Getting "Unable to process logins" when using SAML 2.0 Authentication


Article ID: 257366


Products

CA Identity Manager

Issue/Introduction

When using SAML 2.0 Authentication, in this case an Okta-based SAML integration, CA Identity Manager (IDM) fails the login attempt with "Error: Unable to process logins. Please contact your administrator."

The server.log shows "Error invoking Velocity template:" raised by the OpenSAML HTTP-POST encoder, with the root cause being a missing OWASP ESAPI log factory class:

2023-01-08 11:52:34,602 ERROR [org.opensaml.saml2.binding.encoding.HTTPPostEncoder] (default task-1) Error invoking Velocity template: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ... 61 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory from [Module "deployment.iam_im.ear" from Service Module Loader] LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory from [Module "deployment.iam_im.ear" from Service Module Loader]

Environment

Release: 14.4

Cause

The "Service Provider Initiated Request Binding" in the SAML properties is set to HTTP-POST. With that binding, OpenSAML's HTTPPostEncoder renders the outgoing AuthnRequest as an auto-submitting HTML form through a Velocity template, and that template initializes the OWASP ESAPI encoder to escape the form values. ESAPI initialization fails because its configured log factory class, org.owasp.esapi.reference.JavaLogFactory, cannot be loaded from the class path of the deployed iam_im.ear module (the final ClassNotFoundException in the trace), so the encoder constructor throws and the login request is never sent to the IdP.

Resolution

Switching the "Service Provider Initiated Request Binding" from HTTP-POST to HTTP-Redirect resolves the error and allows the login to complete. The HTTP-Redirect binding DEFLATE-compresses and base64-encodes the AuthnRequest into the SingleSignOnService URL's query string and never invokes the Velocity template, so the ESAPI encoder is not initialized on this code path. This setting only changes how IDM sends the request to the IdP; before changing it, confirm that the imported IdP metadata advertises an HTTP-Redirect SingleSignOnService endpoint.

Additional Information

The bindings the IdP accepts for SP-initiated requests are advertised in the metadata imported for the SAML authentication: each SingleSignOnService element under IDPSSODescriptor carries a Binding attribute (for example urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST) and the Location to which the request must be sent. The "Service Provider Initiated Request Binding" selected in the SAML properties must be one of the bindings listed there.
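The following is an added example, not code from the article or from CA Identity Manager. It shows the check described above (which SingleSignOnService bindings an IdP's metadata advertises) and the difference between the two SP-initiated request bindings: HTTP-Redirect packs the AuthnRequest into the query string, while HTTP-POST has to render an escaped HTML form, which is the step that failed in the log above. The metadata document, entity IDs, URLs and request ID are constructed for the example; request signing (SigAlg/Signature for Redirect, an XML signature for POST) is omitted, as are the IdP's response and its validation.

```python
import base64
import html
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; the entity ID and endpoint URLs are hypothetical.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Map each SingleSignOnService Binding URI in the IdP metadata to its Location."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:SingleSignOnService"
    return {e.get("Binding"): e.get("Location") for e in root.iterfind(path, MD_NS)}


def binding_supported(metadata_xml, configured_binding):
    """Is the SP-initiated request binding configured on the SP one the IdP advertises?"""
    return configured_binding in sso_endpoints(metadata_xml)


def build_authn_request(sp_entity_id, acs_url, destination, request_id, issue_instant=None):
    """Minimal unsigned SP-initiated AuthnRequest. ProtocolBinding names how the IdP
    should return the Response to the ACS (HTTP-POST), independent of the request binding."""
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{html.escape(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{html.escape(destination)}" ProtocolBinding="{BINDING_POST}" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url)}">'
        f'<saml:Issuer>{html.escape(sp_entity_id)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_url(authn_request_xml, sso_location, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string.
    No HTML is rendered, so no template or HTML-escaping library is involved."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in sso_location else "?"
    return f"{sso_location}{sep}{urlencode(params)}"


def decode_redirect(url):
    """Reverse of redirect_url: returns (authn_request_xml, relay_state or None)."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def post_form_fields(authn_request_xml, relay_state=None):
    """HTTP-POST binding: base64 (no DEFLATE) carried in form fields."""
    fields = {"SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_post_fields(fields):
    """Reverse of post_form_fields: returns (authn_request_xml, relay_state or None)."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8"), fields.get("RelayState")


def post_form_html(sso_location, fields):
    """HTTP-POST binding needs an auto-submitting form; every attribute value must be
    HTML-escaped. OpenSAML does this via a Velocity template backed by OWASP ESAPI, which is
    the step that failed in the article; here the standard library's html.escape is used."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in fields.items()
    )
    return (
        f'<form method="post" action="{html.escape(sso_location)}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript></form>'
    )


if __name__ == "__main__":
    endpoints = sso_endpoints(SAMPLE_IDP_METADATA)
    for binding, location in endpoints.items():
        print(f"{binding.rsplit(':', 1)[1]:14} -> {location}")
    req = build_authn_request("https://sp.example.test/iam", "https://sp.example.test/acs",
                              endpoints[BINDING_REDIRECT], "_req1")
    print(redirect_url(req, endpoints[BINDING_REDIRECT], "rs1"))
    print(post_form_html(endpoints[BINDING_POST], post_form_fields(req, "rs1")))
```

Run against the real IdP metadata file by replacing SAMPLE_IDP_METADATA with its contents; if binding_supported() returns False for the binding configured in the SAML properties, the SP-initiated binding is not one the IdP accepts, independent of the ESAPI class-path problem shown in the trace.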