The authentication point has a debug mode that allows you to perform a couple of useful functions:
- For all
  - see exactly which attributes are being passed to service providers so that you can confirm what your release policy is passing to a given service provider and test changes.
- For local authentication users
  - view the attributes being passed to OpenAthens by SAML connections such as ADFS
  - view and interact with local authentication connections that are not yet marked as live - e.g. when adding a new one, or migrating from an old one.
You can activate or deactivate debug mode using this bookmarklet when you are on the login.openathens.net domain (e.g. your login page):
Step 1: drag the bookmarklet to your favourites bar if you have not already.
Step 2: you must be at login.openathens.net to turn debug mode on or off. Any page will do, and https://login.openathens.net/auth#forgottenpassword may be a handy place:
Step 3: Turn debug mode on or off by clicking the bookmarklet:
Debug mode will stay in effect until you turn it off. Depending on your browser settings, closing your browser may also disable debug mode (e.g. private browsing).
You can also grab the bookmarklet from, and toggle debug mode on / off at https://login.openathens.net/resources/static/ssodebug.html
What you will see on the way to a resource is something like this:
There are options to sign out, or continue to the resource.
You can look at the response as a table, or switch to a SAML view. This view is only possible whilst accessing a resource.
Local connections view
As long as you do not have a connection set as default then debug mode will show all of your local connections in an overlay including those that are not marked as live or visible. If you select a SAML based local connection, debug mode will show you which attributes are being sent to OpenAthens from your connector.
You will need to search for your organisation on the right hand pane of the authentication point, use a wayfless URL, or access a resource to get to a place where this will appear.
Anything to watch out for?
With local connectors, debug mode can only show incoming attributes from SAML based sources, not things like the API or LDAP.
If you have only one local connection and it is LDAP or SirsiDynix, you will not see the popup because these connection types can accept OpenAthens accounts. You will only be able to tell the difference if you modify the username and password labels on the login page tab of the connection.
If you are doing this whilst accessing a resource, you will be interrupting a time-stamped SAML response. If you do not proceed to the resource within a minute then access is likely to fail.
If the request and response use SAML 2 the key attributes are passed using the
| Name | Passes | May have been known before as |
|---|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Role (e.g. member, staff, student) | eduPersonScopedAffiliation / Scoped Affiliation / Affiliation |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | Entitlement values | eduPersonEntitlement / Entitlement |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | The targeted ID value | eduPersonTargetedID / Targeted ID |
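The check that the attribute view supports, done over a saved copy of the SAML view, as an added example that is not OpenAthens code: it lists what was released, compares it with what the release policy is meant to pass, and reports how much of the time-stamped window is left. The sample assertion is constructed, the function names are hypothetical, and the attribute names are the table's entries written in standard eduPerson OID form (an assumption).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Names from the table above as eduPerson OIDs (assumption), keyed to the "Passes" column.
KEY_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "Role",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "Entitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "Targeted ID",
}
# Constructed sample, not real OpenAthens output: 60 s validity, one extra (mail) attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
   <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
   <saml:AttributeValue><saml:NameID>abc123</saml:NameID></saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
   <saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(xml_text):
    """Map each released attribute Name to its list of values."""
    released = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        # itertext() also picks up a value wrapped in a nested element (e.g. a NameID)
        released[attr.get("Name")] = [
            "".join(v.itertext()).strip() for v in attr.findall("saml:AttributeValue", NS)]
    return released

def check_release(xml_text, expected):
    """Return (labels the policy should pass but did not, names released beyond it)."""
    released = released_attributes(xml_text)
    seen = {KEY_ATTRIBUTES[n] for n in released if n in KEY_ATTRIBUTES}
    missing = sorted(set(expected) - seen)
    unexpected = sorted(n for n in released if KEY_ATTRIBUTES.get(n) not in expected)
    return missing, unexpected

def seconds_remaining(xml_text, now):
    """Seconds left before the assertion's NotOnOrAfter; negative once it has lapsed."""
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    return (expiry.replace(tzinfo=timezone.utc) - now).total_seconds()

if __name__ == "__main__":
    print(check_release(SAMPLE, {"Role", "Entitlement", "Targeted ID"}))
    print(seconds_remaining(SAMPLE, datetime(2024, 1, 1, 12, 0, 45, tzinfo=timezone.utc)))
```

This only reads attribute names, values and timestamps; it does not validate the assertion's signature.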
As discussed above, if you have a local connector marked as default, debug mode will not show you multiple connector options. This presents a challenge if you want to change from one default connector to another - for example if you were moving from ADFS to Azure - as it may seem impossible to test the new connector.
Luckily it is possible to specify a connector in the URL when debug mode is active. It's not the simplest URL for a beginner to craft, but your support contact will be happy to help.
Usually the same as your 'Scope' - e.g.
| <NUMERIC_ORG_ID> | The unique ID number on the same line as your scope on the organisation summary page |
| <PERCENT_ENCODED_URL> | Since the thing you need to test is getting data from your local source into OpenAthens this does not need to be a resource or anything complicated - any web page will do as long as you percent encode it (sometimes called URL encoding). For example: |
| <NUMERIC_CONNECTOR_ID> | This is visible in the URL when you select the connection in the admin area - e.g. |