Useful Firefox SAML tool for debugging problems
When debugging the most common SAML setups with Novell Access Manager, the Authentication Request and the Response (including the assertion) are sent through the browser using the POST or Redirect profile. The HTTP header output in the browser can be used to view these SAML requests and responses, but the content is both URL-encoded and base64-encoded and therefore not very legible. An example of the output for an Authentication Response including the assertion looks like this:
POST /nidp/saml2/spassertion_consumer HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: https://idp126.lab.novell.com:8443/nidp/saml2/sso?...
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTbFXTV5/5.11.3.15590)
Host: windidp.lab.novell.com:8443
Content-Length: 8665
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=B6BF275DCED5C055FFC8E555B8C69B13; bb_lastvisit=1312903696; bb_lastactivity=0; bb_userid=7281; bb_ics_login=true

SAMLResponse=[...]%2BPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiBJRD0iaWRROVVaazVzMm1WR0lKWmpwUjRnZ0ZIRndPNnMiIElzc3VlSW5zdGFudD0iMjAxMS0wOC0xMVQxMzoyODozNVoiIFZlcnNpb249IjIuMCI%2BPHNhbWw6SXNzdWVyPmh0dHBzOi8vaWRwMTI2LmxhYi5ub3ZlbGwuY29tOjg0NDMvbmlkcC9zYW1sMi9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPENhbm9uaWNhbGl6YXRpb25NZXRob2QgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWRROVVaazVzMm1WR0lKWmpwUjRnZ0ZIRndPNnMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM%2BPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh
0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8%2BPERpZ2VzdFZhbHVlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj5IN2xVT3lmNjZwcTcveWJ4ZG9OK3VvZGkrL0k9PC9EaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%2BPFNpZ25hdHVyZVZhbHVlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KUk1MaHZnKzVSekxGQ2s2NFh5RWlCbXBXeUhLNGY0cCt5VWdMRnhUbE8wWnorZUhMdGpJM0QxOXM3aitKNWEvOWFic3d4YUxJR3VDbwpCbTE1MEc2YWJyeGx5eFRxYjQreGVrWFVNTGR3ZkdlK3FrWVczZ3NOYXk4MzZ5THVkQzdMUkJGNS9uQlhPYUhnZ2w2Qm5DcVY2OGh1ClZjUzBtQWhVUGU5a2xySGtNZU09CjwvU2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%[...]%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJpZFVPaTZjaC45ME9LWnZmOFhVdlF1MGJOVmtjbyIgTm90T25PckFmdGVyPSIyMDExLTA4LTExVDEzOjMzOjM1WiIgUmVjaXBpZW50PSJodHRwczovL3dpbmRpZHAubGFiLm5vdmVsbC5jb206ODQ0My9uaWRwL3NhbWwyL3NwYXNzZXJ0aW9uX2NvbnN1bWVyIi8%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24%2BPC9zYW1sOlN1YmplY3Q%2BPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTEtMDgtMTFUMTM6MjM6MzVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTEtMDgtMTFUMTM6MzM6MzVaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vd2luZGlkcC5sYWIubm92ZWxsLmNvbTo4NDQzL25pZHAvc2FtbDIvbWV0YWRhdGE8L3NhbWw6QXVkaWVuY2U%2BPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sOkNvbmRpdGlvbnM%2BPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA4LTExVDEzOjI4OjM0WiIgU2Vzc2lvbkluZGV4PSJpZFE5VVprNXMybVZHSUpaanBSNGdnRkhGd082cyI%2BPHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjxzYW1sOkF1dGhuQ29udGV4dERlY2xSZWY%2Bc2VjdXJlL25hbWUvcGFzc3dvcmQvdXJpPC9zYW1sOkF1dGhuQ29udGV4dERlY2xSZWY%2BPC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ%2BPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3R
hbmNlIiBOYW1lPSIvVXNlckF0dHJpYnV0ZVtAbGRhcDp0YXJnZXRBdHRyaWJ1dGU9JnF1b3Q7Y24mcXVvdDtdIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVkIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI%2BbmNhc2hlbGw8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgTmFtZT0iR3JlZXRpbmciIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5Ib3dheWE8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgeG1sbnM6eHNkPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgTmFtZT0ibGRhcG1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5uY2FzaGVsbEBub3ZlbGwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIE5hbWU9InJvbGVzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI%2BZ2Vlazwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHNkOnN0cmluZyI%2BTlRTPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5hdXRoZW50aWNhdGVkPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIE5hbWU9ImN1c3Rfc3RyaW5nXzEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4c2Q6c3RyaW5nIj5uY2FzaGVsbEBub
3ZlbGwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B&RelayState=MA%3D%3D
The SAMLResponse string carries the SAML Response from the Identity Server, which is typically an assertion about the user. It is possible to cut and paste this data and put it through:
- a URL decoder first (e.g. http://www.opinionatedgeek.com/dotnet/tools/urlencode/Decode.aspx), and then the output of the URL decoder into
- a base64 decoder (http://www.opinionatedgeek.com/dotnet/tools/base64decode/)
to get the contents of the Authentication Response, but this is time consuming and can also introduce unnecessary errors.
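The two-step decode above, done in code so it can be repeated without copy-and-paste errors. This is an added example, not the article's or the SAML Tracer add-on's code. It goes a little beyond the list: it also handles the Redirect profile (where the message is DEFLATE-compressed before base64 and URL encoding), pulls out the fields that are usually checked first when SSO fails (issuer, status, InResponseTo, validity window, audience, recipient, whether a signature is present, attributes), and can mask attribute values the way a log would. The sample AuthnRequest and Response, the example.test host names and all attribute values are constructed placeholders; the functions and parameter names are this example's own.

```python
"""Decode and summarize a browser-captured SAML 2.0 message (added example, not
the article's or SAML Tracer's code). Handles the HTTP-POST binding (form field =
URL-encoded base64 XML) and the HTTP-Redirect binding (query parameter =
URL-encoded base64 of raw-DEFLATE XML). All messages, hosts and values are
constructed placeholders."""
import base64
import zlib
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed AuthnRequest (SP -> IDP) and unsigned Response (IDP -> SP).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-req-1" Version="2.0"
 IssueInstant="2011-08-11T13:28:30Z" Destination="https://idp.example.test/nidp/saml2/sso">
 <saml:Issuer>https://sp.example.test/nidp/saml2/metadata</saml:Issuer></samlp:AuthnRequest>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1" Version="2.0"
 IssueInstant="2011-08-11T13:28:35Z" InResponseTo="id-req-1">
 <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="id-assert-1" Version="2.0" IssueInstant="2011-08-11T13:28:35Z">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>_placeholder-nameid</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="id-req-1" NotOnOrAfter="2011-08-11T13:33:35Z"
     Recipient="https://sp.example.test/nidp/saml2/spassertion_consumer"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2011-08-11T13:23:35Z" NotOnOrAfter="2011-08-11T13:33:35Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="roles"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>authenticated</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""


def encode_post_body(xml_text, param="SAMLResponse", relay_state=None):
    """Build the form body a browser posts: base64 of the XML, then form-URL-encoded."""
    fields = {param: base64.b64encode(xml_text.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def encode_redirect_url(xml_text, endpoint, param="SAMLRequest"):
    """Build a Redirect-binding URL: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return endpoint + "?" + urlencode({param: base64.b64encode(deflated).decode()})


def extract_saml(captured):
    """Reverse the browser encoding of a POST body or a redirect URL: parse_qs does
    the URL-decoding (%2B -> '+'), then base64, then inflate for Redirect."""
    redirect = captured.startswith(("http://", "https://"))
    params = parse_qs(urlsplit(captured).query if redirect else captured)
    for key in ("SAMLResponse", "SAMLRequest"):
        if key in params:
            raw = base64.b64decode(params[key][0])
            if redirect:
                raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
            return key, raw.decode("utf-8")
    raise ValueError("no SAMLRequest/SAMLResponse parameter found")


def summarize(xml_text, mask_values=False):
    """Fields most often at fault in a failed SSO; mask_values mimics a masked log."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    status = root.find(".//samlp:StatusCode", NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = ["***"] * len(values) if mask_values else values
    return {
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "in_response_to": root.get("InResponseTo"),
        "signed": root.find(".//ds:Signature", NS) is not None,
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "audience": root.findtext(".//saml:Audience", default=None, namespaces=NS),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "attributes": attrs,
    }


def check_validity_window(summary, now_iso):
    """Time-window problems an SP would raise at UTC instant now_iso
    (e.g. '2011-08-11T13:30:00Z'); IDP/SP clock skew is a common cause."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_iso, fmt)
    problems = []
    if summary["not_before"] and now < datetime.strptime(summary["not_before"], fmt):
        problems.append("NotBefore is in the future: not yet valid")
    if summary["not_on_or_after"] and now >= datetime.strptime(summary["not_on_or_after"], fmt):
        problems.append("NotOnOrAfter has passed: expired")
    return problems


if __name__ == "__main__":
    param, xml_text = extract_saml(encode_post_body(SAMPLE_RESPONSE, relay_state="MA=="))
    print(param, summarize(xml_text, mask_values=True))
    print(check_validity_window(summarize(xml_text), "2011-08-11T13:40:00Z"))
```

To use it on a real capture, pass the raw POST body (the text after the blank line in the header dump, starting with `SAMLResponse=`) or the full redirect URL to `extract_saml`; the output of `summarize` with `mask_values=False` is the same information the tool's SAML tab shows, and `check_validity_window` with the time the Service Provider received the message tells you straight away whether a rejected assertion was a clock-skew problem.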
A SAML plugin for Firefox exists which can dump the decoded SAML messages in a separate window, making troubleshooting faster and the output more legible. The plugin is available from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and, once installed, provides a 'SAML Tracer' option under Tools, as shown below:
When this option is enabled, a separate Firefox 'SAML Tracer' window opens and logs all HTTP requests in and out of the browser. It specifically scans the data for SAML messages, and when one is identified, an orange SAML tag is displayed on the right-hand side of the request.
In the example below, we have two SAML tags: the first for the Authentication Request from the browser to the SAML2 Identity Server, and the second for the Authentication Response from the SAML2 Identity Server to the SAML2 Service Provider via the browser.
By selecting the entry with the orange SAML tag, you have the option to select the SAML tab in the lower window to display the contents of the SAML request or response. In the example below, I selected the initial SAML entry in the 'SAML Tracer' window, which was the SAML authentication request from my SAML2 Service Provider to the SAML2 Identity Server. Clicking on the SAML tab in the lower window displays the content of this SAML AuthnRequest.
The corresponding SAML Authentication Response including the assertion is shown below. Note that the same information is available in the Identity Server log files when DEBUG mode is set for SAML, but for security reasons the attribute values are masked out there. With this tool, one can confirm the actual values being sent with the assertion.