24 Enabling Debugging for SAML 1.1 and 2.0

Oracle WebLogic Server provides several ways to enable debugging for a web application that uses SAML for SSO. Debugging is configured by setting attributes on the ServerDebug MBean, either statically through system properties when the server starts or dynamically on a running server through WebLogic Remote Console or WLST.

This chapter includes the following topics:

  - About SAML Debug Scopes and Attributes
  - Enabling Debugging Using the Command Line
  - Enabling Debugging Using WebLogic Remote Console
  - Enabling Debugging Using the WebLogic Scripting Tool
  - Sending Debug Messages to Standard Out

About SAML Debug Scopes and Attributes

Learn about the registered debug scopes and attributes provided in WebLogic Server for SAML 1.1 and 2.0.

Table 24-1 SAML 1.1 Debug Scopes and Attributes

Scope                           Attribute                   Description
weblogic.security.saml.atn      DebugSecuritySAMLAtn        Prints information about SAML 1.1 authentication provider processing.
weblogic.security.saml.credmap  DebugSecuritySAMLCredMap    Prints information about SAML 1.1 credential mapping provider processing.
weblogic.security.saml.lib      DebugSecuritySAMLLib        Prints information about SAML 1.1 library processing.
weblogic.security.saml.service  DebugSecuritySAMLService    Prints information about SAML 1.1 SSO profile services.

Table 24-2 SAML 2.0 Debug Scopes and Attributes

Scope                            Attribute                   Description
weblogic.security.saml2.atn      DebugSecuritySAML2Atn       Prints information about SAML 2.0 authentication provider processing.
weblogic.security.saml2.credmap  DebugSecuritySAML2CredMap   Prints information about SAML 2.0 credential mapping provider processing.
weblogic.security.saml2.lib      DebugSecuritySAML2Lib       Prints information about SAML 2.0 library processing.
weblogic.security.saml2.service  DebugSecuritySAML2Service   Prints information about SAML 2.0 SSO profile services.

Enabling Debugging Using the Command Line

You can enable debug scopes or attributes by passing them as options in the command that starts WebLogic Server, for example through the JAVA_OPTIONS environment variable read by the domain start scripts. This method is static: the settings are applied when the server starts and cannot be changed without a restart.

The command line options you can use for enabling SAML debugging by attribute are listed in Table 24-3.

Table 24-3 Command Line Options for SAML Debugging

SAML Version   Available Command Line Options for Debugging
SAML 1.1       -Dweblogic.debug.DebugSecuritySAMLAtn=true
               -Dweblogic.debug.DebugSecuritySAMLCredMap=true
               -Dweblogic.debug.DebugSecuritySAMLLib=true
               -Dweblogic.debug.DebugSecuritySAMLService=true
SAML 2.0       -Dweblogic.debug.DebugSecuritySAML2Atn=true
               -Dweblogic.debug.DebugSecuritySAML2CredMap=true
               -Dweblogic.debug.DebugSecuritySAML2Lib=true
               -Dweblogic.debug.DebugSecuritySAML2Service=true

Enabling Debugging Using WebLogic Remote Console

You can enable SAML debugging using WebLogic Remote Console. Using WebLogic Remote Console to enable or disable SAML debugging is dynamic and can be used while the server is running.

Note:

SAML 1.1 is deprecated as of WebLogic Server 14.1.2.0.0 and will be removed in a future release. Its configuration is not supported in WebLogic Remote Console. Oracle recommends using SAML 2.0 instead.

To configure SAML debugging using WebLogic Remote Console, complete the following steps:

  1. In the Edit Tree, go to Environment, then Servers.
  2. Click the server where you want to enable or disable debugging.
  3. On the Debug tab, select the Security subtab.
  4. Turn on the SAML 2.0 debug attributes that you want to enable, or turn off those you want to disable.

    For a description of each registered SAML debug attribute, see About SAML Debug Scopes and Attributes.

  5. Click Save.
  6. Repeat for the rest of the servers as desired.
  7. Commit your changes.

Changes to SAML debug scopes and attributes take effect immediately; you do not need to restart the server. See Define Debug Settings in Oracle WebLogic Remote Console Online Help.

Enabling Debugging Using the WebLogic Scripting Tool

You can use the WebLogic Scripting Tool (WLST) to configure SAML debugging attributes. Using WLST is a dynamic method and can be used to enable debugging while the server is running.

For example, the following command runs a program for setting debugging attributes called debug.py:

java weblogic.WLST debug.py

The debug.py program contains the following code, which enables debugging for the attribute DebugSecuritySAMLAtn.

# Credentials appear in clear text only for clarity; see the note that follows.
user='user1'
password='password'
url='t3://localhost:7001'
connect(user, password, url)
# Debug settings live on the server's ServerDebug MBean in the edit tree.
edit()
cd('Servers/myserver/ServerDebug/myserver')
startEdit()
set('DebugSecuritySAMLAtn','true')
save()
activate()
disconnect()

Note:

For clarity, this WLST example script shows the username and password in clear text. However, you should avoid entering clear-text passwords in WLST commands in general, and you should especially avoid saving on disk WLST scripts that include clear-text passwords. In these instances you should use a mechanism for passing encrypted passwords instead. See Security for WLST in Understanding the WebLogic Scripting Tool.

Note that you can also use WLST from Java. The following example shows the source file of a Java program that sets the DebugSecuritySAMLAtn debugging attribute:

import weblogic.management.scripting.utils.WLSTInterpreter;

/**
 * Drives WLST from Java to set the DebugSecuritySAMLAtn attribute on the
 * ServerDebug MBean of the server named "myserver".
 */
public class SetSamlDebug {
    public static void main(String[] args) {
        try {
            // Clear-text credentials are shown only for clarity; the note above
            // about encrypted passwords applies here as well.
            String user = "user1";
            String pass = "pw12ab";
            String url = "t3://localhost:7001";

            // Each exec() call runs one WLST command, in the same order as debug.py.
            WLSTInterpreter interpreter = new WLSTInterpreter();
            interpreter.exec("connect('" + user + "','" + pass + "','" + url + "')");
            interpreter.exec("edit()");
            interpreter.exec("startEdit()");
            interpreter.exec("cd('Servers/myserver/ServerDebug/myserver')");
            interpreter.exec("set('DebugSecuritySAMLAtn','true')");
            interpreter.exec("save()");
            interpreter.exec("activate()");
            interpreter.exec("disconnect()");
        } catch (Exception e) {
            System.out.println("Exception " + e);
        }
    }
}
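As an added example (not from the Oracle documentation), the following WLST script extends the page's debug.py: it switches every registered SAML 1.1 or 2.0 debug attribute on or off for one server, reads the ServerDebug MBean back to confirm the result, and authenticates with the encrypted files created by storeUserConfig() instead of a clear-text password. The admin URL, the file paths, the script name saml_debug.py and the server name given on the command line are assumptions.

```python
# Added example, not part of the Oracle documentation.
# Usage:  java weblogic.WLST saml_debug.py <server> <1.1|2.0> <on|off>
# Credentials come from the files written by storeUserConfig(); the paths,
# the admin URL and the server name are assumptions for this example.
from __future__ import print_function
import sys

USER_CONFIG_FILE = '/home/oracle/.wlst/admin-WebLogicConfig.properties'  # assumption
USER_KEY_FILE = '/home/oracle/.wlst/admin-WebLogicKey.properties'        # assumption
ADMIN_URL = 't3://localhost:7001'                                        # assumption

# Registered debug attributes from Tables 24-1 and 24-2.
SAML_DEBUG_ATTRIBUTES = {
    '1.1': ['DebugSecuritySAMLAtn', 'DebugSecuritySAMLCredMap',
            'DebugSecuritySAMLLib', 'DebugSecuritySAMLService'],
    '2.0': ['DebugSecuritySAML2Atn', 'DebugSecuritySAML2CredMap',
            'DebugSecuritySAML2Lib', 'DebugSecuritySAML2Service'],
}


def saml_debug_attributes(version):
    """Attribute names registered for SAML '1.1' or '2.0'; ValueError otherwise."""
    if version not in SAML_DEBUG_ATTRIBUTES:
        raise ValueError('unknown SAML version: %s' % version)
    return list(SAML_DEBUG_ATTRIBUTES[version])


def server_debug_path(server):
    """Edit-tree path of the server's ServerDebug MBean."""
    return 'Servers/%s/ServerDebug/%s' % (server, server)


def is_true(value):
    """Normalise a WLST get() result (Java Boolean, Python bool or string) to bool."""
    return str(value).lower() == 'true'


def plan_changes(current, version, enabled):
    """Attributes whose current value (dict name -> bool, missing = False) differs from `enabled`."""
    return [a for a in saml_debug_attributes(version)
            if current.get(a, False) != enabled]


def set_saml_debug(server, version, enabled):
    """Switch the SAML debug attributes of `server` and read them back. WLST only."""
    # cd, get, set, startEdit, save, activate are WLST built-ins; they exist
    # only when this file runs under java weblogic.WLST.
    edit()
    cd(server_debug_path(server))
    current = dict((a, is_true(get(a))) for a in saml_debug_attributes(version))
    changes = plan_changes(current, version, enabled)
    if not changes:
        print('SAML %s debug already %s on %s' % (version, enabled and 'on' or 'off', server))
        return changes
    startEdit()
    for attr in changes:
        set(attr, enabled and 'true' or 'false')  # same string form the page's debug.py uses
    save()
    activate()  # debug attributes are dynamic: no restart needed
    for attr in changes:  # confirm what the server now reports
        print('%s = %s' % (attr, get(attr)))
    return changes


if __name__ == '__main__':
    if len(sys.argv) != 4 or sys.argv[3] not in ('on', 'off'):
        print('usage: java weblogic.WLST saml_debug.py <server> <1.1|2.0> <on|off>')
        sys.exit(2)
    connect(userConfigFile=USER_CONFIG_FILE, userKeyFile=USER_KEY_FILE, url=ADMIN_URL)
    set_saml_debug(sys.argv[1], sys.argv[2], sys.argv[3] == 'on')
    disconnect()
```

Create the two credential files once from an interactive WLST session that is already connected, with storeUserConfig('/home/oracle/.wlst/admin-WebLogicConfig.properties', '/home/oracle/.wlst/admin-WebLogicKey.properties'), and restrict their file permissions to the account that runs the script: the key file decrypts the configuration file, so together they are equivalent to the password. Running the script a second time with the same arguments is a no-op, which makes it safe to use both for turning debugging on while troubleshooting and for turning it off again afterwards.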

Sending Debug Messages to Standard Out

Messages for enabled debug attributes are written to the server log file. Optionally, you can also send them to standard out by setting the StdoutSeverity attribute of the LogMBean to Debug in the command that starts WebLogic Server, for example -Dweblogic.log.StdoutSeverity=Debug. Debug output from the SAML library and service scopes can include the contents of SAML requests, responses and assertions, so treat logs and console output produced while debugging is enabled as sensitive, and turn the attributes off once troubleshooting is complete. See Message Output and Logging in Command Reference for Oracle WebLogic Server.