After upgrading DX UIM to 23.4, I am no longer able to log in via SAML/SSO due to an "Invalid Credentials" error.
However, I can still log in directly with the same LDAP credentials.
In the wasp.log I can see that it is querying for my email address, but we only use screenName for logins.
Nov 21 15:08:40:477 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: (username)@(domain)
Nov 21 15:08:40:977 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: (username)@(domain)
This is failing because we do not use email addresses for logins, only usernames.
When logging in directly with LDAP, the log looks normal:
Nov 21 15:09:40:477 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: (username)
Nov 21 15:09:40:977 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: (username)
DX UIM 23.4.2, 23.4.1, 23.4.0
In SAML SSO login, the wasp probe automatically appends the domain name of the Active Directory domain from hub.cfg to verify the user against AD.
If your Active Directory configuration is set to validate by username only, the SSO login will fail.
This can be identified by the following key in hub.cfg:
<ldap>
   <templates>
      <Active Directory>
         format = $username
This will be resolved in DX UIM 23.4.3 (due in early 2025).
As a workaround, you can set the key to the following:
format = $username@$domain
For this to work, you must also ensure that each user's "mail" attribute in Active Directory is set to a value that matches the pattern sAMAccountName@domain.
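As an added example (not from this article or from Broadcom), the following Python check parses a constructed hub.cfg fragment for the Active Directory template format, flags the username-only setting that SAML SSO cannot match, and pulls the @domain lookups out of constructed wasp.log lines; the usernames and domain in the sample data are placeholders.

```python
import re

# Constructed hub.cfg fragment (not from a real system) showing the
# username-only Active Directory template that breaks SAML SSO in 23.4.x.
HUB_CFG = """
<ldap>
   <templates>
      <Active Directory>
         format = $username
      </Active Directory>
   </templates>
</ldap>
"""

# Constructed wasp.log lines; user and domain names are placeholders.
WASP_LOG = """
Nov 21 15:08:40:477 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: jdoe@corp.example
Nov 21 15:09:40:477 DEBUG [https-jsse-nio-443-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: jdoe
"""

def ad_template_format(cfg_text):
    """Return the 'format' value under <ldap><templates><Active Directory>
    in a Nimsoft-style cfg (nested <section> blocks with key = value lines)."""
    stack = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1])
        elif "=" in line and stack[-3:] == ["ldap", "templates", "Active Directory"]:
            key, _, value = line.partition("=")
            if key.strip() == "format":
                return value.strip()
    return None

def sso_will_fail(cfg_text):
    """SSO appends @domain to the user, so a template without $domain cannot match."""
    fmt = ad_template_format(cfg_text)
    return fmt is not None and "$domain" not in fmt

USER_FOUND = re.compile(r"LoginManager\] non-contact user found: (\S+)")

def lookups_with_domain(log_text):
    """Principals wasp looked up with an @domain suffix, i.e. the SSO lookups
    that a $username-only template will reject."""
    return [m.group(1) for m in USER_FOUND.finditer(log_text) if "@" in m.group(1)]

def mail_matches(sam_account_name, domain, mail):
    """Does the AD 'mail' attribute fit the sAMAccountName@domain pattern the workaround needs?"""
    return mail.lower() == f"{sam_account_name}@{domain}".lower()
```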