This section traces the role assignment from Identity Server that assigns it to the user, through Identity Server that receives the roles with the user’s authentication assertion, to the policy evaluation. If you are having trouble, this must help you determine the source of the problem.
The following procedures refer to the configuration displayed in Figure A-3. A tsmith user from Site A, who is assigned the doc role, is federated with a Tom user at Site B. Site B does not assign Tom the tester role. The web server has been configured to protect the bugz site, which requires the tester role.
To verify the configuration:
Ensure that policy logging is enabled on the identity provider and the service provider. Ensure that you enable at least Application logging at an Info level.
For configuration procedures, see Configuring Logging for Identity Server.
You can access log files for downloading and viewing by clicking on the Home page, Auditing > General Logging.
Have a user access a resource that is protected by a policy requiring a role from Site A.
For this trace, the tsmith user from Site A requests access to the bugz page. The user uses the federated link and logs in with the credentials of the tsmith user.
Verify that Site A is assigning the user the role.
View the catalina.out file of Identity Server at Site A.
Search for the name of the role. You must find a line similar to the following:
<amLogEntry> 2009-08-22T20:30:19Z INFO NIDS Application: AM#500105013: AMDEVICEID#C5F467BA50B009AC: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Authenticated user cn=tsmith,o=novell in User Store sitea-nids-user-store with roles doc,authenticated. </amLogEntry>
If the role you need is not listed, look at the policy evaluation trace to discover why the user has not been assigned the role. For more information, see Role Assignment Traces.
Verify that Site A is sending an authentication assertion to Site B.
In the catalina.out file of Identity Server from Site A, look for lines similar to the following:
<amLogEntry> 2009-08-22T20:30:19Z INFO NIDS Application: AM#500105018: AMDEVICEID#C5F467BA50B009AC: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Responding to AuthnRequest with artifact AAPLsCVpfv3ha9Mpn+cUiCXcf3D63sc0QfscL5mZaaygHBKVOOh9aPSQ </amLogEntry> <amLogEntry> 2009-08-22T20:30:19Z INFO NIDS Application: AM#500105019: AMDEVICEID#C5F467BA50B009AC: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Sending AuthnResponse in response to artifact AAPLsCVpfv3ha9Mpn+cUiCXcf3D63sc0QfscL5mZaaygHBKVOOh9aPSQ </amLogEntry>
If you do not see these types of entries, verify that you have configured Site A to send the roles. See Obtaining the Role Assignments.
Verify that Site B is receiving the SAML assertion with the roles.
In the catalina.out file of Identity Server from Site B, look for lines similar to the following:
<amLogEntry> 2009-08-22T20:30:19Z INFO NIDS Application: AM#500105020: AMDEVICEID#488475009C6D3DDF: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Received and processing artifact from IDP - AAPLsCVpfv3ha9Mpn+cUiCXcf3D63sc0QfscL5mZaaygHBKVOOh9aPSQ </amLogEntry> <amLogEntry> 2009-08-22T20:30:19Z INFO NIDS Application: AM#500105021: AMDEVICEID#488475009C6D3DDF: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Sending artifact AAPLsCVpfv3ha9Mpn+cUiCXcf3D63sc0QfscL5mZaaygHBKVOOh9aPSQ to URL https://rholm.nam.example.com:8443/nidp/idff/soap at IDP </amLogEntry>
The artifact ID must be the same as the artifact ID in Step 4.
If you do not see these types of entries, verify that you have configured Site B to receive the roles. See Obtaining the Role Assignments.
Verify that Site B is evaluating the received role assignments and activating the roles.
In the catalina.out file of Identity Server from Site B, search for a policy evaluation for RolesFromIdentityProvider.
You must find lines similar to the following:
~~CO~1~RolesFromIdentityProvider(6670):https://ipd.sitea.nam.example.com: 8443/nidp/idff/metadata:TESTER,DOC,AUTHENTICATED~com.novell.nxpe.condition. NxpeOperator@string-equals~(0):hidden-param:hidden-value:~~~True(69) ~~PA~ActionID_1203705845727~~AddRole~tester~~~Success(0) <amLogEntry> 2009-08-22T20:30:20Z INFO NIDS Application: AM#500105013: AMDEVICEID#488475009C6D3DDF: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Authenticated user cn=Tom,o=novell in User Store Internal with roles tester,authenticated. </amLogEntry>
The policy evaluation shows that the condition evaluates to true and that the tester role is activated. Tom is the user that is federated with the tsmith user, and the entry shows that Tom has been assigned the tester role.
If you do not see a policy evaluation for RolesFromIdentityProvider, ensure that you have created such a Role policy and that you have enabled it. See Configuring Policies to Process Received Roles.
If the user has been assigned the correct role, the last step is to verify how the embedded service provider evaluated the policy protecting the resource.
In the catatina.out file of the ipd-esp file for Access Gateway, search for lines similar to the following for the authorization policy trace:
<amLogEntry> 2009-08-22T20:30:20Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-2559E77C93738D15: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: PolicyID#65LN233O-KN19-1L7M-176M-P942LMN6P832: NXPESID#1411: AGAuthorization Policy Trace: ~~RL~1~~~~Rule Count: 2~~Success(0) ~~RU~RuleID_1198874340999~Allow_Tester~DNF~~1:1~~Success(0) ~~CS~1~~ANDs~~1~~True(69) ~~CO~1~CurrentRoles(6660):no-param:TESTER,AUTHENTICATED~com. novell.nxpe.condition.NxpeOperator@string-substring~SelectedRole (6661):hidden-param:hidden-value:~~~True(69) ~~PA~1~~Permit Access~~~~Success(0) ~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisher Container,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Allow_Tester),Rule=(1::RuleID_1198874340999),Action=(Permit::1)~~~~Success(0) </amLogEntry>
If the PA line does not evaluate to Permit Access, then review the Authorization policy and discover the conditions, other than the tester role, that must be met to permit access.