We think we know the answer to this, but just want to confirm. We're trying to figure out where the AAA action is failing on what amounts to a relatively complex AAA action.
We have an AAA policy that accepts a SAML assertion with a signature. When we look at the context variables after the AAA action, we can see that 'var://context/WSM/identity/username' was extracted correctly, but that 'var://context/WSM/identity/authenticated-user' is an empty string.
Does this mean the signature was invalid, i.e. the authentication failed?
3 replies Latest Post - 2012-12-13T21:42:21Z by kenhygh
Pinned topic Help debugging AAA - authenticated-user vs username
Re: Help debugging AAA - authenticated-user vs username
2012-12-13T14:39:34Z, in response to SystemAdmin

Not necessarily. The best way to determine if the signature was invalid is to look at the logs from the transaction. Try setting the log level to debug and turn the probe on. You can look at the logs for a single transaction to see if the signature verification succeeded or failed. There are also some context variables available in the context after AAA that hold the output from each step.
Re: Help debugging AAA - authenticated-user vs username
2012-12-13T20:24:05Z, in response to SystemAdmin

Thanks Peter. We had turned it all on, but no message on the signature being invalid. Because we were so focused on thinking that's what we should see, we weren't paying attention to the fact that the time stamp had expired... our NTP was down and the DP time was off by about 3 minutes.
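The root cause in this thread was clock drift, not a bad signature: a SAML assertion is only accepted between its Conditions/@NotBefore and @NotOnOrAfter, so a verifier whose clock is a few minutes off rejects a freshly issued assertion even though the signature verifies. The following is an added example, not code from the thread or from DataPower; the assertion, the clock offsets and the skew tolerance are constructed for illustration.

```python
"""Check SAML Conditions timestamps against the verifier's clock, with an
allowed clock-skew tolerance (added example; assertion below is constructed)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: a 2-minute validity window around IssueInstant.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2012-12-13T20:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-12-13T19:59:30Z"
                   NotOnOrAfter="2012-12-13T20:01:30Z"/>
</saml:Assertion>"""
ISSUE_INSTANT = datetime(2012, 12, 13, 20, 0, 0, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew):
    """Return (ok, reason). 'skew' widens the validity window on both sides."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        return False, f"not yet valid: NotBefore={not_before}"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        return False, f"expired: NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


def gateway_check(clock_offset_minutes, skew_minutes):
    """Simulate a verifier whose clock is off by clock_offset_minutes from the IdP."""
    now = ISSUE_INSTANT + timedelta(minutes=clock_offset_minutes)
    return check_conditions(ASSERTION, now, timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    print(gateway_check(0, 0))   # clocks agree: accepted
    print(gateway_check(3, 0))   # verifier 3 min ahead, no tolerance: expired
    print(gateway_check(3, 5))   # same drift, 5 min skew allowance: accepted
    print(gateway_check(-3, 0))  # verifier 3 min behind: not yet valid
```

A rejection with this reason and no signature error in the logs is the pattern the second reply describes, and a small skew allowance plus working NTP addresses it.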