Authenticate call with 3rd party ID Token fails at user disambiguation

Article ID: 440140

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When you make an /authenticate call that passes a third-party ID token as existingIDToken, the call fails during user disambiguation. The logs show the following symptoms:

  • The initial disambiguation succeeds based on the mapped attribute, but a secondary disambiguation attempt fails.
  • The Identity Security Platform (IDSP) incorrectly selects the user's cn value (####) and searches for it with the xxx query filter, producing an error similar to:
       Unable to locate LDAP user in id store matching filter search query '(&(objectClass=inetorgperson)(xxx=####))'
  • The spMappingAttribute configured in the Identity Provider (IDP) and the lookup hint strategy are ignored.

Environment

Symantec Identity Security Platform (IDSP) 4.0.1

Cause

This issue occurs because the user disambiguation process for third-party tokens does not honor the spMappingAttribute configured in the IDP or the lookup hint strategy. Instead, the secondary lookup falls back to default search criteria (the user's cn value) that may not match the attribute your LDAP query filter searches on.

Resolution

This issue is targeted to be fixed in release 4.0.2.

Workaround

Until you can upgrade to the fixed version, you can work around the problem by modifying your LDAP query filter so that it matches on either the primary login identifier (xxx in the example above) or the cn attribute that the secondary disambiguation uses.

Update your LDAP configuration with the following filter structure:

  • ldapQueryStart: (|(xxx=${loginid})(cn=${loginid})
  • ldapQueryEnd: )

With this OR filter the secondary disambiguation phase locates the user even when the cn value is used as the search key. Disambiguation still requires exactly one matching entry, so before applying the workaround confirm that no user's cn value equals another user's xxx value; if such an overlap exists, the widened filter returns two entries and the lookup remains ambiguous.
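The following added example (not IDSP product code) simulates the disambiguation described in this article against a small constructed directory: it assembles a filter from ldapQueryStart and ldapQueryEnd, substitutes ${loginid}, and evaluates it against each entry. It shows why a lookup by the cn value fails with the original xxx-only filter, why the OR filter from the workaround succeeds, how the OR filter can become ambiguous when one user's cn equals another user's xxx, and why the substituted login ID should be RFC 4515-escaped. The attribute name xxx, the cn value ####, the directory entries and the assembly rule (plain concatenation, then substitution) are assumptions made for illustration, not documented IDSP behaviour.

```python
"""Simulated LDAP user disambiguation with a configurable filter.

Added example, not IDSP product code. It models the behaviour described in
the article: a filter assembled from ldapQueryStart + ldapQueryEnd with
${loginid} substituted, evaluated against a directory. The attribute name
"xxx", the cn value "####" and the directory entries are constructed
placeholders; the assembly rule (plain concatenation, then substitution)
is an assumption about the product, not documented behaviour.
"""
import re

# Filter shapes. ORIGINAL_* is reconstructed from the failing query in the
# article's error message (an assumption); WORKAROUND_* is the article's filter.
ORIGINAL_START = "(&(objectClass=inetorgperson)(xxx=${loginid})"
ORIGINAL_END = ")"
WORKAROUND_START = "(|(xxx=${loginid})(cn=${loginid})"
WORKAROUND_END = ")"

# Constructed directory: attribute names lower-cased, values as lists.
# The third entry has an xxx value equal to the second entry's cn, to show
# how an OR filter can turn a unique lookup into an ambiguous one.
DIRECTORY = [
    {"objectclass": ["inetOrgPerson"], "cn": ["####"], "xxx": ["alice@example.com"]},
    {"objectclass": ["inetOrgPerson"], "cn": ["bob"], "xxx": ["bob@example.com"]},
    {"objectclass": ["inetOrgPerson"], "cn": ["bobby"], "xxx": ["bob"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping, so a login ID cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(start, end, loginid):
    """Assemble ldapQueryStart + ldapQueryEnd and substitute the escaped login ID."""
    filt = (start + end).replace("${loginid}", escape_filter_value(loginid))
    if filt.count("(") != filt.count(")"):
        raise ValueError("unbalanced filter, check ldapQueryStart/ldapQueryEnd: " + filt)
    return filt


def parse_filter(s, pos=0):
    """Recursive-descent parser for the subset (&...), (|...), (attr=value).
    Returns (node, next_pos); equality values are compared literally (no wildcards)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    close = s.index(")", pos)
    attr, _, value = s[pos:close].partition("=")
    return ("=", attr.lower(), _unescape(value)), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def find_user(entries, start, end, loginid):
    """Disambiguate: exactly one hit is 'ok'; zero is 'not_found'; more is 'ambiguous'."""
    filt = build_filter(start, end, loginid)
    node, consumed = parse_filter(filt)
    if consumed != len(filt):
        raise ValueError("trailing data in filter: " + filt)
    hits = [e for e in entries if matches(node, e)]
    if len(hits) == 1:
        return "ok", hits[0]
    return ("not_found" if not hits else "ambiguous"), None


if __name__ == "__main__":
    # Secondary disambiguation by cn fails with the xxx-only filter ...
    print(find_user(DIRECTORY, ORIGINAL_START, ORIGINAL_END, "####")[0])
    # ... and succeeds once the OR filter from the workaround is in place.
    print(find_user(DIRECTORY, WORKAROUND_START, WORKAROUND_END, "####")[0])
    # The OR filter must still yield a unique entry.
    print(find_user(DIRECTORY, WORKAROUND_START, WORKAROUND_END, "bob")[0])
    # An injected value is escaped and treated as a literal.
    print(build_filter(WORKAROUND_START, WORKAROUND_END, "*)(cn=*"))
```

The ambiguity case is the check worth running against your own directory before applying the workaround: export the cn and login-attribute values and confirm that no value appears in both columns for different users. The escaping step is a reminder that whatever code substitutes ${loginid} must treat the token claim as untrusted input; the filter in the article is correct as written, but the value spliced into it must not be able to add its own parentheses.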