Verifying a successful exchange using counters

You can verify that your SAML SSO setup works by using the nsconmsg command: nsconmsg -g saml -d current. A successful authentication will result in the saml_assertion_verify_success counter going up:

[Screenshot: Verifying a successful exchange using counters]

Troubleshooting

Here are some areas you should focus on if your SAML SSO isn't working:

  • SAML, like Kerberos, is quite strict about time being correct, so verify date and time on the various devices and use NTP as a best practice.
  • Ensure that DNS is working correctly. The client must be able to successfully resolve and contact both the SP and the IDP.
  • Verify that the certificates that represent each entity are trusted by the others.
  • If users report 404 page not found errors when accessing the page, verify that the SAML redirect URL is configured correctly on the profile.
  • Canonicalization, as we discussed, is a critical piece of this integration, because validation depends on it working correctly. To identify whether you are running into canonicalization issues, look for the following counters going up:
    • saml_assertion_parse_fail
    • saml_signature_verify_fail
    • saml_canonicalize_fail
    • saml_digest_verify_fail

    The syntax would be:

     nsconmsg -g <one of the counters above> -d current
     e.g. nsconmsg -g saml_canonicalize_fail -d current

  • Look in ns.log (/var/log/ns.log) while reproducing the issue. It contains a good level of detail about requests and errors for users authenticating with SAML. In the following screenshot we see that the authentication failed because a signed assertion was expected, but the assertion received carried no signing information:
    [Screenshot: Troubleshooting (ns.log entries for the failed SAML authentication)]
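As an added example that is not part of the book, the following POSIX shell script turns the "look for the counters going up" advice above into a repeatable check: it compares two snapshots of nsconmsg counter output, taken before and after reproducing a failed logon, reports every SAML counter whose running total grew, and then flags whether any of the four failure counters listed above is among them. The two snapshots embedded here are constructed, and the column layout they assume (running total in the third column, counter name in the last) is an assumption about nsconmsg's output that you should confirm against your own appliance before relying on it. On a live system you would capture the snapshots with BEFORE=$(nsconmsg -g saml -d current), reproduce the logon, and then AFTER=$(nsconmsg -g saml -d current).

```shell
#!/bin/sh
# Added example (not from the book): compare two nsconmsg counter snapshots
# and report which SAML counters increased. The column layout is assumed:
# header row "Index rtime totalcount-val delta rate/sec symbol-name&device-no",
# data rows with the running total in column 3 and the counter name last.

# Constructed snapshot taken before reproducing the failing logon.
BEFORE='Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0       0             12           0         0 saml_assertion_verify_success
    1       0              3           0         0 saml_assertion_parse_fail
    2       0              0           0         0 saml_signature_verify_fail
    3       0              5           0         0 saml_canonicalize_fail
    4       0              0           0         0 saml_digest_verify_fail'

# Constructed snapshot taken after one failed logon attempt.
AFTER='Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0       0             12           0         0 saml_assertion_verify_success
    1       0              3           0         0 saml_assertion_parse_fail
    2       0              1           1         0 saml_signature_verify_fail
    3       0              7           2         0 saml_canonicalize_fail
    4       0              0           0         0 saml_digest_verify_fail'

# Print "<counter> <before> -> <after>" for every saml_* counter whose running
# total is higher in the second snapshot than in the first.
# Usage: saml_counters_increased "$BEFORE" "$AFTER"
saml_counters_increased() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        # Data rows start with a numeric index; the header row does not.
        $1 ~ /^[0-9]+$/ && $NF ~ /^saml_/ {
            # First time we see a counter it belongs to the "before" snapshot,
            # the second time to the "after" snapshot.
            if (!($NF in before)) { before[$NF] = $3; order[++n] = $NF }
            else                  { after[$NF]  = $3 }
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if ((c in after) && after[c] + 0 > before[c] + 0)
                    print c, before[c], "->", after[c]
            }
        }'
}

# Exit status 0 when any of the four counters the book associates with
# canonicalization / validation failures grew between the two snapshots,
# otherwise exit status 1.
# Usage: saml_validation_problem "$BEFORE" "$AFTER" && echo "check canonicalization"
saml_validation_problem() {
    saml_counters_increased "$1" "$2" | awk '
        $1 == "saml_assertion_parse_fail"  || $1 == "saml_signature_verify_fail" ||
        $1 == "saml_canonicalize_fail"     || $1 == "saml_digest_verify_fail"    { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run against the constructed snapshots.
echo "Counters that went up:"
saml_counters_increased "$BEFORE" "$AFTER"
if saml_validation_problem "$BEFORE" "$AFTER"; then
    echo "One or more validation failure counters increased: investigate canonicalization, signing and digests."
else
    echo "No validation failure counter increased."
fi
```

Because the functions read the snapshots as plain text, the same script can be pointed at output you saved from the appliance, which keeps the evidence from a troubleshooting session alongside the ns.log excerpt for the same attempt.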