IBM Support

CSIAC6274E Authentication failed due to a configured policy.

Troubleshooting


Problem

IBMid Federation support is enabled with IBM Order Management on Cloud (OMoC), but some users get the error "CSIAC6274E Authentication failed due to a configured policy." during the login process at the OMoC site.

Symptom

The OMoC user gets the error "CSIAC6274E Authentication failed due to a configured policy." and cannot reach the target OMS application console page.

Cause

CSIAC6274E indicates a problem with the policy configured for the user.

Diagnosing The Problem

To debug the issue, the user can use the following steps to capture the SAMLResponse value during the login process.

Chrome Browser

  1. Press F12 to start the developer console.
  2. Select the Network tab, and then select Preserve log. Make sure the Preserve log checkbox is selected.
  3. Reproduce the error, then right-click in the developer tools panel and select "Save as HAR". Save the file.

Firefox Browser

  1. Press F12 to start the developer console.
  2. In the upper right of the developer tools window, click options (the small gear icon). Under Common Preferences, select Enable persistent logs. Select the Network tab.
  3. Reproduce the issue, then right-click in the developer tools window, select "Save All As HAR", and save the file.

Open the captured HAR file in a text editor and search for "SAMLResponse" and its value. Decode the response value with a Base64 tool.

Review the user attributes that are included in the SAMLResponse. Example:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://login.ibm.com/saml/sps/saml20sp/saml20/login" ... >
       ....
        <saml:AttributeStatement>
            <saml:Attribute Name="country"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">ca</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="emailAddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">user@company_email</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="firstName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">FirstName</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="lastName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">LastName</saml:AttributeValue>
            </saml:Attribute>
            .....
         </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response> 
Make sure the required SAML attributes are configured as follows:

A) NameID Format set to emailAddress (your organization's Identity Provider (IdP) must set the NameID to the user's valid organizational email address).

B) Required attributes, with the exact names as follows (case sensitive):

firstName

lastName

emailAddress

country, for example US for the USA (ISO 3166-1 alpha-2 standard, case sensitive)
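
The capture, decode and review steps above can be scripted. The following is an added example, not IBM code: it pulls each SAMLResponse out of a parsed HAR, Base64-decodes it, and lists deviations from requirements A and B. It assumes the HTTP-POST binding with the form field recorded under postData.params, the standard emailAddress NameID format URI, and an upper-case country code; the function names and the sample data are constructed for illustration.

```python
import base64, re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "emailAddress", "country")  # exact names from the page
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def saml_responses(har):
    """Return the decoded XML of every SAMLResponse form field in a parsed HAR."""
    found = []
    for entry in har["log"]["entries"]:
        for p in entry["request"].get("postData", {}).get("params", []):
            if p["name"] == "SAMLResponse":  # value may still be URL-encoded in the HAR
                found.append(base64.b64decode(unquote(p["value"])))
    return found

def check_attributes(xml_bytes):
    """List deviations from the NameID and attribute requirements on this page."""
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD; refuse to parse one
        raise ValueError("unexpected DOCTYPE in SAMLResponse")
    root = ET.fromstring(xml_bytes)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    for name in REQUIRED:
        if not attrs.get(name):
            alike = [n for n in attrs if n != name and n.lower() == name.lower()]
            problems.append(f"{name}: sent as {alike[0]!r}" if alike else f"{name}: missing or empty")
    # Assumption: the code must be upper case, as in the page's "US" example.
    if attrs.get("country") and not re.fullmatch(r"[A-Z]{2}", attrs["country"]):
        problems.append(f"country: {attrs['country']!r} is not an upper-case alpha-2 code")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID: Format is not emailAddress")
    return problems

# Constructed sample: lower-case country and a mis-cased firstName attribute.
_ATTRS = "".join(
    f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
    for n, v in [("country", "ca"), ("Firstname", "F"), ("lastName", "L"),
                 ("emailAddress", "user@example.com")])
SAMPLE_XML = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{NS["saml"]}">'
              f'<saml:Assertion><saml:Subject><saml:NameID Format="{EMAIL_FMT}">user@example.com'
              '</saml:NameID></saml:Subject><saml:AttributeStatement>' + _ATTRS +
              '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_HAR = {"log": {"entries": [{"request": {"postData": {"params": [{
    "name": "SAMLResponse", "value": quote(base64.b64encode(SAMPLE_XML.encode()).decode())}]}}}]}}
if __name__ == "__main__":
    print(check_attributes(saml_responses(SAMPLE_HAR)[0]))
```

For a real capture, load the saved file with json.load and pass the result to saml_responses. The HAR holds the signed assertion and any session cookies from the login, so decode it locally and delete it once the attribute mapping is fixed.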

Resolving The Problem

The company IdP admin needs to review and configure the SAML claims for the user attributes to meet the OMoC IBMid Federation support requirements.

Document Location

Worldwide

Document Information

Modified date:
02 March 2023

UID

ibm16566131