Documentation Index

Fetch the complete documentation index at: https://docs.lobster-world.com/llms.txt

Use this file to discover all available pages before exploring further.

How to debug SSO token claims

Prev Next

See also: SSO (Single Sign-On)

This guide explains how to inspect the SSO token returned by your identity provider. You use this to verify the claims and to debug field mapping issues.

When to use this guide

Use this guide when:

  • An SSO login fails with 'Login canceled' or a similar error.

  • A user logs in successfully but gets the wrong user account.

  • The field mappings do not seem to extract the claim values you expect.

The fastest way to inspect SSO claims:

  1. Capture the token from the OIDC callback in your browser.

  2. Decode the token in a JWT viewer such as jwt.io.

  3. Cross-check with the identity provider's sign-in logs.

The next sections describe each method in detail.

Method 1: Inspect the token in the browser

Browsers do not natively show JWT contents. You capture the token from the network traffic instead.

Steps:

  1. In your browser, open the developer tools, typically with F12.

  2. Switch to the Network tab. Check Preserve log.

  3. Trigger an SSO login on LDP.

  4. After the IdP redirects back to LDP, look for a request to the callback URL.

  5. The token appears as id_token or access_token. Look in the URL fragment, the query string, or the request body.

  6. Copy the token. It is a long string with two dots, in the format header.payload.signature.

  7. Paste the token in a JWT viewer such as jwt.io to decode the claims.

IMPORTANT  Do not paste production tokens into public web tools

A JWT contains identifying information about the user. Do not paste tokens from production users into public web tools. Use a local JWT viewer for sensitive tokens. Many code editors and command-line tools provide offline JWT decoding.

Method 2: Check the identity provider's sign-in logs

The identity provider records every authentication attempt. The IdP-side log shows which claims were issued.

For Azure (Entra ID):

  1. Open the Microsoft Azure portal.

  2. Go to Microsoft Entra ID → Sign-in logs.

  3. Find the failed or unexpected sign-in entry.

  4. Open the entry. The token details and issued claims appear under the relevant tabs.

For other identity providers, consult their admin console.

Method 3: Raise the log level in "Server logging"

The platform has a "Server logging" module. You can raise the log level for the SystemManager that handles authentication. This makes SSO-related entries easier to find in the logs.

Steps:

  1. Open Server logging.

  2. Go to the Log settings tab.

  3. Find the SystemManager that handles authentication.

  4. Raise its log level.

  5. Reproduce the SSO login.

  6. Inspect the resulting log entries.

  7. Reset the log level afterward to avoid log noise.

Method 4: Use Lobster "Support mode"

For deep troubleshooting, Lobster Support can provide a password for Support mode. This unlocks extended debug output.

Steps:

  1. Open About Lobster.

  2. Click Support mode.

  3. Enter the password provided by Lobster Support.

Use this method only when working with Lobster Support directly on a specific issue.

Related articles