Troubleshooting cheat sheet - howto Troubleshoot Access Manager 3.1 SAML issues

  • 7006046
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Administration

Situation

AM 3.1 SAML cheat sheet
====================

Functionality: The goal of the SAML protocol is to provide federation and single sign-on (SSO) between SAML identity providers (IDPs) and SAML service providers (SPs).

SAML Log settings required to capture all relevant traffic:

1. IDP - IDP logging must be enabled with the following parameters. /etc/init.d/novell-tomcat5 must be restarted afterwards for the changes to take effect.

- echo to console enabled
- Application, Liberty, SAML, Web Service Consumer and Web Service Provider components set to DEBUG

2. [If a LAG protected resource requires authentication by a SAML SP or IDP] LAG - make sure the /etc/laglogs.conf file includes the settings below. /etc/init.d/novell-vmc must be restarted afterwards for the changes to take effect.

LOG_LEVEL=7
DEBUG_HTTP_HEADERS=1
DEBUG_SOAP_MESSAGES=0

SAML touch files:

N/A

Info to request:

1. Are we an SP or IDP: Verify whether Novell Access Manager is the identity provider or the consumer (SP). In most setups Novell is the identity provider and the SP is a 3rd party, but this is not always the case.
2. How is metadata defined: Gather the metadata from the 3rd party. This metadata includes whether the authentication requests must be signed, where to send the assertion after authentication, etc.
3. Access Manager log files: Make sure that all these log files are reset to 0 bytes before duplicating the issue. To do this, simply type echo > $filename, e.g. echo > /var/opt/novell/tomcat5/logs/catalina.out

3.1. Admin Console Server

- output of the amdiagcfg.sh script (from the /opt/novell/devman/bin directory). This will allow us to view the SAML config. Not great now but will improve.

3.2. Identity (IDP) Server

- /var/opt/novell/tomcat5/logs/catalina.out. Needs to include the output of the /etc/init.d/novell-tomcat5 restart command. This will allow us to view the

    - service and identity providers loaded by the IDP server and their state
    - Authentication requests and responses in and out of our Identity server

3.3. [If LAG protected resource requires authentication by a SAML SP or IDP] Linux Access Gateway (LAG) Server

- /var/opt/novell/tomcat5/logs/catalina.out
- /var/log/ics_dyn.log
- /var/log/laghttpheaders

4. Browser Workstation logs: The most common binding enabled is the POST binding, where all Authentication requests and responses pass through the browser.

- Run ieHTTPHeaders or the Firefox HTTP header plug-in and duplicate the issue. The browser info will be cross-referenced with the above catalina.out files.

What to look for in log files:

- Search for the 'AuthnRequest' string. Key things to note are the binding (POST or Artifact), the NameIdentifier policy (how to authenticate), whether the message is signed (x509 string) and whether the Issuer is valid.
- Search for the 'AuthnResponse' string. Make sure that the status is Success, that the AuthnStatement includes a valid subject and that the AttributeStatement includes the required attributes.
- Search the HTTP header output for a POST HTTP method that includes the SAMLResponse string. This is a base64 encoded version of the assertion - input it into a base64 decoder to get the exact values.
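Added example (not part of this TID): a small Python script that does the decoding and checks described above on a captured POST body, reporting status, subject, required attributes and whether a Signature element is present (it only detects the signature, it does not validate it). The sample POST body, issuer URL and attribute names are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a POST-binding Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed (made-up) assertion, the kind of XML you get after base64 decoding
_SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>'
    '</saml:Subject><saml:AuthnStatement AuthnInstant="2010-05-19T10:00:00Z"/>'
    '<saml:AttributeStatement><saml:Attribute Name="mail">'
    '<saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
# Constructed POST body, as the browser header plug-in would show it (form-encoded base64)
SAMPLE_POST_BODY = "SAMLResponse=" + quote_plus(base64.b64encode(_SAMPLE_XML.encode()).decode()) + "&RelayState=x"


def decode_saml_response(post_body: str, required=("mail",)) -> dict:
    """Extract and base64-decode the SAMLResponse field, then summarise the checks
    from the list above: status, subject, AuthnStatement, attributes, signature present."""
    encoded = parse_qs(post_body)["SAMLResponse"][0]        # parse_qs also undoes the URL encoding
    root = ET.fromstring(base64.b64decode(encoded))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": status,
        "status_ok": status.endswith(":Success"),
        "subject": name_id.text if name_id is not None else None,
        "has_authn_statement": root.find(".//saml:AuthnStatement", NS) is not None,
        "attributes": attrs,
        "missing_attributes": [n for n in required if n not in attrs],
        # Presence only; verifying the XML signature needs the partner's certificate
        "signed": root.find(".//ds:Signature", NS) is not None,
    }
```

Paste the SAMLResponse POST body from the HTTP header capture into decode_saml_response to get the same summary for a real session.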

Useful TIDs:

1. Integrating Access Manager with Concur using SAML1 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=appnote-19673html&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122129851&stateId=0%200%20122127899. Includes a detailed config and troubleshooting of a typical SAML1 project using the POST binding.
2. Integrating Access Manager with Google Apps using SAML2 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=http--wwwnovellcom-communities-node-8645-integrang-google-apps-and-novell-access-manager-using-saml2&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122135176&stateId=0%200%20122133237
3. Integrating Shibboleth IDP server with Access Manager SP using SAML2 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=http--wwwnovellcom-communities-node-6943-integrating-novells-access-manager-shibboleths-idp-server&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122135176&stateId=0%200%20122133237
4. "RequestDenied" error trying to login to Access Manager Identity Server via SAML - https://support.microfocus.com/kb/doc.php?id=7005338&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122135597&stateId=0%200%20122133597
5. "Digital signature is required" error processing SAML Authentication Request - https://support.microfocus.com/kb/doc.php?id=7005337&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122135597&stateId=0%200%20122133597