There are very detailed logs available to assist in investigating issues. Some things to look out for in the logs are:

  • Ensure there is a SAML domain assigned
  • An ID must be generated for the request
  • The SAML request is encoded
  • The authentication request is built up and sent back down to L7

  • At some point later, a response is received
  • The XML-encoded SAML response is parsed
  • Some of the information in the SAML response is displayed
  • That information is processed
  • The required pieces are extracted so that a significant number of verification checks can be performed

  • When the XML has been processed, the verification steps begin
  • As part of the verification:
    • The signature is checked to ensure it is valid
    • The “Not On Or After” (NOOA) time is checked to ensure that it has not passed, because the assertion has a lifetime associated with it
    • All of the IDs are checked to ensure they match. An ID is allocated as part of the request; that ID is returned as part of the response, so it is checked in two places in the response document to ensure it matches
    • The issuer is verified to ensure that the response was received from the IdP which was configured previously

  • The status code in the response is displayed. It must be Success to indicate that the user was authenticated at the IdP
  • The username entered when signing in is displayed
  • Next, the KCD processing occurs (if relevant)
  • Once the KCD processing is finished, the site is browsed

  • At some point there is a log out operation
  • An operation is seen for L7 authentication SAML logout
  • The logout request is built
  • The logout request is sent to L7
  • The client redirects to the logout
  • A digest is created and there is a full query string
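The verification checks listed above (NOOA time, request ID echoed in two places, issuer, status code, username) are shown below as an added, stand-alone Python example; it is not code from the original page or from the product whose logs are described. The SAML response, the request ID `_req123`, the IdP entity ID and the clock value are all constructed for illustration. Signature verification is deliberately left to an XML-DSig library and is not implemented here, so this covers the remaining checks only.

```python
"""Post-parse checks on a SAML 2.0 Response, mirroring the verification
steps described in the logs: StatusCode, Issuer, InResponseTo (checked in
two places) and NotOnOrAfter.  Signature checking is out of scope here and
would be done by an XML-DSig library before these checks run."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (not a real IdP response; Signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req123" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req123"
            NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://sp.example.test/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
                     NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_response(xml_text, expected_request_id, expected_issuer, now_iso):
    """Return (problems, username).  An empty problems list means the
    response passed every check implemented here."""
    root = ET.fromstring(xml_text)
    now = parse_time(now_iso)
    problems = []

    # 1. Status code must be Success, otherwise the IdP did not authenticate the user.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")

    # 2. Every Issuer element (Response and Assertion) must name the configured IdP.
    issuers = [e.text.strip() for e in root.findall(".//saml:Issuer", NS) if e.text]
    if not issuers or any(i != expected_issuer for i in issuers):
        problems.append("issuer does not match configured IdP")

    # 3. The request ID must be echoed in both places: the Response attribute
    #    and the bearer SubjectConfirmationData attribute.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    echoed = [root.get("InResponseTo"), scd.get("InResponseTo") if scd is not None else None]
    if any(i != expected_request_id for i in echoed):
        problems.append("InResponseTo mismatch")

    # 4. NotOnOrAfter on Conditions and SubjectConfirmationData must still be in the future.
    deadlines = []
    for el in (root.find(".//saml:Conditions", NS), scd):
        if el is not None and el.get("NotOnOrAfter"):
            deadlines.append(parse_time(el.get("NotOnOrAfter")))
    if not deadlines:
        problems.append("no NotOnOrAfter present")
    elif any(now >= t for t in deadlines):
        problems.append("assertion lifetime has passed")

    # The username the IdP asserted, logged after verification.
    name_id = root.find(".//saml:NameID", NS)
    username = name_id.text.strip() if name_id is not None and name_id.text else None
    return problems, username


if __name__ == "__main__":
    print(verify_response(SAMPLE_RESPONSE, "_req123",
                          "https://idp.example.test/metadata", "2024-01-01T12:02:00Z"))
```

Each failing check maps to one of the log lines above, so when a sign-in fails the first non-empty entry in `problems` tells you which verification step to look for in the log.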