The authentication point has a debug mode that allows you to perform a couple of useful functions:
- For all
  - see exactly which attributes are being passed to service providers so that you can confirm what your release policy is passing to a given service provider and test changes.
- For local authentication users
  - view the attributes being passed to OpenAthens by SAML connections such as ADFS
  - view and interact with local authentication connections that are not yet marked as live - e.g. when adding a new one, or migrating from an old one.
You can activate or deactivate debug mode using this bookmarklet when you are on the login.openathens.net domain (e.g. your login page):
Step 1: drag the bookmarklet to your favourites bar if you have not already.
Step 2: you must be at login.openathens.net to turn debug mode on or off. Any page will do, and https://login.openathens.net/auth#forgottenpassword may be a handy place.
Step 3: Turn debug mode on or off by clicking the bookmarklet:
Debug mode will stay in effect until you turn it off. Depending on your browser settings, closing your browser may also disable debug mode (e.g. private browsing).
You can also grab the bookmarklet from, and toggle debug mode on / off at https://login.openathens.net/resources/static/ssodebug.html
What you will see on the way to a resource is something like this:
There are options to sign out, or continue to the resource.
You can look at the response as a table, or switch to a SAML view. This view is only possible whilst accessing a resource.
Local connections view
As long as you do not have a connection set as default, debug mode will show all of your local connections in an overlay, including those that are not marked as live or visible.
You will need to search for your organisation in the right-hand pane of the authentication point, or access a resource, to get to a place where this will appear.
Anything to watch out for?
Debug mode cannot show incoming attributes from the API connector, only from SAML-based connectors.
If you have only one local connection and it is LDAP or SirsiDynix, you will not see the popup because these connection types can accept OpenAthens accounts. You will only be able to tell the difference if you modify the username and password labels on the login page tab of the connection.
If you are doing this whilst accessing a resource, you will be interrupting a time-stamped SAML response. If you intend to reach the resource, proceed within a minute; after that you are unlikely to gain access.
If the request and response use SAML 2 the key attributes are passed using the
| Name | Passes | May have been known before as |
|---|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Role (e.g. member, staff, student) | eduPersonScopedAffiliation / Scoped Affiliation / Affiliation |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | Entitlement values | eduPersonEntitlement / Entitlement |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | The targeted ID value | eduPersonTargetedID / Targeted ID |
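To check a release policy offline, the XML copied from the SAML view can be parsed and compared against the attributes you intended to release. The following is an added example, not OpenAthens code: the sample assertion is constructed, the function names are hypothetical, and the expiry check assumes the assertion carries a `Conditions` element with `NotOnOrAfter`.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ARC = "urn:oid:1.3.6.1.4.1.5923.1.1.1."  # eduPerson attribute arc
FRIENDLY = {ARC + "1": "Role", ARC + "7": "Entitlement", ARC + "10": "Targeted ID"}

# Constructed sample, not captured from a real login.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:01:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:example:entitlement:journals</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:custom:department">
      <saml:AttributeValue>Library</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(xml_text):
    """Map each released attribute (friendly label where known) to its values."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(FRIENDLY.get(name, name), []).extend(values)
    return out

def unexpected_attributes(xml_text, allowed):
    """Attributes present in the assertion that the intended policy does not list."""
    return sorted(set(released_attributes(xml_text)) - set(allowed))

def seconds_left(xml_text, now):
    """Seconds until the assertion's NotOnOrAfter; negative means it has expired."""
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    return (expiry.replace(tzinfo=timezone.utc) - now).total_seconds()

if __name__ == "__main__":
    print(released_attributes(SAMPLE))
    print(unexpected_attributes(SAMPLE, {"Role", "Entitlement", "Targeted ID"}))
```

Any name returned by `unexpected_attributes` is being released beyond what you listed, which is the case to investigate before a policy change goes live.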