Debug Mode
When the debug option is enabled, all actions, errors, and available user attributes will be logged.
Debug Mode provides detailed authentication logs for troubleshooting but should be used with caution. Logs may contain sensitive user data, including SAML assertions and session identifiers, posing a security risk if accessed by unauthorised users. Keeping Debug Mode enabled can also impact performance and may lead to compliance issues with data protection regulations. It should only be enabled temporarily for diagnostics to minimise risk.
Logs can be accessed from the Log tab on the SAML Admin Authentication integration under Settings > System > Integrations Hub > SAML Admin Authentication.
Example Log Content
Log showing a successful login
In these logs you can see a trace of the user's authentication: the start of the Single Sign-On (SSO) process, the redirection to the Identity Provider (IdP), the response received back from the IdP, the verification of that response, the matching of a user record and the successful authentication of the user.
Date | Type | Info | Task ID |
---|---|---|---|
28/01/2025, 08:58:18 | Info | Starting SSO process | 9885016a-3926-4274-95f3-14ad5749d0bc |
28/01/2025, 08:58:18 | Info | Redirecting user to IdP SSO url: https://login.microsoftonline.com/6173952Q-F0EO-55s3-6845-33s768Qr975A/saml2 | 9885016a-3926-4274-95f3-14ad5749d0bc |
28/01/2025, 09:00:05 | Info | Received response from IdP: SAMLResponse=RESPONSE&RelayState=RELAYSTATE | 16432098-28c8-4818-ba5c-97e5759d47e5 |
28/01/2025, 09:00:05 | Info | Processing SAML SSO response from IdP | 16432098-28c8-4818-ba5c-97e5759d47e5 |
28/01/2025, 09:00:05 | Info | SAML response is valid, attempting to find or create Connect user with NameId: oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe | 16432098-28c8-4818-ba5c-97e5759d47e5 |
28/01/2025, 09:00:06 | Info | Subsequent login for user "oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe" | 16432098-28c8-4818-ba5c-97e5759d47e5 |
28/01/2025, 09:00:06 | Info | Authentication successful, creating session for user example@example.net | 16432098-28c8-4818-ba5c-97e5759d47e5 |
Log showing an unsuccessful login
In these logs you can see a trace of the user's sign-in attempt. The Single Sign-On (SSO) process begins, the user is redirected to the Identity Provider (IdP), and a response is received back at Jadu Connect, which is then verified. At this point the user is matched to an existing user's email address, but the user found is not set up with SAML Authentication. The sign-in fails and an error is recorded in the log:
User's email already in use for new user: example@example.net, oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe
The user is not signed in and is redirected back to the Jadu Connect Admin Login page.
Date | Type | Info | Task ID |
---|---|---|---|
27/01/2025, 15:53:19 | Info | Starting SSO process | 5fe797ec-f05d-410a-a879-dee92894f348 |
27/01/2025, 15:53:19 | Info | Redirecting user to IdP SSO url: https://login.microsoftonline.com/6173952Q-F0EO-55s3-6845-33s768Qr975A/saml2 | 5fe797ec-f05d-410a-a879-dee92894f348 |
27/01/2025, 15:53:20 | Info | Received response from IdP: SAMLResponse=RESPONSE&RelayState=RELAYSTATE | 4642e3de-cc32-45ed-9e94-007d314727ed |
27/01/2025, 15:53:20 | Info | Processing SAML SSO response from IdP | 4642e3de-cc32-45ed-9e94-007d314727ed |
27/01/2025, 15:53:20 | Info | SAML response is valid, attempting to find or create Connect user with NameId: oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe | 4642e3de-cc32-45ed-9e94-007d314727ed |
27/01/2025, 15:53:20 | Error | User's email already in use for new user: example@example.net, oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe | 4642e3de-cc32-45ed-9e94-007d314727ed |
27/01/2025, 15:53:20 | Error | Connect authentication failed, redirecting user to: /q/login/admin | 4642e3de-cc32-45ed-9e94-007d314727ed |
Reading the SAML Response
The response received from the Identity Provider is recorded in the log in the format in which it is received. The string is URL-encoded and Base64-encoded and is in two parts, the SAMLResponse and the RelayState.
To read the response back:
- URL decode the response
- Discard `SAMLResponse=` from the start of the resulting string
- Discard `&RelayState=...` from the end of the resulting string
- Finally, Base64 decode the remaining string
The resulting string will contain the response from the Identity Provider similar to below:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_89e2c6f6-671c-4e17-ab92-6b54d3950b22" Version="2.0" IssueInstant="2025-01-27T15:53:19.837Z" Destination="https://domain/q/login/admin/saml_admin_auth/acs" InResponseTo="ONELOGIN_81b9421f7f16dcf8fd71d6575d312791413887b6">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/6173952Q-F0EO-55s3-6845-33s768Qr975A/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4a495591-e7d1-4738-849c-f94d486b1d01" IssueInstant="2025-01-27T15:53:19.833Z" Version="2.0">
<Issuer>https://sts.windows.net/6173952Q-F0EO-55s3-6845-33s768Qr975A/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_4a495591-e7d1-4738-849c-f94d486b1d01">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>Pu0mamFL2yD09B66KXL5UTnegkQ+fO4rD4Xsp6sR43k=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[REDACTED]</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>[REDACTED]</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">oO-Syd0KefzJ21SNoYtNgiL4kTza0UUDEoPtCUiQzIe</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ONELOGIN_81b9421f7f16dcf8fd71d6575d312791413887b6" NotOnOrAfter="2025-01-27T16:53:19.749Z" Recipient="https://domain/q/login/admin/saml_admin_auth/acs"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2025-01-27T15:48:19.749Z" NotOnOrAfter="2025-01-27T16:53:19.749Z">
<AudienceRestriction>
<Audience>https://domain/q/login/admin/saml_admin_auth/metadata</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>1218383c-b7ae-48d3-9382-88d980ae288e</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>b1940928-95cf-44fa-b683-c5afaf725101</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>Helen Shaw</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/1218383c-b7ae-48d3-9382-88d980ae288e/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>Bobby</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>Keys</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>example@example.net</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2025-01-27T14:48:19.837Z" SessionIndex="_4a495591-e7d1-4727-849f-f94d486b1d00">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
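
The four decode steps above as a Python script. This is an added example, not Jadu's own code. It also pulls out only the fields normally needed for troubleshooting, so the signature, certificate and attribute claims need not be copied out of the log. The function names, the `sp.example`/`idp.example` URLs and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_logged_response(info):
    """Apply the four steps to the text logged after 'Received response from IdP: '."""
    text = unquote(info.strip())  # 1. URL decode (not unquote_plus: '+' is Base64 data)
    if not text.startswith("SAMLResponse="):
        raise ValueError("log entry does not start with SAMLResponse=")
    text = text[len("SAMLResponse="):]        # 2. discard the prefix
    text = text.split("&RelayState=", 1)[0]   # 3. discard RelayState and what follows
    return base64.b64decode(text, validate=True).decode("utf-8")  # 4. Base64 decode

def summarise(xml_text):
    """Return only the fields needed to debug a login (no signature, certificate or claims)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in SAML response, refusing to parse")
    root = ET.fromstring(xml_text)
    status = root.find("p:Status/p:StatusCode", NS)
    cond = root.find(".//a:Conditions", NS)  # absent when the response has no assertion
    return {
        "status": status.get("Value", "").rsplit(":", 1)[-1] if status is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "issuer": root.findtext("a:Issuer", namespaces=NS),
        "name_id": root.findtext(".//a:NameID", namespaces=NS),
        "audience": root.findtext(".//a:Audience", namespaces=NS),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
    }

# Constructed sample (not real log data), encoded the way the log stores it.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://sp.example/acs" InResponseTo="ONELOGIN_test">'
    '<Issuer>https://idp.example/</Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status><Assertion><Subject><NameID>constructed-name-id</NameID></Subject>'
    '<Conditions NotBefore="2025-01-27T15:48:19Z" NotOnOrAfter="2025-01-27T16:53:19Z">'
    '<AudienceRestriction><Audience>https://sp.example/metadata</Audience>'
    '</AudienceRestriction></Conditions></Assertion></samlp:Response>')
SAMPLE_LOG = ("SAMLResponse=" + quote(base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")
              + "&RelayState=" + quote("https://sp.example/admin", safe=""))

if __name__ == "__main__":
    print(summarise(decode_logged_response(SAMPLE_LOG)))
```

Run it on a machine you control rather than pasting the logged value into an online decoder, since the decoded response carries the NameID, session index and user attributes.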