If OIF authentication is tested by another route, the following error is seen after IdP login credentials are submitted:
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
The TRACE level OIF Service Provider (SP) diagnostic log shows an entry similar to the following, indicating that the IdP has returned the following authentication status code to the SP: urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
The TRACE level OIF IdP diagnostic log shows entries similar to the following:
[2012-02-03T05:29:45.261+00:00] [wls_oif1] [WARNING] [FED-18051] [oracle.security.fed.http.handlers.authn.LoginRequestHandler] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004i73dnGdQ4MuMaELADUS0004Lm000068,0:1] [APP: OIF#18.104.22.168.0] [URI: /fed/user/authnosso] Authentication instant was not sent from the authentication engine.