
SAML2 Toolkit - WSO2 Identity Server 5.0

When you try to configure SAML2-based Web SSO, have you ever hoped there was an easy way to identify what you have missed or done wrong on either the Identity Provider (IdP) side or the Service Provider (SP) side? Then you should try the SAML Toolkit feature that comes with WSO2 Identity Server 5.0.0.

This toolkit consists of two modules:
  • SAML2 Request Validator - validates an SP-initiated SAML2 AuthnRequest
  • SAML2 Response Builder - generates a SAML2 Response for a selected SAML2 Web SSO configuration

Let's try this tool.

First, download WSO2 Identity Server 5.0.0 and follow the "Getting Started" section to run the product. If you have followed the instructions correctly, you should be able to access the server at https://localhost:9443/carbon.

Once you have logged in to the server, you can find the required tools under Main > Tools > SAML.

Figure 1: SAML Toolkit Section

SAML Request Validator

Once you click the "SAML Request Validator" link, the following view appears:

Figure 2: SAML2 Request Validator UI




Before starting the validation, you have to specify the request binding the SP used to initiate the request. This is either HTTP POST or HTTP Redirect; you can find it in your SP-side configuration.

Then provide the SAML2 request. For HTTP POST binding you can extract the request with a Firefox add-on such as SAML Tracer, or with the built-in developer tools of most web browsers. In both cases you will find the SAML request in the form data as "SAMLRequest=IZfhfReBEadHHLl....". Copy and paste only the encoded request (without the "SAMLRequest=" part) into the given text area.

If the binding is HTTP Redirect, you can also get the SAML request from the developer tools, but here you have to copy the whole URL instead of the encoded request. This is required because the "SigAlg" and "Signature" parameters, which are used in the validation, are also carried in the URL. The URL should have a format similar to
"https://localhost:9443/samlsso?SAMLRequest=jZLRjqowEIZfhfReBEXRR...".

Since the Issuer can be extracted from the SAML request, there is no need to specify the SAML Web SSO configuration against which the validation is done. The toolkit automatically selects the appropriate configuration using the Issuer value.

Finally, click the "Validate" button to get the validation results. The results are displayed as steps, each indicating whether the request passed or failed that step:
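The two extraction paths described above, as an added Python example that is not part of the original post or of the toolkit: it decodes a POST-binding form value (with or without the "SAMLRequest=" prefix), decodes a Redirect-binding URL and rebuilds the octet string the SP signed (which is why the whole URL is needed), and pulls out the Issuer the toolkit uses to pick the configuration. The AuthnRequest, RelayState and Signature values are constructed placeholders, and the RSA signature itself is not verified here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_post_request(form_value):
    """HTTP POST binding: plain base64 of the XML. Accepts the bare value or the whole
    'SAMLRequest=...' form field, since the toolkit wants the value without that prefix."""
    b64 = form_value.split("=", 1)[1] if form_value.startswith("SAMLRequest=") else form_value
    return base64.b64decode(b64).decode("utf-8")

def decode_redirect_request(url):
    """HTTP Redirect binding: SAMLRequest is base64 of a raw DEFLATE stream, and the SP's
    signature covers the URL-encoded query, which is why the whole URL must be supplied."""
    raw = {}
    for part in urlsplit(url).query.split("&"):
        key, _, val = part.partition("=")
        raw[key] = val                              # keep values URL-encoded as the SP sent them
    deflated = base64.b64decode(unquote(raw["SAMLRequest"]))
    xml = zlib.decompress(deflated, -15).decode("utf-8")   # -15: raw DEFLATE, no zlib header
    # Octet string the SP signed (SAML 2.0 Bindings 3.4.4.1): SAMLRequest, RelayState if present,
    # SigAlg, in that order, values still URL-encoded. Verifying Signature over it is not done here.
    signed = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)
    return xml, signed, unquote(raw["Signature"]) if "Signature" in raw else None

def extract_issuer(authn_request_xml):
    """Issuer value that the toolkit uses to pick the matching SAML Web SSO configuration."""
    issuer = ET.fromstring(authn_request_xml).find(f"{{{SAML_NS}}}Issuer")
    return issuer.text.strip() if issuer is not None and issuer.text else None

# Constructed sample AuthnRequest; "example-sp" is a placeholder Issuer, not a real SP.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0" IssueInstant="2014-11-01T10:00:00Z">'
    '<saml:Issuer>example-sp</saml:Issuer></samlp:AuthnRequest>'
)

def sample_post_value(xml=SAMPLE_XML):
    """Form field as an SP would POST it (constructed input for the decoder above)."""
    return "SAMLRequest=" + base64.b64encode(xml.encode("utf-8")).decode("ascii")

def sample_redirect_url(xml=SAMPLE_XML, relay_state="constructed-state"):
    """Redirect URL as an SP would build it; Signature is a placeholder, not a real RSA value."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(co.compress(xml.encode("utf-8")) + co.flush()).decode("ascii")
    return ("https://localhost:9443/samlsso?SAMLRequest=" + quote(b64, safe="")
            + "&RelayState=" + quote(relay_state, safe="")
            + "&SigAlg=" + quote("http://www.w3.org/2000/09/xmldsig#rsa-sha1", safe="")
            + "&Signature=" + quote("placeholder-signature", safe=""))
```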

Figure 3: Results After Validation


Using this information, the user can identify the exact place in the configuration to look at and fix it using the expected value.


SAML Response Builder

Clicking "SAML Response Builder" in Figure 1 gives the following view:

Figure 4: SAML Response Builder View

This feature allows you to build a valid response against a selected SAML2 Web SSO configuration. All Issuers available in the configurations are listed in the Issuer drop-down, so you can select the required configuration by selecting its Issuer. A user name is also required, since that user's profile is used during response generation.

When you click the "Generate" button, the Response Builder generates the response using the provided data and displays it both as XML and in encoded format, as follows.


The user can verify the configuration from the returned response by looking at the XML. Some web sites, such as Salesforce, also provide a facility to validate the encoded response against the SP configuration, so you can use the returned encoded response there to identify issues in the configuration. Using the information provided by this tool, the user can modify the configuration on the IdP side or the SP side accordingly to get the desired result.
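As an added example of what to look for in the returned response (not code from the post or the product), this Python decodes the builder's encoded output and compares the values an SP checks against its configuration. The sample Response and the sp_config key names (acs_url, issuer, idp_entity_id, nameid_format) are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def summarize_response(encoded_response):
    """Decode the builder's base64 output and collect the values the SP side will check."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "StatusCode": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "Destination": root.get("Destination"),                  # must equal the SP's ACS URL
        "Issuer": root.findtext("saml:Issuer", namespaces=NS),   # IdP entity id the SP trusts
        "Audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "Recipient": scd.get("Recipient") if scd is not None else None,
        "NameID": name_id.text,
        "NameIDFormat": name_id.get("Format"),
        "ResponseSigned": root.find("ds:Signature", NS) is not None,
        "AssertionSigned": assertion.find("ds:Signature", NS) is not None,
    }

def mismatches(summary, sp_config):
    """Compare the decoded response with the SP's expectations; an empty dict means they agree."""
    expected = {"StatusCode": SUCCESS, "Destination": sp_config["acs_url"],
                "Recipient": sp_config["acs_url"], "Audience": sp_config["issuer"],
                "Issuer": sp_config["idp_entity_id"], "NameIDFormat": sp_config["nameid_format"]}
    return {k: {"got": summary[k], "expected": v} for k, v in expected.items() if summary[k] != v}

# Constructed sample Response (unsigned); not output captured from the toolkit.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2014-11-01T10:00:00Z" Destination="https://sp.example.test/acs">'
    '<saml:Issuer>localhost</saml:Issuer><samlp:Status>'
    f'<samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-11-01T10:00:00Z">'
    '<saml:Issuer>localhost</saml:Issuer><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.test</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.test/acs" NotOnOrAfter="2014-11-01T10:05:00Z"/>'
    '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>example-sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>'
)

def sample_encoded_response(xml=SAMPLE_RESPONSE_XML):
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")
```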

