OAM 11g: OIF Authentication Fails With Error UNKNOWN_PRINCIPAL / 401 Unauthorized / Authentication instant was not sent from the authentication engine (Doc ID 1416854.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Identity Federation - Version 11.1.1.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Identity Federation (OIF) 11g as Identity Provider (IdP) has been configured with Oracle Access Manager (OAM) as OIF Authentication Engine.

Oracle HTTP Server (OHS) 11g is configured to proxy OIF requests. A WebGate (11g or 10.1.4.3) is installed with OHS 11g.

Both of the following have been tried:
1. OIF 'Oracle Access Manager' authentication engine configured.
2. OIF 'Oracle Single Sign On' authentication engine configured.

In both cases, when Start SSO button in the Test SP SSO (/fed/user/testspsso) page is pressed, after Identity Provider (IdP) login the following is displayed in the Test SP SSO results page:

SSO Authentication Result: Authentication Failed
....
SSO Secondary Status Code: UNKNOWN_PRINCIPAL



If OIF authentication is tested by another route, the following error is seen after IdP login credentials are submitted:

Error 401--Unauthorized

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.





The TRACE level OIF Service Provider (SP) diagnostic log shows an entry similar to the following, indicating that the IdP has returned the following authentication status code to the SP: urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal

[2012-02-03T05:29:46.387+00:00] [wls_oif1] [TRACE] [] [oracle.security.fed.util.soap.Unmarshaller] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004i0YPmqwE4MuMaELADUS0003gJ00031A,0:1] [SRC_CLASS: oracle.security.fed.util.soap.Unmarshaller] [APP: OIF#11.1.1.2.0] [SRC_METHOD: unmarshall] [URI: /fed/sp/art20] onEndElement() : Incoming SOAP Body <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-LfNUG-jlf8XeDWT5g3mUigml38k-" InResponseTo="id-IgQFsCKrFiUpY4YyIONspyJoAJs-" IssueInstant="2012-02-03T05:29:46Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp.oracle.com:7777/fed/idp</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-LfNUG-jlf8XeDWT5g3mUigml38k-"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>AsCiUX0/pTzm55GfXEk6nK2UoTU=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>XnKC/zbQ2dLGrQV8JWakBqx2324355X8EE6NxMAPUW9uX2bM7ZhpqyVENh9/FFCv6eiNLBlYN1EVfh4pC7EYg5DHheYrljUPXbAi4zVIWS73LRt6a00+AabyQkb8feZFkm47wg668s94RzjsEkYVmOoQn31B2d6WqySBmkY0tm804=</dsig:SignatureValue></dsig:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><samlp:Response ID="id-sTP0U6knsyYxS-PpIXQ2yJnDnxQ-" InResponseTo="id-1aX7b3ujqE2eI-PEIXeZ3hbLtk4-" IssueInstant="2012-02-03T05:29:46Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp.oracle.com:7777/fed/idp</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/></samlp:StatusCode></samlp:Status></samlp:Response></samlp:ArtifactResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>



The TRACE level OIF IdP diagnostic log shows entries similar to the following:

[2012-02-03T05:29:45.261+00:00] [wls_oif1] [WARNING] [FED-18051] [oracle.security.fed.http.handlers.authn.LoginRequestHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004i73dnGdQ4MuMaELADUS0004Lm000068,0:1] [APP: OIF#11.1.1.2.0] [URI: /fed/user/authnosso] Authentication instant was not sent from the authentication engine.

[2012-02-03T05:29:45.267+00:00] [wls_oif1] [TRACE] [] [oracle.security.fed.eventhandler.profiles.idp.sso.v20.AuthnRequestEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004i73dnGdQ4MuMaELADUS0004Lm000068,0:1] [SRC_CLASS: oracle.security.fed.eventhandler.profiles.idp.sso.v20.AuthnRequestEventHandler] [APP: OIF#11.1.1.2.0] [SRC_METHOD: perform] [URI: /fed/user/authnosso] UNKNOWN_PRINCIPAL







Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms