Useful Firefox SAML tool for debugging problems



By: ncashell

August 23, 2011 3:01 pm


When debugging the most common SAML setups with Novell Access Manager, the Authentication Request and the Authentication Response (including the assertion) are sent via the browser using the POST or Redirect profile. The browser's HTTP header output can be used to view these SAML requests and responses, but the content is both URL encoded and base64 encoded and therefore not very legible. An example output for an Authentication Response including the assertion would look like:

POST /nidp/saml2/spassertion_consumer HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: https://idp126.lab.novell.com:8443/nidp/saml2/sso?sid=0
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTbFXTV5/5.11.3.15590)
Host: windidp.lab.novell.com:8443
Content-Length: 8665
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=B6BF275DCED5C055FFC8E555B8C69B13; bb_lastvisit=1312903696; bb_lastactivity=0; bb_userid=7281; bb_ics_login=true

SAMLResponse=[URL-encoded, base64-encoded value omitted]&RelayState=MA%3D%3D

The SAMLResponse string includes the SAML response from the Identity server, which is typically an assertion about the user. It is possible to cut and paste this data and put it through a:

  1. URL decoder initially (e.g. http://www.opinionatedgeek.com/dotnet/tools/urlencode/Decode.aspx), and the output of the URL decoder into a
  2. base64 decoder (http://www.opinionatedgeek.com/dotnet/tools/base64decode/)

to get the contents of the Authentication Response, but this can be time-consuming and can also introduce unnecessary errors.
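The two-step decode described above, done locally so the assertion and its user attributes stay on the workstation; this is an added example, not code from the original post or from Novell. It also covers the Redirect profile, where the value is DEFLATE-compressed before base64 encoding; `decode_saml`, `summarize` and the sample message (hosts, dates, attribute values) are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(body_or_query: str) -> bytes:
    """Recover the XML from a POST body or a Redirect query string."""
    params = parse_qs(body_or_query)                  # step 1: URL-decode
    values = params.get("SAMLResponse") or params.get("SAMLRequest")
    if not values:
        raise ValueError("no SAMLResponse/SAMLRequest parameter found")
    raw = base64.b64decode(values[0], validate=True)  # step 2: base64-decode
    if raw[:1] == b"<":
        return raw                                    # POST profile: XML as-is
    return zlib.decompress(raw, -15)                  # Redirect profile: raw DEFLATE

def summarize(xml: bytes) -> dict:
    """Extract the fields usually checked when a federated login fails."""
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    cond = root.find(".//saml:Conditions", NS)
    return {
        "message": root.tag.split("}")[-1],
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "audiences": [a.text for a in root.iterfind(".//saml:Audience", NS)],
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.iterfind(".//saml:Attribute", NS)},
    }

# Constructed sample, not the response captured on this page; all values are made up.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="a1" Version="2.0"><saml:Conditions NotOnOrAfter="2030-01-01T00:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement><saml:Attribute Name="roles">'
    '<saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>authenticated</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
).encode()
POST_BODY = "SAMLResponse=" + quote(base64.b64encode(SAMPLE_XML), safe="") + "&RelayState=MA%3D%3D"
_deflate = zlib.compressobj(wbits=-15)
REDIRECT_QUERY = "SAMLResponse=" + quote(
    base64.b64encode(_deflate.compress(SAMPLE_XML) + _deflate.flush()), safe="")

if __name__ == "__main__":
    print(summarize(decode_saml(POST_BODY)))
```

Decoding only makes the message readable; it does not verify the XML signature on the response or assertion.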

A new SAML plugin for Firefox exists which has the ability to dump the decoded SAML communication protocol in a separate header, making it faster to troubleshoot and more legible. The plugin is available from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and when installed, provides a ‘SAML Tracer’ option under tools as shown below:

When this option is enabled, a separate Firefox ‘SAML Tracer’ window opens up and dumps all the HTTP requests in and out of the browser. It specifically scans the data for SAML requests and, when one is identified, an orange SAML tag is displayed on the right-hand side of the request.

In the example below, we have two SAML tags: the first for the Authentication Request from the browser to the SAML2 Identity Server, and the second for the Authentication Response from the SAML2 Identity Server to the SAML2 Service Provider via the browser.

By selecting the entry with the orange SAML tag, you will have the option to select the SAML tab in the lower window to display the contents of the SAML request or response. In the example below, I selected the initial SAML entry in the ‘SAML Tracer’ window, which was the SAML authentication request from my SAML2 Service Provider to the SAML2 Identity Server. Clicking on the SAML tab in the lower window displays the content of this SAML AuthnRequest.

The corresponding SAML Authentication Response including the assertion is shown below – note that the same info is available in the Identity Server log files when the DEBUG mode is set for SAML, but for security reasons we mask out the attribute values. With this tool, one can confirm the actual values being sent with the assertion.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

2 Comments

  1. By:jwilleke

    Thanks for the information. This will be quite helpful and save a lot of work to get the data via other methods.
    -jim

  2. By:cneeraj

    Neil,

    It’s a very useful tool for troubleshooting and debugging.
    Thanks for sharing this.

    -Neeraj
