Troubleshooting cheat sheet - how to troubleshoot Access Manager 3.2 SAML issues

  • 7014298
  • 16-Dec-2013
  • 16-Dec-2013

Environment


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server on Windows and Linux

Situation

Access Manager 3.2 ships with a SAML Identity Server and SAML Service Provider components. The following document explains the various tools and log files that are available to help the troubleshooting process.

Resolution

AM 3.2 SAML2 Troubleshooting cheat sheet
===================================

Functionality: The goal of the SAML protocol is to provide federation and single sign-on (SSO) between SAML identity providers (IDPs) and SAML service providers (SPs).

SAML Log settings required to capture all relevant traffic:

1. IDP - IDP logging must be enabled with the following parameters. /etc/init.d/novell-tomcat5 must be restarted after this for the changes to take effect.

- echo to console enabled
- Application, SAML2, Web Service Consumer and Web Service Provider components set to DEBUG

2. [Only in case where an AG protected resource requires authentication using an external contract pointing to a SAML SP or IDP]

AG - make sure /etc/opt/novell/apache2/conf/NovellAgSettings.conf includes the following (/etc/init.d/novell-apache2 must be restarted after this for the changes to take effect):

LogLevel info
NAGGlobalOptions DebugHeaders=on


Info to request:

1. Confirm whether NAM is the SAML2 SP or IDP: establish whether NetIQ Access Manager is acting as the identity provider or as the service provider (consumer). In most setups NAM is the identity provider and the SP is a third party, but this is not always the case.

2. Verify the SAML2 metadata to check the certificates and key URLs in the trust relationship: gather the metadata from the third party. This metadata states whether authentication requests must be signed, where to send the assertion after authentication, and so on.

3. Gather Access Manager log files:

3.1. Admin Console configuration output – Need XML output of amdiagcfg.sh script (from /opt/novell/devman/bin directory). This will allow us to view the SAML config.

3.2. Identity (IDP) Server SAML logs - Need /opt/novell/nam/idp/logs/catalina.out. Make sure that the logs include the output of the /etc/init.d/novell-idp restart command to see SAML SP/IDP initialisation messages.

3.3. [Only in case where an AG protected resource requires authentication using an external contract pointing to a SAML SP or IDP] Access Gateway Server logs:

- /var/log/novell-ag-logs/maglogs/catalina.out
- /var/log/novell-apache2/error_log

4. Browser Workstation logs: Enable SAML Tracer Firefox plugin and send in output of logs when error occurs (https://www.novell.com/communities/node/13224/useful-firefox-saml-tool-debugging-problems).

What to look for in log files:

- Search for the status code reported in the browser (e.g. 300101008) in the catalina log file and work back from there to the source of the error
- Search for the 'AuthnRequest' string. Key things to note are the binding (POST or Artifact), the NameIdentifier policy (how to authenticate), whether the message is signed (look for the x509 string) and whether the Issuer is valid
- Search for the 'AuthnResponse' string. Make sure that the status is Success, that the AuthnStatement includes a valid subject and that the AttributeStatement includes the required attributes.
- Search the HTTPHeader output for a POST HTTP method that includes the SAMLResponse string. This is a base64 encoded version of the assertion; paste it into a base64 decoder to get the exact values.
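As an added illustration (not part of the original TID), the Python below decodes a SAMLResponse value such as the one found in the DebugHeaders POST output and pulls out exactly the items listed above: status, Issuer, subject NameID, AuthnStatement presence, attributes and whether an XML signature is present. The embedded response is constructed for the example; the hostname is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (not taken from a real catalina.out); hostnames are placeholders.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2013-12-16T10:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cn"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The SAMLResponse form field in the DebugHeaders POST output is the base64 of such XML.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML).decode()

def summarize_saml_response(saml_response_b64):
    """Decode a SAMLResponse value and pull out the items the checklist above says to verify."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # a failed response carries a Status but no Assertion
        assertion = ET.Element("none")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "has_authn_statement": assertion.find("saml:AuthnStatement", NS) is not None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attrs,
        "signed": root.find(".//ds:Signature", NS) is not None,  # any XML-DSig present?
    }

def missing_attributes(summary, required):
    """Attributes the SP needs that the AttributeStatement did not deliver."""
    return sorted(set(required) - set(summary["attributes"]))
```

Compare the returned dictionary against the SP's contract: a status other than Success, a missing AuthnStatement or NameID, or a non-empty missing_attributes list points at the IDP-side configuration to check next.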

Useful TIDs:

1.    Integrating Access Manager with Concur using SAML1 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=appnote-19673html&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122129851&stateId=0%200%20122127899. Includes a detailed config and troubleshooting of typical SAML1 project using the POST binding.
2.    Integrating Access Manager with Google Apps using SAML2 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=http--wwwnovellcom-communities-node-8645-integrang-google-apps-and-novell-access-manager-using-saml2&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122135176&stateId=0%200%20122133237
3.    Integrating Salesforce SAML2 SP with Novell Access Manager SAML2 Identity server - https://www.novell.com/communities/node/13224/useful-firefox-saml-tool-debugging-problems
4.    Integrating Shibboleth IDP server with Access Manager SP using SAML2 - https://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=http--wwwnovellcom-communities-node-6943-integrating-novells-access-manager-shibboleths-idp-server&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=122135176&stateId=0%200%20122133237
5.    "RequestDenied" error trying to login to Access Manager Identity Server via SAML - https://support.microfocus.com/kb/doc.php?id=7005338&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122135597&stateId=0%200%20122133597
6.    "Digital signature is required" error processing SAML Authentication Request - https://support.microfocus.com/kb/doc.php?id=7005337&sliceId=1&docTypeID=DT_TID_1_1&dialogID=122135597&stateId=0%200%20122133597