Wish: Improve debug logging and troubleshooting documentation. #279

Open
aliaksander-samuseu opened this issue May 3, 2018 · 2 comments


aliaksander-samuseu commented May 3, 2018

Hi.

I'm dealing with a custom Passport SAML strategy which relies on the passport-saml lib. What puzzles me is that I don't see any way to find out what is happening under the hood of passport-saml when it does its job. If, for example, a SAML response comes in which it's not able to handle (for any reason), it just silently fails, triggering ambiguous error messages from the rest of the code. I have zero idea what the cause of the failure was in such a case.

When I check the sources of passport-saml I don't see that many logging instructions anyway. This is very strange as it makes troubleshooting virtually impossible, and imo should be a mandatory feature of any such piece of code.

Maybe I'm missing something? How is this problem usually tackled?


markstos commented Aug 3, 2018

A patch is welcome for an optionally enabled debug mode to improve logging. The debug module may help with this. A "Troubleshooting" or "Debugging" section could also be added to the README.

markstos changed the title from "Does this lib have any substantial logging functionality?" to "Wish: Improve debug logging and troubleshooting documentation." on Aug 3, 2018
@markstos

Starting with 0.35.0, released today, you can set DEBUG='passport-saml' in the environment to get more debug logging. Right now this only works for the validatePostResponse function, but a pull request is welcome to extend debug logging elsewhere. In 0.34.0, also released today, diagnostic messages were improved for the "Invalid Signature" cases; you can be certain which of the six invalid signature cases you triggered.

giladwolff pushed a commit to giladwolff/passport-saml that referenced this issue Dec 5, 2019
This commit improves the debug output by adding the SAML response ID to
the debug message and by exposing the validation errors from xml-crypto
in case signature validation fails.

Here are examples of the improved output:

passport-saml checkSignature failed for pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa. Validation errors: invalid signature: for uri #pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa calculated digest is 0AbCoTZl3NxNBiPUyucHk/7gay8= but the xml to validate supplies digest DCnPTQYBb1hKspbe6fg1U3q8xn4= +-2017d

passport-saml validatePostResponse for id "_6a377272c8662561acf1056274ef3f81" resulted in an error: Error: SAML provider returned Responder error: InvalidNameIDPolicy +1ms

Testing done:
ran 'DEBUG=passport-saml npm run-script test' successfully,
saw the expected output.
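
Added example (not part of the issue thread or of the passport-saml code base): a small Node.js triage script that parses the two debug-line shapes quoted in the commit message above and separates digest mismatches from IdP status errors. The regular expressions assume log lines shaped exactly like those two samples; `parseDebugLine` and `summarize` are hypothetical helper names.

```javascript
'use strict';

// Constructed sample input: the two debug lines quoted in the commit message.
const SAMPLE_LINES = [
  'passport-saml checkSignature failed for pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa. Validation errors: invalid signature: for uri #pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa calculated digest is 0AbCoTZl3NxNBiPUyucHk/7gay8= but the xml to validate supplies digest DCnPTQYBb1hKspbe6fg1U3q8xn4= +-2017d',
  'passport-saml validatePostResponse for id "_6a377272c8662561acf1056274ef3f81" resulted in an error: Error: SAML provider returned Responder error: InvalidNameIDPolicy +1ms',
];

// Patterns are assumptions derived only from those two sample lines.
const SIG_RE = /checkSignature failed for (\S+?)\. Validation errors: (.*)$/;
const DIGEST_RE = /for uri #(\S+) calculated digest is (\S+) but the xml to validate supplies digest (\S+)/;
const POST_RE = /validatePostResponse for id "([^"]*)" resulted in an error: (.*)$/;
const STATUS_RE = /SAML provider returned (\w+) error: (\S+)/;
const TIMER_RE = /\s\+-?\d+(\.\d+)?[a-z]+\s*$/i; // trailing "+1ms" style time delta

// Hypothetical helper: turn one debug line into a structured record, or null.
function parseDebugLine(line) {
  const body = line.replace(TIMER_RE, '');
  let m = SIG_RE.exec(body);
  if (m) {
    const rec = { kind: 'signature', responseId: m[1], detail: m[2] };
    const d = DIGEST_RE.exec(m[2]);
    if (d) {
      // The referenced element no longer hashes to the digest carried in the signature.
      Object.assign(rec, { kind: 'digest-mismatch', referenceUri: d[1],
        calculated: d[2], supplied: d[3], refMatchesId: d[1] === m[1] });
    }
    return rec;
  }
  m = POST_RE.exec(body);
  if (m) {
    const rec = { kind: 'validation-error', responseId: m[1], detail: m[2] };
    const s = STATUS_RE.exec(m[2]);
    // Status errors are reported by the IdP, not by local signature checking.
    if (s) Object.assign(rec, { kind: 'idp-status', statusTop: s[1], statusSub: s[2] });
    return rec;
  }
  return null; // not a line shape this script knows
}

// Hypothetical helper: count failures per kind so recurring causes stand out.
function summarize(lines) {
  const counts = {};
  for (const rec of lines.map(parseDebugLine).filter(Boolean)) {
    counts[rec.kind] = (counts[rec.kind] || 0) + 1;
  }
  return counts;
}

console.log(SAMPLE_LINES.map(parseDebugLine), summarize(SAMPLE_LINES));
```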