Idea ID: 2826598

IDP - Extend logging - Auth. Problem on missing "KeyInfo" attribute

Status : New Idea
over 1 year ago

According to the NAM documentation the IDP is able to handle multiple certificates for a single SAML2 service provider (specified in the SPs metadata).

In order to select the correct certificate during the authentication process the SAML request needs to contain a "KeyInfo" attribute. Without the "KeyInfo" attribute being specified the IDP responds with a "RequestDenied".

However, even with "Debug" logging enabled the IDP log (catalina.out) does not specify any problem details if the "KeyInfo" attribute is missing.

The IDP logging should be extended to show a respective error message as soon as a request is denied due to a missing "KeyInfo" attribute.
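As an added illustration of the diagnostic this idea asks for (example code, not NAM's implementation), the check below takes a signed SAML2 AuthnRequest, looks for ds:KeyInfo inside ds:Signature, and matches the carried X509Certificate against the certificates the SP published in its metadata; every denial path returns a reason that could be written to the log instead of a bare "RequestDenied". The AuthnRequest skeleton, the placeholder certificate strings and the function names are constructed for this example; XML signature validation itself is outside its scope.

```python
import logging
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the SP's metadata lists two signing certificates (placeholders, not real certs).
SP_METADATA_CERTS = ["MIIC...SIGNING-CERT-A", "MIIC...SIGNING-CERT-B"]


def check_key_info(authn_request_xml: str, sp_certs: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason); the reason is the message that should reach catalina.out."""
    root = ET.fromstring(authn_request_xml)
    request_id = root.get("ID", "<no ID>")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, f"AuthnRequest {request_id}: no ds:Signature element"
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return False, (f"AuthnRequest {request_id}: ds:KeyInfo missing; cannot select among "
                       f"{len(sp_certs)} SP certificates")
    cert_el = key_info.find("ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        return False, f"AuthnRequest {request_id}: ds:KeyInfo has no ds:X509Certificate"
    cert = "".join(cert_el.text.split())  # drop base64 line breaks before comparing
    if cert not in sp_certs:
        return False, f"AuthnRequest {request_id}: certificate in KeyInfo not in SP metadata"
    return True, f"AuthnRequest {request_id}: selected SP certificate #{sp_certs.index(cert)}"


def build_request(key_info_xml: str) -> str:
    # Constructed AuthnRequest skeleton; the SignatureValue is a placeholder, not a real signature.
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_req1" Version="2.0">
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>{key_info_xml}
  </ds:Signature>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    with_key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...SIGNING-CERT-B"
                     "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    for key_info in (with_key_info, ""):
        ok, reason = check_key_info(build_request(key_info), SP_METADATA_CERTS)
        logging.log(logging.DEBUG if ok else logging.WARNING, reason)
```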

Labels: Other
Comment
  • There is already an idea posted that no "Request Denied" should ever be returned without a clear log message saying why it was denied.  Please vote on that idea too!  /cyberres/accmgmt/accessmanager/i/accmanideas/better-logging-for-request-denied-assertion
