I am trying to implement IDP as a factor. I am using this doc as a guide. The SAML request and response seem to work fine, but there's a failure on the /saml/v1/sp/acs endpoint in AuthHub. It returns a 400 status code with the response body:
{"txnId":"04d468e7-1009-4d5e-9fed-f9cddc783920","clientTxnid":" ","error":"server_error","error_description":"The disambiguated user corresponding to the authenticated user by the Identity Provider is different from the user for which the policy was evaluated"}
I looked in the logs. The SAML response was verified, but for some reason there's an issue with matching the IDP authenticated user and the policy user. Here are a few key logs I found, which may provide more insight.
msg: The mapped user Attribute value(s)(based on spMappingAttribute), corresponding to the authenticated user by the IDP : null is different from the user XXXXXX for which the policy was evaluated in AuthHub
msg: For IdStoreConfig: 'null (siteminder)' : user login id attribute mapping name 'user_loginid', status encoding value 'siteminder', 'lockout' physical attribute = 'SMAUTHREASON', 'disabled' physical attribute = 'SMAUTHREASON'
Release: 2.1.2
VIP Authentication Hub
The issue is observed when there is a mismatch between the User Login attribute configured in the ID store and the one configured in AuthHub. spMappingAttribute must contain the name of the AuthHub (logical) attribute rather than the physical LDAP attribute; when a physical LDAP attribute name is used, the mapped attribute value for the IdP-authenticated user resolves to null (as in the log above) and can never match the user for which the policy was evaluated. In this case the issue was resolved by changing spMappingAttribute from uid to user_loginID.
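The following is an added, simplified model of the matching step behind that error; it is not VIP Authentication Hub code. The schema, LDAP entry, SAML assertion and function names are constructed assumptions, and it uses the lowercase attribute name user_loginid from the log line above. It shows why a physical LDAP name in spMappingAttribute reads back as null while the logical AuthHub name matches.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed ID-store schema: AuthHub logical attribute -> physical LDAP attribute
# (the log line above shows the login id mapped to the name 'user_loginid').
ID_STORE_SCHEMA = {"user_loginid": "uid", "mail": "mail"}

# Constructed LDAP entry for the user the IdP authenticated.
LDAP_ENTRY = {"uid": "jdoe", "mail": "jdoe@example.com", "SMAUTHREASON": "0"}

# Constructed SAML assertion as the IdP would post it to the ACS endpoint.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""


def authhub_user_record(ldap_entry: dict, schema: dict) -> dict:
    """The ID store adapter exposes only logical attribute names; physical
    LDAP names such as 'uid' are not keys of the resulting record."""
    return {logical: ldap_entry.get(physical) for logical, physical in schema.items()}


def idp_name_id(assertion_xml: str) -> str:
    """Extract the asserted subject from the (already verified) assertion."""
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text:
        raise ValueError("assertion has no Subject/NameID")
    return node.text


def resolve_idp_user(assertion_xml: str) -> dict:
    """Look up the asserted subject. In this model the subject is the mail
    attribute and there is a single constructed entry (hypothetical)."""
    name_id = idp_name_id(assertion_xml)
    record = authhub_user_record(LDAP_ENTRY, ID_STORE_SCHEMA)
    if record["mail"] != name_id:
        raise LookupError(f"no user with mail {name_id}")
    return record


def acs_check(assertion_xml: str, sp_mapping_attribute: str, policy_user: str) -> dict:
    """Compare the IdP-authenticated user's mapped attribute with the user the
    policy was evaluated for, mirroring the 400 returned by /saml/v1/sp/acs."""
    record = resolve_idp_user(assertion_xml)
    mapped = record.get(sp_mapping_attribute)  # None when a physical LDAP name is used
    if mapped != policy_user:
        return {"status": 400, "error": "server_error", "mapped_value": mapped}
    return {"status": 200, "mapped_value": mapped}
```

Calling acs_check(ASSERTION, "uid", "jdoe") returns the 400 result with mapped_value None, while acs_check(ASSERTION, "user_loginid", "jdoe") returns 200.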