[OPENAM-1631] Add option to enable debug logging of decrypted SAML assertions Created: 23/Aug/12  Updated: 20/Nov/16  Resolved: 15/Jan/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 9.5.3
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: New Feature Priority: Major
Reporter: Peter Major [X] (Inactive) Assignee: Charles Sparey
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-7341 OPENAM-1631 introduced a dependency o... Resolved
Support Ticket IDs:


For example if OpenAM is running as an SP and Assertion encryption is enabled, the debug logs will never contain the decrypted XMLs. This makes very hard to debug SAML configuration problems (wrong nameid/format, missing attributes, etc). It would be the best to provide a configuration option to enable this extra logging .

Comment by Jonathan Scudder [ 03/Sep/12 ]

The default setting should be to store the assertion as today; whilst debugging shouldn't be used at this level in production unless there is a problem, it is important that turning on debugging doesn't hold any nasty surprises. Good "nice-to-have" feature to help diagnose problems.

Comment by Mark de Reeper [ 21/May/14 ]

Do you see this as something like an advanced toXMLString where you can ask for the XML to be returned with all of the encrypted elements in decrypted form?

Comment by Peter Major [X] (Inactive) [ 21/May/14 ]

I've been more thinking along the lines of an extra conditional debug statement after the decryption is done.

Comment by Mark de Reeper [ 21/May/14 ]

So every every time an encrypted element of the Assertion is decrypted, check if message level debug is enabled and some other flag value is true, print the element value in debug log (at message level).

Comment by Peter Major [X] (Inactive) [ 16/Jun/14 ]

Moving to 11.0.3 as this is not a key feature we need to have.

Comment by Charles Sparey [ 03/Dec/14 ]

11.0.3 version checked into branch 11.0.x as revision 11621; 12.0.1 and 13.0.0 are to follow.

Comment by Charles Sparey [ 09/Dec/14 ]

13.0.0 version checked into the trunk as revision(s) 11710 and 11711. Backport from this version into 12.0.1 is to follow in due course.

Comment by Charles Sparey [ 15/Jan/15 ]

12.0.1 version checked in as revision 12079.

Comment by Charles Sparey [ 15/Jan/15 ]

This is fixed is 11.0.3, 12.0.1 and 13.0.0 as per the earlier comment checkin notes. Marking as resolved.

Generated at Tue Oct 27 07:03:35 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.