CA SiteMinder® Federation Standalone Guide › Logs to Monitor Federation Activities › Transaction IDs to Aid Federation Troubleshooting

Transaction IDs to Aid Federation Troubleshooting

Troubleshooting a federated transaction is difficult when many transactions are logged in one file. To follow a single transaction in a trace log, use the SAML transaction ID. When a federation call occurs, the FWS application first generates a SAML Transaction ID. The SAML Transaction ID is generated only once. This unique SAML transaction ID can map to multiple transaction IDs

For example, you can see the following message in the fwstrace.log for a SAML 2.0 POST transaction. Note the line in bold that shows the mapping of the two transaction IDs.

[08/01/2013][17:33:54][2292][1884][1c2d7650-b006e46a-ed071f41-bbbede33-fe78e2dd-38d][SSO.java][processAuthentication][SAMLTransactionID 2aaf90ec-fdef4897-0ef49d91-63d4031d-f508a3e9-12 maps to TransactionID: 1c2d7650-b006e46a-ed071f41-bbbede33-fe78e2dd-38d.]

The CA SiteMinder® Federation Standalone system generates a new SAMLTransactionID only if it is acting as the asserting party. These specific activities are:

• When Federation Web Services redirects the browser to the authentication URL to establish a session.
• For the following HTTP-Artifact single sign-on transactions:
  • When the asserting party sends the artifact to the relying party.
  • When the asserting party resolves the artifact.
• When the user is redirected to the Identity Discovery profile URL.
• During single logout at the asserting party.

At the relying party, there exists a request ID, which can be traced easily through the log files. The request ID makes it unnecessary for the CA SiteMinder® Federation Standalone system to generate a SAMLTransactionID at the relying party.

For each unique SAML transaction ID, there can be multiple transaction IDs. When a new HTTP transaction occurs, a new transaction ID is generated. This transaction ID is mapped to the single SAML transaction ID. For example, in the trace log you can see the following entries:

SamlTransactionID ["xyz"] maps to TransationID["123"]
["123"] HTTP operation
["123"] HTTP operation

A new transaction ID "456" is generated:

SamlTransactionID["xyz"] Maps to Transactionid["456"]
["456"] <some operation>
["456"] <some operation>

Transaction IDs are placed in the fwstrace.log and the smtracedefault.log. The same set of transaction IDs for a single transaction is written to each of these logs. The trail of IDs in these logs enables you to follow a transaction. If there is a failure, the IDs help you determine which event failed for a transaction.

How To Follow a Single Transaction in a Log

To monitor a transaction, you can follow the two types of transaction IDs in the FWSTrace.log or smtracedefault.log. If there is a failure, looking at the IDs can help you determine the failure point.

To follow a transaction in a log, use one or more of the following methods:

• Open the trace file in a text editor and search on the string SAMLTransactionID (no spaces) or search for a sepcific SAMLTransactionID. This collection of entries in the log provides a view of the entire end-to-end transaction. You can see how far a transaction proceeded.
• Follow the transaction ID in the log file. The transaction ID represents HTTP transactions. Multiple transaction IDs can be associated with a single SAML Transaction ID. A failed transaction displays the transaction ID in the browser. To search the FWSTrace.log and smtracedefault log for the checkpoint error messages, use the displayed transaction ID.
• Parse the log files with a tool that searches files. On UNIX and Windows platforms, you can use a tool like the grep command. The grep command can stream through raw data, line by line, without your having to load a large text file into a text editor.

  Example:

  [usr@rhel632 etc]# more fwstrace.log| grep checkpoint
  [CHECKPOINT = SSOSAML2_SPCONFFROMPS_REQ]]
  [CHECKPOINT = SSOSAML2_SPCONFREAD_REQ]]
  [CHECKPOINT = SSOSAML2_SPCONFFROMCACHE_REQ]]
  [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]