Troubleshooting
Problem
Customer has federated their logons. In other words, users logon to Planning Analytics on Cloud (PAoC) via SAML authentication.
User launches PAoC and tries to logon. User receives error.
Problem only affects one user.
Symptom
FBTSML225E
FBTSTS313E The required SAML attribute [country] is missing or not valid
Cause
The SAML assertion returned by the customer's Identity Provider (IdP) either does not include a country code at all, or it includes an invalid country code.
- In other words, the SAML Assertion attribute (for the 'bad' user) is incorrect (invalid 'country code' value).
More Information:
A valid country code must have 2 characters.For more details, see "IBMid Enterprise Federation Adoption Guide" (link at end of this Technote). Most importantly, read the sections:
- "4. On-boarding - basic requirements"
- "5. On-boarding - detailed information required"
Diagnosing The Problem
If you are using Chrome or Firefox as a web browser you can perform a SAML Trace to gain more information.
- Specifically you can find out which country code (if any) is included in the SAML Assertion (which is triggering the error).
Resolving The Problem
Customer should contact the administrators of their Identity Provider (typically their I.T. department ), to modify the 'bad' user's attributes.
- In this case, the customer's I.T. department should change the value of the SAML Assertion attribute (for the 'bad' user).
Example:
If the customer is using 'Okta' (as their IdP) then the need to contact their Okta administrators (to make the change to the user's value).
Related Information
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
20 September 2021
UID
ibm10886553