Verifying a successful exchange using counters

You can verify that your SAML SSO setup works by using the nsconmsg command: nsconmsg –g saml –d current. A successful authentication will result in the saml_assertion_verify_success counter going up:

Verifying a successful exchange using counters

Troubleshooting

Here are some areas you should focus on if your SAML SSO isn't working:

  • SAML, like Kerberos, is quite strict about time being correct, so verify date and time on the various devices and use NTP as a best practice.
  • Ensure that DNS is working correctly. The client must be able to successfully resolve and contact both the SP and the IDP.
  • Verify that the certificates that represent each entity are trusted by the others.
  • If users might report 404 page not found errors when accessing the page, verify that the SAML redirect URL is configured correctly on the profile.
  • Canonicalization, as we discussed, is a critical piece in this integration, to ensure that validation works correctly. To identify if you are running into canonicalization issues, look for the following counters going up:
    • saml_assertion_parse_fail
    • saml_signature_verify_fail
    • saml_canonicalize_fail
    • saml_digest_verify_fail

    The syntax would be:

     nsconmsg –g <one of counters above > -d current
      e.g. nsconmsg –g saml_canonicalize_fail –d current
    
  • Look up the ns.log (/var/log/ns.log) while reproducing the issue. There is a good level of detail here around requests and errors for users authenticating using SAML. In the following screenshot we see that the authentication failed because a signed assertion was expected, but instead was received without any signing info:
    Troubleshooting
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.135.197.33