Environment

• EDR Server: All Versions
• SSO/SAML

Question

• How can verbose debugging for SSO/SAML be enabled?

Answer

• Verbose Debugging can be enabled with the following steps:
  1. Make a copy of the coreservices-logger.conf

     cp /etc/cb/coreservices-logger.conf /etc/cb/coreservices-logger.orig

  2. Open the /etc/cb/coreservices-logger.conf file
  3. Append cb.flask.blueprints.api_routes_saml to the list of keys under [loggers] section: 

     [loggers]
     keys=root, gunicorn.access, cb.flask.blueprints.api_routes_saml, saml2

  4. Copy/paste the following snippet anywhere below in the logger configuration file: 

     [logger_cb.flask.blueprints.api_routes_saml] 
     level=DEBUG 
     handlers=debug_syslog 
     qualname=cb.flask.blueprints.api_routes_saml 
     propagate=1
     

  5. Then copy and past the following below that: 

     [logger_saml2]
     level=DEBUG
     handlers=debug_syslog
     propagate=0
     qualname=saml2

  6. Save the file. cb-coreservices will automatically re-read the logger configuration after a few minutes (no need to restart). You can verify the change in /var/log/cb/coreservices/debug.log when you swap over to debug level: 

     tail -f /var/log/cb/coreservices/debug.log
     2017-02-28 09:04:36 [2420] <warning> cb.utils.cb_logging - Detected new logger config, '/etc/cb/coreservices-logger.conf'. reloading...

  7. Reproduce your authentication issue. Subsequent attempts to login via SSO/SAML (either IdP or SP initiated) will now be logged with increased verbosity.
  8. Restore the original file

     mv /etc/cb/coreservices-logger.conf /etc/cb/coreservices-logger.conf.sso ; mv /etc/cb/coreservices-logger.conf.orig /etc/cb/coreservices-logger.conf

Additional Notes

• Restart is NOT required. cb-coreservices will automatically re-read the logger configuration after a few minutes
• If copying and pasting, verify there are no hidden characters at the end of the added lines by running "cat -A /etc/cb/coreservices-logger.conf"

Related Content