Skip to end of metadata
Go to start of metadata

The function or feature discussed below is experimental, and may be changed or withdrawn.

The authentication point has a debug mode that allows you to perform a couple of useful functions:

  • For all
    • see exactly which attributes are being passed to service providers so that you can confirm what your release policy is passing to a given service provider and test changes.
  • For local authentication users
    • view the attributes being passed to OpenAthens by SAML connections such as ADFS
    • view and interact with local authentication connections that are not yet marked as live - e.g. when adding a new one, or migrating from an old one.

You can activate or deactivate debug mode using this bookmarklet when you are on the domain (e.g. your login page):

Step 1: drag the bookmarklet to your favourites bar if you have not already.

Step 2: you must be at to turn debug mode on or off. Any page will do and the password reset page may be a handy place:

Step 3: Turn debug mode on or off by clicking the bookmarklet:

Debug mode will stay in effect until you turn it off. Depending on your browser settings, closing your browser may also disable debug mode (e.g. private browsing).

You can also grab the bookmarklet from, and toggle debug mode on / off at

Attributes view

What you will see on the way to a resource is something like this:

There are options to sign out, or continue to the resource.

You can look at the response as a table, or switch to a SAML view. This view is only possible whilst accessing a resource.

Local connections view

As long as you do not have a connection set as default then debug mode will show all of your local connections an overlay including those that are not marked as live or visible. 

You will need to search for your organisation on the right hand pane of the authentication point, or access a resource to get to a place where this will appear.

Anything to watch out for?

Debug mode cannot show incoming attributes from the API connector, only from SAML based connectors.

If you have only one local connection and it is LDAP or SirsiDynix, you will not see the popup because these connection types can accept OpenAthens accounts. You will only be able to tell the difference if you modify the username and password labels on the login page tab of the connection.

If you are doing this whilst accessing a resource, you will be interrupting a time-stamped SAML response. If you do not proceed to the resource within a minute you are unlikely to gain access if that is your intention.

If the request and response use SAML 2 the key attributes are passed using the urn:oid format. It is the last number that tells them apart, e.g:

NamePassesMay have been known before as
urn:oid: (e.g. member, staff, student)eduPersonScopedAffiliation / Scoped Affiliation / Affiliation
urn:oid: valueseduPersonEntitlement / Entitlement
urn:oid: targeted ID valueeduPersonTargetedID / Targeted ID

The older urn:mace format should be seen only if a service provider makes a SAML1 request.

Debug mode will also show details of your sign-in to the administration area if active at that time, but it does not show any particularly useful or interesting information.

  • No labels