How to trace the Liferay SAML 2.0 Provider EE plugin

Overview

This article outlines the logging configuration for tracing the Liferay SAML 2.0 Provider EE plugin (SAML plugin).

The SAML plugin enables Liferay Portal 6.2 EE to act as a SAML Service Provider (SP) or Identity Provider (IdP).

It is common to experience some bumps when initially configuring the SAML plugin for the role of SP or IdP.

The following logging configuration may assist with tracing SAML protocol behaviour and/or the SAML XML requests and responses exchanged between the SP and IdP.

The author has used this logging configuration to assist with tracing SAML XML messages in these scenarios:

S1/ Tracing between F5 BIG-IP Policy Access Manager (PAM) (acting as SAML IdP) and Liferay Portal (acting as SAML SP).

S2/ Tracing between Microsoft Active Directory Federation Services (ADFS) (acting as SAML IdP) and Liferay Portal (acting as SAML SP).

NOTE: Configuring the Liferay SAML 2.0 Provider EE plugin is outside the scope of this article.

NOTE: The Liferay SAML EE plugin uses the OpenSAML framework to process messages.

Logging Configuration

The following log4j logging configuration enables verbose logging of the SAML plugin and SAML XML request and response messages.

The log levels can be configured using the portal-log4j-ext.xml file and/or portal control panel.

NOTE: The log4j logging level ALL can result in very verbose log entries and large log files. Scale the logging level back to DEBUG or INFO to reduce the volume of log entries.

Portal Logging Configuration File

FILE: LIFERAY_HOME/tomcat/lib/ext/META-INF/portal-log4j-ext.xml

<?xml version="1.0"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="true">

. . . 

        <!-- Enable verbose logging for Liferay SAML EE plugin -->
        <category name="com.liferay.saml">
                <priority value="ALL" />
        </category>

        <!-- Enable verbose logging for OpenSAML framework -->
        <category name="org.opensaml">
                <priority value="ALL" />
        </category>

        <!-- Enable verbose logging for OpenSAML XML parsing -->
        <category name="PROTOCOL_MESSAGE">
                <priority value="ALL" />
        </category>

. . .

</log4j:configuration>

Portal Control Panel Logging Configuration

Sign in to the portal as an admin user.

Navigate to Control Panel > (Configuration) Server Administration > Log Levels.

Add or update the following log entries:

com.liferay.saml = ALL

org.opensaml = ALL

PROTOCOL_MESSAGE = ALL

Usage

Assuming we are using a Liferay Portal + Apache Tomcat bundle, we can monitor the SAML plugin (deployed to Liferay Portal) as follows:

% cd LIFERAY_HOME
% tail -f tomcat/logs/catalina.out
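Once PROTOCOL_MESSAGE is at ALL, each SAML message appears in catalina.out as one log4j entry followed by the pretty-printed XML. As an added example (not part of the original article or the Liferay plugin), the following Python script pulls those entries out of a log excerpt and summarizes the fields that matter most when an SP/IdP exchange fails: message type, Issuer, Destination, InResponseTo and status. The log line prefix and the SAML XML below are constructed samples; the real Liferay pattern layout may differ, so adjust LOG_LINE to match your portal-log4j-ext.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed catalina.out excerpt (assumed log4j layout, made-up minimal SAML XML).
SAMPLE_LOG = """\
10:15:01,001 DEBUG [http-bio-8080-exec-3][SamlSpAuthnRequestHandler:?] building request
10:15:01,002 DEBUG [http-bio-8080-exec-3][PROTOCOL_MESSAGE:?] <?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/saml/sso" ID="_req1">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.example.com</saml2:Issuer>
</saml2p:AuthnRequest>
10:15:02,500 DEBUG [http-bio-8080-exec-4][PROTOCOL_MESSAGE:?] <?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://portal.example.com/c/portal/saml/acs" InResponseTo="_req1" ID="_resp1">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:Response>
10:15:02,600 INFO  [http-bio-8080-exec-4][SamlSpSsoServlet:?] login complete
"""

LOG_LINE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} \w+ ")  # start of a log4j entry
PROTOCOL_TAG = "[PROTOCOL_MESSAGE:"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def extract_messages(log_text):
    """Return the XML text of every PROTOCOL_MESSAGE entry found in the log."""
    messages, current = [], None
    for line in log_text.splitlines():
        if LOG_LINE.match(line):          # a new log4j entry ends any open message
            if current is not None:
                messages.append("\n".join(current))
                current = None
            if PROTOCOL_TAG in line:      # XML starts after the "[PROTOCOL_MESSAGE:?] " tag
                current = [line.partition(PROTOCOL_TAG)[2].partition("] ")[2]]
        elif current is not None:         # continuation line of pretty-printed XML
            current.append(line)
    if current is not None:
        messages.append("\n".join(current))
    return messages


def summarize(xml_text):
    """Pick out the fields most useful when an SP/IdP exchange misbehaves."""
    root = ET.fromstring(xml_text)
    issuer = root.find(SAML + "Issuer")
    status = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    return {
        "type": root.tag.split("}")[1],           # AuthnRequest, Response, ...
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value").rsplit(":", 1)[1] if status is not None else None,
    }


if __name__ == "__main__":
    for message in extract_messages(SAMPLE_LOG):
        print(summarize(message))
```

Because PROTOCOL_MESSAGE at ALL writes complete assertions, including NameID and attribute values, into catalina.out, treat the log file as sensitive and scale the levels back once the trace is finished.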

