Part 2 of 3 – Debug SAML 2.0 Federation Issues
In part one of our series on “Troubleshooting Federation with Fiddler”, we covered how to use Fiddler to debug WS-Federation issues. In part two we will cover how to use Fiddler to debug SAML 2.0 federation issues.
The basic flow of SAML 2.0 is:
- The user requests an access to a relying party
- The user is redirected to the Identity Provider (IdP) with a SAML 2.0 authentication request
- The user then authenticates at the IdP
- A SAML 2.0 authentication response is then posted to the relying party
While the basic flow is the same as WS-Federation, SAML 2.0 is much more complicated, because the authentication request is an XML document rather than a set of URL parameters. Also, SAML 2.0 supports different methods of transporting the authentication request and response. These methods are called “Bindings”. The three most common bindings are POST, Redirect, and Artifact. The most common combination is for the authentication request to be passed using the Redirect Binding and the response to be returned using the POST Binding.
If you get an error on the authentication request to the IdP, capture a Fiddler trace reproducing the issue. Then look for a GET request to the IdP with the following URL parameters:
- SAMLRequest – encoded SAML 2.0 Authentication Request XML
- SigAlg – XML Digital Signature Algorithm (optional)
- Signature – XML Digital Signature (optional)
Unlike WS-Federation, the SAML 2.0 authentication request is an XML document that is compressed and encoded. Fortunately, Fiddler can easily decode this for you and show you the XML document. Simply right click on the SAMLRequest value and select “Send to TextWizard.” That will bring up the Fiddler TextWizard window. If you don’t see XML, make sure the Transform: drop down in the middle is set to “From DeflatedSAML”.
Check the following:
- Make sure the request Issuer value matches the relying party URI configured in the IdP.
- Make sure the Destination attribute matches the IdP SSO endpoint.
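The decoding Fiddler's “From DeflatedSAML” transform performs (base64, then raw DEFLATE) and the two checks above can also be scripted, which is handy when you have to go through many captured requests. The following is an added example written for this article, not code from the original post or from Optimal IdM; the hosts, request ID and URIs in it are constructed placeholders, and the fallback to plain base64 covers IdPs that receive the request un-deflated (the “From Base64” case).

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces needed to locate elements in the decoded XML
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest: the ID, hosts and timestamp are made up for this example.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-req-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://rp.example.com/acs">'
    '<saml:Issuer>https://rp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_saml_request(xml_text: str) -> str:
    """Build a SAMLRequest query value the way the Redirect binding sends it:
    raw DEFLATE (no zlib header), then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw deflate stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_saml_request(redirect_url: str) -> str:
    """Recover the AuthnRequest XML from a Redirect-binding URL, mirroring Fiddler's
    "From DeflatedSAML" transform. Falls back to plain base64 if the value is not deflated."""
    query = urllib.parse.urlparse(redirect_url).query
    params = urllib.parse.parse_qs(query)  # parse_qs already URL-decodes the value
    raw = base64.b64decode(params["SAMLRequest"][0])
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")  # not deflated: the base64 wrapped the XML directly


def check_authn_request(xml_text: str, expected_issuer: str, expected_destination: str) -> list:
    """Apply the two checks from the article. Returns a list of mismatches; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match relying party URI {expected_issuer!r}")
    destination = root.get("Destination", "")
    if destination != expected_destination:
        problems.append(f"Destination {destination!r} does not match IdP SSO endpoint {expected_destination!r}")
    return problems


if __name__ == "__main__":
    # Paste the real URL from Fiddler here; the sample below is constructed.
    url = "https://idp.example.com/sso?SAMLRequest=" + encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
    decoded = decode_saml_request(url)
    print(decoded)
    print(check_authn_request(decoded, "https://rp.example.com", "https://idp.example.com/sso"))
    print(check_authn_request(decoded, "https://rp.example.com", "https://idp.example.com/other"))
```

Copy the full redirect URL from the Fiddler session into `decode_saml_request` and pass the relying party URI and IdP SSO endpoint from your IdP configuration to `check_authn_request`; any string in the returned list is a misconfiguration to fix on one side or the other.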
The SAML 2.0 response is an HTTP POST request carrying form data. You can see the form data by selecting the line in the request list and then going to the Inspectors -> Web Forms tab. The form data for the SAML 2.0 authentication response is:
- SAMLResponse – encoded SAML 2.0 response
The SAMLResponse value is base64 encoded. Fiddler can easily decode this for you and show you the XML document. Simply right click on the SAMLResponse value and select “Send to TextWizard …” That will bring up the Fiddler TextWizard window. If you don’t see XML, make sure the Transform: drop down in the middle is set to “From Base64”.
From the SAML 2.0 response XML validate the following:
- Make sure the IdP URI matches the value configured on the relying party. This value can be found in the SAML 2.0 response XML Issuer element.
- Make sure the signing certificate matches the signing certificate configured on the relying party. The signing certificate can be found in the Response XML in the Certificate element under the Signature element.
- Make sure the assertion audience matches the relying party URI. The assertion audience can be found in the Audience element of the assertion.
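The same three response checks can be scripted against the form body you see in the Web Forms tab. This is an added example written for this article, not code from the original post or from Optimal IdM. It assumes the certificate sits in the standard `ds:X509Certificate` element of the XML Signature's KeyInfo and compares it by SHA-1 thumbprint, which is how a relying party's configuration usually lists its IdP certificate; the response XML, IDs, hosts and certificate bytes are constructed placeholders, not a real IdP's output.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the DER bytes of the IdP signing certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")

# Constructed sample Response: signature value, IDs, hosts and timestamps are made up.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example-resp-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:05Z" Destination="https://rp.example.com/acs">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>'
    f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<saml:Assertion ID="_example-assert-1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://rp.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>'
)


def build_post_form_body(xml_text: str, relay_state: str = "") -> str:
    """Form body as the IdP's auto-submitting POST form sends it (used to build the sample)."""
    fields = {"SAMLResponse": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return urllib.parse.urlencode(fields)


def decode_saml_response(form_body: str) -> str:
    """Recover the Response XML from a POST-binding form body (Fiddler's "From Base64")."""
    params = urllib.parse.parse_qs(form_body)
    return base64.b64decode(params["SAMLResponse"][0]).decode("utf-8")


def cert_thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, upper-case hex as a certificate store shows it."""
    der = base64.b64decode("".join(cert_b64.split()))  # X509Certificate text is often line-wrapped
    return hashlib.sha1(der).hexdigest().upper()


def check_saml_response(xml_text: str, expected_idp_issuer: str,
                        expected_thumbprint: str, expected_audience: str) -> list:
    """Apply the three checks from the article. Returns a list of mismatches; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_idp_issuer:
        problems.append(f"Response Issuer {issuer!r} does not match IdP URI {expected_idp_issuer!r}")
    # A Signature may be on the Response, the Assertion, or both; check every embedded certificate.
    certs = [(c.text or "") for c in root.iterfind(".//ds:X509Certificate", NS)]
    if not certs:
        problems.append("no X509Certificate element found under any Signature")
    for cert in certs:
        thumb = cert_thumbprint(cert)
        if thumb != expected_thumbprint.upper():
            problems.append(f"signing certificate thumbprint {thumb} does not match {expected_thumbprint.upper()}")
    audiences = [(a.text or "").strip() for a in root.iterfind(
        ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not contain relying party URI {expected_audience!r}")
    return problems


if __name__ == "__main__":
    # Paste the raw form body from Fiddler's Web Forms tab here; the sample is constructed.
    body = build_post_form_body(SAMPLE_RESPONSE, "state-1")
    xml_text = decode_saml_response(body)
    print(check_saml_response(xml_text, "https://idp.example.com",
                              cert_thumbprint(FAKE_CERT_B64), "https://rp.example.com"))
```

If the response carries an `EncryptedAssertion` instead of a plain `Assertion`, the audience is not visible in Fiddler or to this script; in that case confirm the IdP issuer and certificate from the response-level elements and check the audience in the relying party's own logs after it decrypts the assertion.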
In the third and final installment of our Fiddler series, we will cover how to use Fiddler to debug OAuth 2.0 and OpenID Connect federation issues. To learn more about how Optimal IdM can help with your authorization and authentication issues, contact us today.