{"id":4394,"date":"2025-03-20T15:20:28","date_gmt":"2025-03-20T15:20:28","guid":{"rendered":"https:\/\/geekmungus.co.uk\/?p=4394"},"modified":"2025-03-20T15:20:29","modified_gmt":"2025-03-20T15:20:29","slug":"saml-request-debugging-and-rewriting","status":"publish","type":"post","link":"https:\/\/geekmungus.co.uk\/?p=4394","title":{"rendered":"SAML Request Debugging and Rewriting"},"content":{"rendered":"\n

Although it may not be useful to most unless you are using the OpenAthens with Shibboleth IdP, I though running through some SAML request debugging which shows how you can take apart a SAML request, rewrite it and then re-encode it to assist in debugging or testing. <\/p>\n\n\n\n

The purpose of this was to test the SAML attributes that were being exposed to sP (service providers) from our new OpenAthens deployment to verify it was working as expected.<\/p>\n\n\n\n

Essentially you’re going through the process of:<\/p>\n\n\n\n

    \n
  1. Initial request<\/li>\n\n\n\n
  2. Decode the URL<\/li>\n\n\n\n
  3. Decode the XML<\/li>\n\n\n\n
  4. Change the XML (to include your new IdP)<\/li>\n\n\n\n
  5. Encode the XML<\/li>\n\n\n\n
  6. Encode the URL<\/li>\n\n\n\n
  7. Make the request (with the modified SAML request)<\/li>\n\n\n\n
  8. Output<\/li>\n<\/ol>\n\n\n\n

    Performing the Tests<\/h1>\n\n\n\n

    Open an incognito or private browser window.<\/p>\n\n\n\n

    Open the Developer Tools, and go to the “network” tab so you are able to see each of the resources (and requests) that are being made.<\/p>\n\n\n\n

    The open Athens IdP Endpoint is at the link: https:\/\/login.openathens.net\/saml\/2\/sso\/domain.com<\/a><\/p>\n\n\n\n

    The new prefix for the modified SAML requests: https:\/\/login.openathens.net\/saml\/2\/sso\/domain.com\/c\/ukfed?SAMLRequest=<\/a><\/p>\n\n\n\n

    Note that i’m hiding the our real IdP name, so using the fake one: idp.domain.com, so you’d need to substitute in your own.<\/p>\n\n\n\n

    Initial Request<\/h2>\n\n\n\n

    First open this page https:\/\/login.openathens.net\/resources\/static\/ssodebug.html<\/a><\/p>\n\n\n\n

    Click the OpenAthens SSO Debug button<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    This will set the OpenAthens logon page into Debug Mode, what this means is you’ll see a splash page displaying debug information such as the attribtues that your IdP has released to OpenAthens so you can check what they are.<\/p>\n\n\n\n

    Then open a new tab and go to the UK federation test SP https:\/\/www.ukfederation.org.uk\/content\/Documents\/TestSPHome<\/a><\/p>\n\n\n\n

    Note that you need to be part of the UK Federation, you’ll also need to have statically configured the sP within OpenAthens so you can send requests to that directly.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Click the link shown in the box https:\/\/test.ukfederation.org.uk\/Shibboleth.sso\/SeamlessAccess<\/a><\/p>\n\n\n\n

    From the list start typing your organisation name, then click on it to take you to your current IdP login, in our example this is Shibboleth IdP which is being retired in favour of OpenAthens backed by OKTA to provide the directory information.<\/p>\n\n\n\n

    At the Shibboleth IdP, don’t log in, instead look into the Developer Tools window, specifically the “Network” tab.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Then a few parts of the output need to be removed.<\/p>\n\n\n\n

    https://idp.domain.com\/idp\/profile\/SAML2\/Redirect\/SSO?SAMLRequest=hZLNbsIwEIRfJfKdOCRQwCJIKRyKRAsitIdeKsfZgFVjp16nP29fJ1CVXuh1PfOtZ7RT5EdVs6xxB72FtwbQBZ9HpZF1DylprGaGo0Sm%2BRGQOcHy7H7F4jBitTXOCKNIkCGCddLoudHYHMHmYN%2BlgMftKiUH52pklDoPD5vXCkqwvBWHxu79gOYHWRRGgTuEiIa2%2FJhu1vmOBAvvkbpT%2F4JkWYfI9R5syEUL8APqP1NJBWf3FkppQTia52sSLBcpeSnKwaQqbkYTSEbjQiSjJIr5RAwH1XhUlP3SyxAbWGp0XLuUxFE87EVJrz%2FY9YcsGrA4eibB5pz5VupS6v31goqTCNndbrfpnRI9gcUujReQ2bStmXWL7UXx17H8p20y%2B7db0E66rym92HNaWrMHD14uNkZJ8RVkSpmPuQXuICV9Qmcny9%2FTmH0D&RelayState=cookie%3A1741964658_547c<\/code><\/pre>\n\n\n\n
    Remove from the beginning:<\/p>\n\n\n\n
    https://idp.domain.com\/idp\/profile\/SAML2\/Redirect\/SSO?SAMLRequest=<\/code><\/pre>\n\n\n\n
    Remove from the end:<\/p>\n\n\n\n
    &RelayState=cookie%3A1741964658_547c<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    So it looks like this:<\/p>\n\n\n\n
    hZLNbsIwEIRfJfKdOCRQwCJIKRyKRAsitIdeKsfZgFVjp16nP29fJ1CVXuh1PfOtZ7RT5EdVs6xxB72FtwbQBZ9HpZF1DylprGaGo0Sm%2BRGQOcHy7H7F4jBitTXOCKNIkCGCddLoudHYHMHmYN%2BlgMftKiUH52pklDoPD5vXCkqwvBWHxu79gOYHWRRGgTuEiIa2%2FJhu1vmOBAvvkbpT%2F4JkWYfI9R5syEUL8APqP1NJBWf3FkppQTia52sSLBcpeSnKwaQqbkYTSEbjQiSjJIr5RAwH1XhUlP3SyxAbWGp0XLuUxFE87EVJrz%2FY9YcsGrA4eibB5pz5VupS6v31goqTCNndbrfpnRI9gcUujReQ2bStmXWL7UXx17H8p20y%2B7db0E66rym92HNaWrMHD14uNkZJ8RVkSpmPuQXuICV9Qmcny9%2FTmH0D<\/code><\/pre>\n\n\n\n
    Decode The URL<\/h2>\n\n\n\n
    Then in another tab, open the page https:\/\/www.samltool.com\/url.php<\/a> (URL Encode\/Decode) that allows you to decode the URL.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    In the URL Decode box paste the above into the data to be URL decoded:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Then click the\u00a0URL DECODE DATA<\/strong>\u00a0button and the following should be outputted.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Then take the output from the right and go to the Base 64 Decode + Inflate link, paste the output into the Deflate and Encoded XML.<\/p>\n\n\n\n
    Decode The XML<\/h2>\n\n\n\n
    Next go to the page https:\/\/www.samltool.com\/decode.php<\/a> (Base 64 Decode + Inflate).<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Then click the\u00a0DECODE AND INFLATE XML\u00a0<\/strong>button and the following should be output.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Change The XML<\/h2>\n\n\n\n
    Take the output in the box and replace the following:<\/p>\n\n\n\n
    https://idp.sanger.ac.uk\/idp\/profile\/SAML2\/Redirect\/SSO<\/code><\/pre>\n\n\n\n
    with:<\/p>\n\n\n\n
    https://login.openathens.net\/saml\/2\/sso\/sanger.ac.uk\/c\/ukfed<\/code><\/pre>\n\n\n\n
    After the change it should look something like this:<\/p>\n\n\n\n
    <samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" AssertionConsumerServiceURL=\"https:\/\/test.ukfederation.org.uk\/Shibboleth.sso\/SAML2\/POST\" Destination=\"https:\/\/login.openathens.net\/saml\/2\/sso\/domain.com\/c\/ukfed\" ID=\"_bd49fb679e378bc37302a9c54f87bd1d\" IssueInstant=\"2025-03-14T15:04:20Z\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Version=\"2.0\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https:\/\/test.ukfederation.org.uk\/entity<\/saml:Issuer><samlp:NameIDPolicy AllowCreate=\"1\"\/><\/samlp:AuthnRequest>\n<\/code><\/pre>\n\n\n\n
    We are rewriting the request to include the OpenAthens IdP rather than our current IdP to allow us to perform a test.<\/p>\n\n\n\n
    Encode The XML<\/h2>\n\n\n\n
    The click the link https:\/\/www.samltool.com\/encode.php<\/a> (Deflate + Base64 Encode), now you need to paste in your altered XML from the previous step.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Then click the\u00a0DEFLATE\u00a0AND ENCODE XML<\/strong>, which should output the following:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Encode The URL<\/h2>\n\n\n\n
    Next we need to go to the link https:\/\/www.samltool.com\/url.php<\/a> (URL Encode\/Decode) again, but this time we’ll be encoding the data, rather than decoding which we did earlier.<\/p>\n\n\n\n
    Paste the above text into the URL Encode box:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Click the URL ENCODE DATA<\/strong> button.<\/p>\n\n\n\n
    After this has been processed you have your encoded output:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Make The Request<\/h2>\n\n\n\n
    Copy the output and then create the following URL by taking the following:<\/p>\n\n\n\n
    https://login.openathens.net\/saml\/2\/sso\/domain.com\/c\/ukfed?SAMLRequest=<\/code><\/pre>\n\n\n\n
    Append encoded XML to it to create the following URL:<\/p>\n\n\n\n
    ttps:\/\/login.openathens.net\/saml\/2\/sso\/domain.com\/c\/ukfed?SAMLRequest=hZJBU8IwEIX%2FSid3miZQgQztDMJBZlAZQA9enLRdacaS1Gyq8u9NWx3xgtfs2%2B%2Fte5MZymNVi3njSr2FtwbQBZ%2FHSqPoBglprBZGokKh5RFQuFzs5rdrwcNI1NY4k5uKBHNEsE4ZvTAamyPYHdh3lcPDdp2Q0rkaBaXOw8Pm9QUKsLIVh8Ye%2FAPdlSrLTAWuDBENbfmcbu53exIs%2FY7SnfoXVJmD8ss1%2BEEJGkMNjrb3Uk5bAEp9ABvKvIXntLMkwWqZkOeiiKIpH03ZhE2nw%2BwK5GTMh0M%2B5jGbjNjIyxAbWGl0UruE8IjHg2g4YKM9i0XMRBw9kWDzHfxa6ULpw%2BWWsl6E4ma%2F3wz6WI9gsYvkBSSdtbeLztietX8ZK38qJ%2Bm%2FBYN2yp1m9MynN63FnQevlhtTqfwUzKvKfCwsSAcJYYSm%2Fcrf%2F5F%2BAQ%3D%3D<\/code><\/pre>\n\n\n\n
    Open a new browser tab, paste in your edited URL and it should now open the OKTA login page.<\/p>\n\n\n\n
    Sign in and once signed in, the following should be displayed.<\/p>\n\n\n\n
    Output\u00a0<\/h2>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The output show the attributes that are going to be passed to the application from OpenAthens.<\/p>\n\n\n\n
    If you don’t see the above page then you may not have enabled the SSO debug using the link in Fig A above.<\/p>\n\n\n\n
    If you were to click “Proceed to service” you’d get an error saying that the request signature is invalid, this is because you’ve tampered with the request en-route, but we don’t need to proceed to the service, its the output of this debug screen we are interested in.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Although it may not be useful to most unless you are using the OpenAthens with Shibboleth IdP, I though running through some SAML request debugging which shows how you can take apart a SAML request, rewrite it and then re-encode it to assist in debugging or testing. The purpose of this was to test the … Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35,53,22],"tags":[],"class_list":["post-4394","post","type-post","status-publish","format-standard","hentry","category-okta","category-saml","category-security"],"_links":{"self":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4394"}],"version-history":[{"count":1,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4394\/revisions"}],"predecessor-version":[{"id":4409,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/4394\/revisions\/4409"}],"wp:attachment":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}