration page, we get a PAM-CMN-0988 message similar to the following:
PAM-CMN-0988: The validation of the SAML assertion of user identity <username> from remote IdP http://www.okta.com/xxxxxxxxxxxxxxxxx succeeded but mapping the user to a SAML-enabled CA PAM account failed.
Applies to any supported PAM release as of July 2019.
The user name used for SAML authentication did not match the DN, userPrincipalName or sAMAccountName of the LDAP user for which SAML authentication did not work. Changing the login name sent by the IdP to the userPrincipalName resolved the problem.
In general PAM tries to match the user name provided for SAML authentication with the following attributes imported from AD:
Distinguished Name
sAMAccountName
userPrincipalName
There is a fourth attribute saved in PAM called "short name" that PAM compares the username with. If you have sAMAccountName or userPrincipalName configured as the unique attribute in the LDAP configuration in PAM, the short name will match the configured unique attribute. If neither one is defined as unique attribute, the short name will be derived from the DN as the substring between the first equal sign and the first comma, i.e. it should be equal to the CN (common name) of the user in AD.
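The matching rule above, written out as an added Python model (this is illustrative code, not PAM's own implementation; the PamUser record, the function names, the exact string comparison and the sample accounts are assumptions):

```python
# Models how PAM maps the SAML NameID to an imported AD user: the NameID is
# compared against DN, sAMAccountName, userPrincipalName and the derived
# "short name". Not PAM's code; exact (case-sensitive) comparison is assumed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PamUser:
    dn: str
    sam_account_name: str
    user_principal_name: str


def short_name(user: PamUser, unique_attribute: Optional[str]) -> str:
    """Short name PAM stores for an imported user.

    Equals the configured unique attribute when that is sAMAccountName or
    userPrincipalName; otherwise the DN substring between the first '=' and
    the first ',' (normally the CN).
    """
    if unique_attribute == "sAMAccountName":
        return user.sam_account_name
    if unique_attribute == "userPrincipalName":
        return user.user_principal_name
    start = user.dn.find("=")
    end = user.dn.find(",")
    if start == -1:
        return user.dn
    if end == -1 or end < start:
        return user.dn[start + 1:]
    return user.dn[start + 1:end]


def map_saml_user(name_id: str, users: List[PamUser],
                  unique_attribute: Optional[str]) -> Optional[PamUser]:
    """Return the user matching the SAML NameID, or None (the PAM-CMN-0988
    case: assertion validated, but no SAML-enabled account maps to it)."""
    for u in users:
        candidates = {u.dn, u.sam_account_name, u.user_principal_name,
                      short_name(u, unique_attribute)}
        if name_id in candidates:
            return u
    return None


# Constructed sample directory (not real accounts).
USERS = [
    PamUser(dn="CN=Jane Doe,OU=Users,DC=example,DC=com",
            sam_account_name="jdoe",
            user_principal_name="jane.doe@example.com"),
]
```

A NameID such as a secondary e-mail that equals none of the four values yields None, which is the situation the error describes; sending the userPrincipalName from the IdP maps successfully.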