Verifying a successful exchange using counters
You can verify that your SAML SSO setup works by using the nsconmsg command: nsconmsg -g saml -d current. A successful authentication results in the saml_assertion_verify_success counter going up:
![](https://static.packt-cdn.com/products/9781782175353/graphics/B04636_04_52.jpg)
Troubleshooting
Here are some areas you should focus on if your SAML SSO isn't working:
SAML, like Kerberos, is quite strict about time being correct, so verify date and time on the various devices and use NTP as a best practice.
Ensure that DNS is working correctly. The client must be able to successfully resolve and contact both the SP and the IDP.
Verify that the certificates that represent each entity are trusted by the others.
If users report 404 "page not found" errors when accessing the page, verify that the SAML redirect URL is configured correctly on the profile.
Canonicalization, as we discussed, is a critical piece in this integration, to ensure that validation works correctly. To identify if you are running into canonicalization issues...
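For the time check in the list above, this added example (not from the book and not NetScaler code) reads the validity window that an assertion carries in its Conditions element and reports how far a given clock lies outside it. The sample response is constructed, the function names are my own, and allowed_skew is a hypothetical tolerance, not a product setting.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned response as it would appear in the
# base64 SAMLResponse form field of the HTTP-POST binding.
SAMPLE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion></samlp:Response>""")

def parse_instant(value):
    """Parse a SAML timestamp; the UTC 'Z' form is assumed."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_validity_window(b64_response, now, allowed_skew=timedelta(0)):
    """Return (status, offset) for the clock value `now`.

    status is 'ok', 'not_yet_valid' or 'expired'; offset is how far `now`
    lies outside the window. allowed_skew is a hypothetical tolerance.
    """
    xml = base64.b64decode(b64_response)
    # A SAML message never needs a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("unexpected DTD or entity declaration")
    cond = ET.fromstring(xml).find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("no <saml:Conditions> element found")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + allowed_skew < parse_instant(not_before):
        return "not_yet_valid", parse_instant(not_before) - now
    if not_after and now - allowed_skew >= parse_instant(not_after):
        return "expired", now - parse_instant(not_after)
    return "ok", timedelta(0)

if __name__ == "__main__":
    # Compare this device's clock against the sample's validity window.
    print(check_validity_window(SAMPLE, datetime.now(timezone.utc)))
```

A result of not_yet_valid on the SP means its clock is behind the IdP's, and expired means it is ahead or the response was delivered late; either points back to NTP on the device that disagrees.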