How to enable logging of OpenID claims including values in TIBCO Spotfire Server.


Article ID: KB0075302


Products: Spotfire Server
Versions: 10.9 and higher

Description

Because OpenID claims likely contain personal data (PII) and may contain other security-sensitive information, they are not logged by default in the TIBCO Spotfire Server server.log. In versions prior to TIBCO Spotfire Server 10.9, if TRACE logging is enabled, Spotfire logs the names of the available claims in OpenID Connect ID tokens and UserInfo endpoint responses.

To find the supported claims in the identity provider that can be used in the TIBCO Spotfire Server OpenID configuration, refer to KB 000041759, "How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration".

Resolution

To aid in setup and troubleshooting, it is now possible to enable logging of claims, including their values, by setting the security.oidc.log-claim-values configuration property to true (the default is false). Follow the steps below to enable logging of the claim values:
  1. Export the current server configuration using the CLI command export-config.
    >config.bat export-config
  2. Run the following command to enable logging of claims including values.
    >config.bat set-config-prop --name=security.oidc.log-claim-values --value=true
  3. Import the configuration back into the database using the import-config command.
    >config.bat import-config -c "Enabled logging of Claims values"
  4. Restart the Spotfire Server service.
     

Issue/Introduction

This article explains how to enable logging of the values of the supported OpenID claims for troubleshooting purposes when OpenID Connect authentication is used together with a Database/LDAP user directory.

Additional Information

KBA: 000041759 How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration
Doc: export-config
Doc: import-config