Help debugging AAA - authenticated-user vs username

3 replies. Latest post 2012-12-13T21:42:21Z by kenhygh.

SystemAdmin, 2012-12-13T00:44:58Z:
We think we know the answer to this, but just want to confirm. We're trying to figure out where the AAA action is failing on what amounts to a relatively complex AAA action.

We have an AAA policy that accepts a SAML Assertion with a signature. When we look at the context variables after the AAA action, we can see that 'var://context/WSM/identity/username' was extracted correctly, but that 'var://context/WSM/identity/authenticated-user' is an empty string.

Does this mean the signature was invalid, i.e. the authentication failed?

Updated on 2012-12-13T21:42:21Z by kenhygh.
SystemAdmin, 2012-12-13T14:39:34Z, in response to SystemAdmin:

Not necessarily. The best way to determine if the signature was invalid is to look at the logs from the transaction. Try setting the log level to debug and turn the probe on. You can look at the logs for a single transaction to see if the signature verification succeeded or failed. There are also some context variables available in the context after AAA that hold the output from each step.
SystemAdmin, 2012-12-13T20:24:05Z, in response to SystemAdmin:

Thanks Peter. We had turned it all on, but no message on the signature being invalid. Because we were so focused on thinking that's what we should see, we weren't paying attention to the fact that the time stamp had expired... our NTP was down and the DP time was off by about 3 minutes.
kenhygh, 2012-12-13T21:42:21Z, in response to SystemAdmin:

OOH, a nasty one. I've run into that one before. Very tricky.

Ken
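The symptom in this thread (username extracted, authenticated-user empty, no signature error, verifier clock a few minutes off) is exactly what a relying party's validity-window check produces when its clock has drifted from the IdP's. As an added example that is not part of the thread and not DataPower code, the following Python evaluates a SAML 2.0 assertion's Conditions against the verifier's own clock with an optional skew tolerance and reports the reason for rejection; the assertion XML, the subject name and the clock readings are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, reduced to what the window check needs. The IdP
# issued it at 20:00:00Z with a five-minute lifetime.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-12-13T20:00:00Z"
                   NotOnOrAfter="2012-12-13T20:05:00Z"/>
</saml:Assertion>
"""

def parse_ts(s):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % s)

def check_validity_window(assertion_xml, now, skew=timedelta(0)):
    """Return (username, status); status is 'ok', 'expired' or
    'not-yet-valid'. `now` is the verifier's own clock and `skew` is how
    much IdP/verifier drift it is willing to forgive."""
    root = ET.fromstring(assertion_xml)
    # The subject is readable whether or not the window holds, which is
    # why identity/username can be populated while authentication fails.
    username = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return username, "not-yet-valid"
    if now - skew >= not_on_or_after:
        return username, "expired"
    return username, "ok"

def check_at(hour, minute, skew_minutes=0):
    """Evaluate the sample as seen by a verifier whose clock reads
    2012-12-13 hour:minute UTC, allowing skew_minutes of drift."""
    clock = datetime(2012, 12, 13, hour, minute, tzinfo=timezone.utc)
    return check_validity_window(SAMPLE_ASSERTION, clock,
                                 timedelta(minutes=skew_minutes))
```

With real time at 20:03Z the assertion is inside its window, but a verifier running three minutes fast reads 20:06Z and reports "expired", and one running three minutes slow just after issuance reads 19:58Z and reports "not-yet-valid"; a three-minute tolerance accepts both, though the durable fix is the one the thread found, restoring NTP.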