An External Secret Store and Form Fill

When you create a user store on the Identity Server (Local > User Stores) and define it as an external Secret Store (Liberty > Web Service Provider > Credential Profile), some attributes are not created properly on the SAML affiliate object. The workaround is to open the user store configuration page (Local > User Stores) and then exit it. Exiting triggers a check that the schema, objects, and attributes exist, and the affiliate object is re-created from scratch if necessary.

The following attributes must exist on the affiliate object:

authsamlCertContainerDN (container holding the trusted certificates, for example: SCC Trusted Root.Security)
authsamlProviderID (identifier of the provider)
authsamlTrustedCertDN (list of trusted certificate(s))
authsamlValidAfter (180 seconds by default)
authsamlValidBefore (180 seconds by default)

If these attributes exist, the system works normally. However, if your Identity Server and Secret Store server are not synchronized to the same NTP server, clock skew between the two becomes a problem, because the validity times above bound how much skew is tolerated. As a workaround you can increase the 180-second default validity times. Because a larger value also widens the window in which an assertion is accepted, treat this as a temporary measure and correct the time synchronization.
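The following script is an added example and not part of the NetIQ documentation. It checks an LDIF dump of the affiliate object for the five attributes listed above and flags validity windows that have been widened as a time-synchronization workaround. The object DN, bind DN, host name and the sample LDIF contents are constructed for illustration; the ldapsearch command in the comment shows how you would obtain real input.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): verify that an LDIF dump of
# the SAML affiliate object carries the attributes the text lists, and flag
# validity windows that were widened to paper over a clock problem.
#
# For a live user store, produce the LDIF with something like this (the bind DN
# and the affiliate object DN are assumptions you must supply):
#   ldapsearch -H ldaps://user-store.example.com:636 -x -D "cn=admin,o=example" -W \
#       -b "<affiliate-object-dn>" -s base "(objectClass=*)" > affiliate.ldif

REQUIRED_ATTRS="authsamlCertContainerDN authsamlProviderID authsamlTrustedCertDN authsamlValidAfter authsamlValidBefore"

# check_affiliate_ldif FILE
# Prints "MISSING: <attr>" for each required attribute absent from FILE.
# Returns 0 when all are present, 1 otherwise.
check_affiliate_ldif() {
    _file=$1
    _rc=0
    for _attr in $REQUIRED_ATTRS; do
        if ! grep -qi "^${_attr}:" "$_file"; then
            echo "MISSING: $_attr"
            _rc=1
        fi
    done
    return $_rc
}

# ldif_value FILE ATTR
# Prints the first value of ATTR in FILE (LDAP attribute names are case-insensitive).
ldif_value() {
    grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | sed 's/^ *//'
}

# validity_window FILE MAXSECONDS
# Returns 0 when both authsamlValidAfter and authsamlValidBefore are integers no
# larger than MAXSECONDS; otherwise prints the offending value and returns 1.
validity_window() {
    _file=$1
    _max=$2
    for _attr in authsamlValidAfter authsamlValidBefore; do
        _val=$(ldif_value "$_file" "$_attr")
        case $_val in
            ''|*[!0-9]*) echo "BAD: $_attr='$_val' is not a number of seconds"; return 1 ;;
        esac
        if [ "$_val" -gt "$_max" ]; then
            echo "WIDE: $_attr=$_val exceeds the $_max second limit; fix NTP instead"
            return 1
        fi
    done
    return 0
}

# Constructed sample dumps (not real ldapsearch output) so the script runs offline.
GOOD_LDIF=$(mktemp)
BAD_LDIF=$(mktemp)
WIDE_LDIF=$(mktemp)
trap 'rm -f "$GOOD_LDIF" "$BAD_LDIF" "$WIDE_LDIF"' EXIT

cat >"$GOOD_LDIF" <<'EOF'
dn: cn=ExampleAffiliate,cn=SAML,o=example
authsamlCertContainerDN: cn=SCC Trusted Root,cn=Security
authsamlProviderID: https://idp.example.com/nidp/saml2/metadata
authsamlTrustedCertDN: cn=IDP Signing,cn=SCC Trusted Root,cn=Security
authsamlValidAfter: 180
authsamlValidBefore: 180
EOF

# The same object with two attributes missing, as the known issue produces.
grep -vi -e '^authsamlTrustedCertDN:' -e '^authsamlValidBefore:' "$GOOD_LDIF" > "$BAD_LDIF"

# The same object with the validity windows widened to mask clock skew.
sed 's/^\(authsamlValid[A-Za-z]*\): .*/\1: 900/' "$GOOD_LDIF" > "$WIDE_LDIF"

echo "== complete object =="
check_affiliate_ldif "$GOOD_LDIF" && echo "all required attributes present"
echo "== object from the known issue =="
check_affiliate_ldif "$BAD_LDIF" || echo "open and exit Local > User Stores to re-create the object"
echo "== validity windows =="
validity_window "$GOOD_LDIF" 300 && echo "validity windows at the default"
validity_window "$WIDE_LDIF" 300 || echo "validity windows widened; correct time synchronization"
```

Run the script against a real dump by replacing the constructed files with the output of the ldapsearch command in the header comment; the 300-second limit passed to validity_window is an illustrative threshold, chosen a little above the 180-second default so that modest tuning passes but a large widening is reported.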

If a firewall separates your LDAP user store from the Administration Console, TCP ports 524 (NCP) and 636 (LDAP over SSL) must be open so that the required objects can be created. For more information about ports and firewalls, see Setting Up Firewalls in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.