07.17.2018

Troubleshooting Federation with Fiddler

Part 2 of 3 – Debug SAML 2.0 Federation Issues

In part one of our series on “Troubleshooting Federation with Fiddler”, we covered how to use Fiddler to debug WS-Federation issues. In part two we will cover how to use Fiddler to debug SAML 2.0 federation issues.

The basic flow of SAML 2.0 is:

  • The user requests access to a relying party
  • The user is redirected to the Identity Provider (IdP) with a SAML 2.0 authentication request
  • The user then authenticates at the IdP
  • A SAML 2.0 authentication response is then posted to the relying party

While the basic flow is the same as WS-Federation, SAML 2.0 is much more complicated, because the authentication request is an XML document rather than a set of URL parameters. Also, SAML 2.0 supports different methods of transporting the authentication request and response. These methods are called “Bindings”. The three most common bindings are POST, Redirect, and Artifact. The most common combination is for the authentication request to be passed using the Redirect Binding and the response to be returned using the POST Binding.

If you get an error on the authentication request to the IdP, capture a Fiddler trace reproducing the issue. Then look for a GET request to the IdP with the following URL parameters:

  • SAMLRequest – encoded SAML 2.0 Authentication Request XML
  • SigAlg – XML Digital Signature Algorithm (optional)
  • Signature – XML Digital Signature (optional)

Unlike WS-Federation, the SAML 2.0 authentication request is an XML document that is compressed and base64-encoded. Fortunately, Fiddler can easily decode this for you and show you the XML document. Simply right click on the SAMLRequest value and select “Send to TextWizard.” That will bring up the Fiddler TextWizard window. If you don’t see XML, make sure the Transform: drop down in the middle is set to “From DeflatedSAML”.

[Screenshot: How to debug SAML 2.0 federation issues with Fiddler]

Check the following:

  • Make sure the request Issuer value matches the relying party URI configured in the IdP.
  • Make sure the Destination attribute matches the IdP SSO endpoint.

The SAML 2.0 response is an HTTP POST request with the following form data. You can see the form data by selecting the line in the request list and then going to the Inspectors -> Web Forms tab. The form data for the SAML 2.0 authentication response is:

  • SAMLResponse – encoded SAML 2.0 response

The SAMLResponse value is base64 encoded. Fiddler can easily decode this for you and show you the XML document. Simply right click on the SAMLResponse value and select “Send to TextWizard …” That will bring up the Fiddler TextWizard window. If you don’t see XML, make sure the Transform: drop down in the middle is set to “From Base64”.

[Screenshot: How to troubleshoot SAML 2.0 with Fiddler]

From the SAML 2.0 response XML, validate the following:

  • Make sure the IdP URI matches the value configured on the relying party. This value can be found in the SAML 2.0 response XML Issuer element.
  • Make sure the signing certificate matches the signing certificate configured on the relying party. The signing certificate can be found in the Response XML in the Certificate element under the Signature element.
  • Make sure the assertion audience matches the relying party URI. The assertion audience can be found in the Audience element of the assertion.
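The same decoding Fiddler's TextWizard does for the SAMLRequest (DEFLATE plus base64) and the SAMLResponse (base64), followed by the Issuer, Destination, certificate and Audience checks listed above, as an added Python example that is not part of the original article or of any Optimal IdM tool. The URIs, the certificate value and the sample request and response are constructed placeholders; the element paths assume a standard SAML 2.0 AuthnRequest and Response.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml_request(redirect_url):
    """Redirect binding: SAMLRequest is URL-encoded base64 of raw-DEFLATE'd XML."""
    raw = base64.b64decode(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))  # -15: raw deflate, no zlib header
    return {"Issuer": root.findtext("saml:Issuer", namespaces=NS),
            "Destination": root.get("Destination")}

def decode_saml_response(form_value):
    """POST binding: SAMLResponse is plain base64 of the Response XML."""
    root = ET.fromstring(base64.b64decode(form_value))
    return {"Issuer": root.findtext("saml:Issuer", namespaces=NS),
            "Certificate": root.findtext(".//ds:X509Certificate", namespaces=NS),
            "Audience": root.findtext(".//saml:Audience", namespaces=NS)}

def find_mismatches(req, resp, rp_uri, idp_sso, idp_uri, idp_cert):
    """Apply the article's five checks against the configured values; list the failures."""
    checks = {"request Issuer != RP URI": req["Issuer"] != rp_uri,
              "request Destination != IdP SSO endpoint": req["Destination"] != idp_sso,
              "response Issuer != IdP URI": resp["Issuer"] != idp_uri,
              "signing certificate != configured certificate": resp["Certificate"] != idp_cert,
              "assertion Audience != RP URI": resp["Audience"] != rp_uri}
    return [name for name, failed in checks.items() if failed]

# Constructed sample traffic with placeholder URIs and certificate (not a real capture).
REQUEST_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
               'Destination="https://idp.example.com/sso"><saml:Issuer>https://rp.example.com</saml:Issuer></samlp:AuthnRequest>')
RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_p1" Version="2.0">'
                '<saml:Issuer>https://idp.example.com</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>'
                '<ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
                '<saml:Assertion><saml:Conditions><saml:AudienceRestriction><saml:Audience>https://rp.example.com</saml:Audience>'
                '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def encode_redirect_url(xml):
    """Build the Redirect-binding URL the way a relying party would (deflate, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    return "https://idp.example.com/sso?SAMLRequest=" + quote(base64.b64encode(data).decode(), safe="")

SAMPLE_URL = encode_redirect_url(REQUEST_XML)                        # the GET you would see in Fiddler
SAMPLE_RESPONSE = base64.b64encode(RESPONSE_XML.encode()).decode()   # the SAMLResponse form field
```

To use it on a real trace, paste the full GET URL from Fiddler into decode_saml_request and the SAMLResponse value from the Web Forms tab into decode_saml_response, then pass the results and your configured values to find_mismatches.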

In the third and final installment of our Fiddler series, we will cover how to use Fiddler to debug OAuth 2.0 and OpenID Connect federation issues. To learn more about how Optimal IdM can help with your authorization and authentication issues, contact us today.