Idea Details

WebAgentTrace.log to say "Authorized by (which) Policy Server".

Last activity 12-17-2016 09:06 AM
SungHoon_Kim's profile image
11-18-2015 01:22 AM

In many times, we get WebAgentTrace.log and find the authorization decision was made by policy server.

But, which policy server(?) is another quiz to solve when collecting a full set of logs.


Currently, following is what we see.

[AuthorizeUser][User 'uid=User1,OU=People,dc=sample,dc=lab' is authorized by Policy Server.]


What I hope to see is.

[AuthorizeUser][User 'uid=User1,OU=People,dc=sample,dc=lab' is authorized by Policy Server 'PS001'.]


Edit : (As mentioned by Hubert Dennis)

This should also include other events from policy server.

IsProtected (Yes / No)

IsAuthenticated (AuthAttempt / AuthReject)

IsAuthorized (AzAccept / AzReject)

IsValidate (ValidateAccept / ValidateReject)


02-17-2016 02:31 AM

Just a note :


If there is a load balancer between the webagent and the policy server, then the IP address of the policy server (as known by the webagent) will not be sufficient to uniquely identify the actual policy server that returned the result.


This was a feature requested by Steve McQuiggan (CA) quite some time ago, but he had to modify his request once it became clear that load balancer was goign to be supported between WA and PS.


I just wanted to make that same point here, so that when feature is implmented that :        

           [AuthorizeUser][User 'uid=User1,OU=People,dc=sample,dc=lab' is authorized by Policy Server 'PS001'.]


That the PS01 is some tag that really does uniquely identify the policy server.


Cheers - Mark

02-16-2016 04:08 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your enhancement suggestion and decided to maintain the idea for possible consideration in a future release. The Community will continue to be able to vote on this enhancement idea.

01-15-2016 12:53 PM

I Agree. This would save a lot of time while troubleshooting for SM Admins as we can determine the Policy Sever from the Agent logs ,especially in an environment where there are lot of policy servers.



11-18-2015 12:55 PM

Include all calls success and failures....


IsProtected (Yes / No)

IsAuthenticated (AuthAttempt / AuthReject)

IsAuthorized (AzAccept / AzReject)

IsValidate (ValidateAccept / ValidateReject)

11-18-2015 01:26 AM

Same goes to "Authenticated by Policy Server 'PS001'"