Tracking an authenticated user's SAML Assertion in the Policy Server audit log
Article ID: 191511

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

When running a Policy Server in a Federation journey, one might like to
know whether the following smaccess.log line:

  [Auth][AssertionGenerate][][MyPolicyServer][06/May/2020:10:56:55
  +0100][samlsp:MySAMLPartnership][][cn=myuser,dc=mydomain,dc=com]
  [][samlsp:MySAMLPartnership][][][/][Visit][][][][][][][][][][][]

means that the assertion has been accepted or validated?

Environment

Policy Server all versions

Resolution

At first glance, this line means that an assertion has been generated,
which in turn means that the user has been authenticated.

In the sample you've given:

  [Auth][AssertionGenerate][][MyPolicyServer][06/May/2020:10:56:55
  +0100][samlsp:MySAMLPartnership][][cn=myuser,dc=mydomain,dc=com]
  [][samlsp:MySAMLPartnership][][][/][Visit][][][][][][][][][][][]

the SP of the MySAMLPartnership partnership has created or consumed an
assertion for the user cn=myuser,dc=mydomain,dc=com, because that user
has been authenticated or validated.

If you enable the following setting in the Policy Server registry:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=40856718
  Enable Enhance Tracing = 0x4 (REG_DWORD)

then the very first line of the smaccess.log file gives the description
of each field:

  [Category][Event][Reason][Hostname][Time][AgentName][SessionId][UserName][DomainOid]
  [RealmName][RealmOid][ClientIp][Resource][Action][AuthDirName][AuthDirServer]
  [AuthDirNamespace][TransactionId][StatusMsg][DomainName][ImpersonatorName]
  [ImpersonatorDirName][ObjName][ObjOid][FieldDesc][AssertionId][AssertionIssuerId]
  [AssertionDestinationURL][AssertionStatusCode][AssertionNotOnBefore]
  [AssertionNotOnOrAfter][AssertionSessionStartTime][AssertionSessionNotOnOrAfter]
  [AssertionAuthContext][AssertionVersionId][AssertionClaims][ApplicationName]
  [TenantName][AuthenticationMethod][DeviceHash][DeviceID][UserRefID]

To have these fields filled with values, configure the following in
smconsole:

 On the "Logs" tab:

  | Feature               | Value          |
  |-----------------------+----------------|
  | Authentication Events | Log All Events |
  | Authorization Events  | Log All Events |
  | Affiliate Events      | Log All Events |

and check the following options:

  Include Anonymous Users
  Include Anonymous Users

Out of the box, you cannot choose, field by field, whether a value is
printed or not.

About "Visit" actions:

  A "Visit" action means the line is a session validation event at the
  Federation level. Before generating an assertion, the Policy Server
  validates the existing session in the federation journey.