How to use debug mode
The function or feature discussed below is experimental, and may be changed or withdrawn.
The authentication point has a debug mode that allows you to perform a couple of useful functions:
- For all:
  - see exactly which attributes are being passed to service providers, so that you can confirm what your release policy is passing to a given service provider and test changes.
- For local authentication users:
  - view the attributes being passed to OpenAthens by SAML connections such as ADFS
  - view and interact with local authentication connections that are not yet marked as live - e.g. when adding a new one, or migrating from an old one.
You can activate or deactivate debug mode using a bookmarklet when you are on the login.openathens.net domain (e.g. your login page):
Step 1: go to https://login.openathens.net/resources/static/ssodebug.html and drag the bookmarklet to your favourites bar if you don't already have it
Step 2: you must be at login.openathens.net to turn debug mode on or off. Any page will do and the password reset page may be a handy place: https://login.openathens.net/auth#forgottenpassword
Step 3: Turn debug mode on or off by clicking the bookmarklet:
Debug mode will stay in effect until you turn it off. Depending on your browser settings, closing your browser may also disable debug mode (e.g. private browsing).
Attributes view
What you will see on the way to a resource is something like this:
There are options to sign out, or continue to the resource.
You can look at the response as a table, or switch to a SAML view. This view is only possible whilst accessing a resource.
Local connections view
As long as you do not have a connection set as default then debug mode will show all of your local connections in an overlay including those that are not marked as live or visible. If you select a SAML based local connection, debug mode will show you which attributes are being sent to OpenAthens from your connector.
You will need to search for your organisation on the right-hand pane of the authentication point, use a WAYFless URL, or access a resource to get to a place where this will appear.
Anything to watch out for?
With local connectors, debug mode can only show incoming attributes from SAML based sources, not things like the API or LDAP.
If you have only one local connection and it is LDAP or SirsiDynix, you will not see the popup because these connection types can accept OpenAthens accounts. You will only be able to tell the difference if you modify the username and password labels on the login page tab of the connection.
If you are doing this whilst accessing a resource, you will be interrupting a time-stamped SAML response. If you do not proceed to the resource within a minute then access is likely to fail.
If the request and response use SAML 2, the key attributes are passed using the urn:oid format. It is the last number that tells them apart, e.g.:
| Name | Passes | May have been known before as |
|---|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Role (e.g. member, staff, student) | eduPersonScopedAffiliation / Scoped Affiliation / Affiliation |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | Entitlement values | eduPersonEntitlement / Entitlement |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | The targeted ID value | eduPersonTargetedID / Targeted ID |
The older urn:mace format should be seen only if a service provider makes a SAML 1 request.
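If you copy the SAML view out of debug mode, a small script can translate the urn:oid names into the friendly names from the table above and show how long the time-stamped response has left before a service provider will reject it. The following is an added example, not OpenAthens code; the response it parses is constructed for illustration and the `extract_attributes` and `seconds_until_expiry` function names are the author's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# urn:oid names as given in the table above; only the last arc differs between them
OID_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
}

# Constructed sample response (not captured from any real IdP or SP)
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml2:AttributeValue>member@example.org</saml2:AttributeValue>
    <saml2:AttributeValue>staff@example.org</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
    <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
    <saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml2:NameID></saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""

def extract_attributes(response_xml):
    """Map each attribute to its values, translating urn:oid names via the table above."""
    attrs = {}
    for a in ET.fromstring(response_xml).iterfind(".//saml2:Attribute", NS):
        name = OID_FRIENDLY.get(a.get("Name"), a.get("Name"))  # unknown names kept verbatim
        for v in a.iterfind("saml2:AttributeValue", NS):
            # eduPersonTargetedID wraps a NameID element rather than plain text
            nameid = v.find("saml2:NameID", NS)
            attrs.setdefault(name, []).append((nameid if nameid is not None else v).text.strip())
    return attrs

def seconds_until_expiry(response_xml, now):
    """Seconds left before Conditions/@NotOnOrAfter; negative means the SP will reject it."""
    cond = ET.fromstring(response_xml).find(".//saml2:Conditions", NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    return (expiry - now).total_seconds()
```

Call `extract_attributes(SAMPLE_RESPONSE)` to see the attribute table and `seconds_until_expiry(SAMPLE_RESPONSE, datetime.now(timezone.utc))` to see the remaining validity window; a negative result is the situation the one-minute warning above describes.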
Debug mode will also show details of your sign-in to the administration area if active at that time, but it does not show any particularly useful or interesting information.