SystemAdmin
6772 Posts

Pinned topic Help debugging AAA - authenticated-user vs username

‏2012-12-13T00:44:58Z |
We think we know the answer to this, but just want to confirm. We're trying to figure out where the AAA action is failing in what amounts to a relatively complex AAA action.

We have an AAA policy that accepts a SAML Assertion with a signature. When we look at the context variables after the AAA action, we can see that 'var://context/WSM/identity/username' was extracted correctly, but that 'var://context/WSM/identity/authenticated-user' is an empty string.

Does this mean the signature was invalid, i.e. the authentication failed?
  • SystemAdmin
    6772 Posts

    Re: Help debugging AAA - authenticated-user vs username

    ‏2012-12-13T14:39:34Z  
    Not necessarily. The best way to determine if the signature was invalid is to look at the logs from the transaction. Try setting the log level to debug and turn the probe on. You can look at the logs for a single transaction to see if the signature verification succeeded or failed. There are also some context variables available in the context after AAA that hold the output from each step.
  • SystemAdmin
    6772 Posts

    Re: Help debugging AAA - authenticated-user vs username

    ‏2012-12-13T20:24:05Z  
    Thanks Peter. We had turned it all on, but no message on the signature being invalid. Because we were so focused on thinking that's what we should see, we weren't paying attention to the fact that the time stamp had expired... our NTP was down and the DP time was off by about 3 minutes.
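    Added example (not code from the thread or from DataPower): a small Python check that separates the NameID extraction (what feeds 'username') from the SAML Conditions time-window test (one of the steps that gates 'authenticated-user'), and shows how the three-minute clock drift described above turns a good assertion into an "expired" one. The assertion XML, issuer, NameID and timestamps are constructed for the example.

```python
"""Check a SAML assertion's validity window against a possibly skewed clock.

Constructed example: the assertion below is made up for illustration; the
three-minute offset mirrors the NTP drift described in the thread.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: valid from one minute before to two minutes after issue.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2012-12-13T20:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-12-13T19:59:00Z"
                   NotOnOrAfter="2012-12-13T20:02:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime,
                     skew: timedelta = timedelta(0)) -> str:
    """Return 'ok', 'not-yet-valid' or 'expired' for the Conditions window.

    `skew` is the tolerance the verifier grants in either direction; a
    gateway whose clock has drifted needs it, or the assertion is rejected.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return "no-conditions"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "ok"


def extract_username(assertion_xml: str) -> str:
    """The NameID is extracted regardless of whether the window check passes."""
    root = ET.fromstring(assertion_xml)
    return root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)


if __name__ == "__main__":
    idp_now = datetime(2012, 12, 13, 20, 0, 30, tzinfo=timezone.utc)
    dp_clock = idp_now + timedelta(minutes=3)  # gateway clock drifted 3 min ahead
    print(extract_username(ASSERTION), check_conditions(ASSERTION, idp_now))   # jdoe ok
    print(extract_username(ASSERTION), check_conditions(ASSERTION, dp_clock))  # jdoe expired
```

    The username still comes out of the assertion when the window check fails, which is exactly the symptom in the first post: a populated 'username' next to an empty 'authenticated-user' says nothing by itself about the signature.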
  • kenhygh
    1577 Posts

    Re: Help debugging AAA - authenticated-user vs username

    ‏2012-12-13T21:42:21Z  
    OOH, a nasty one. I've run into that one before. Very tricky.

    Ken