I am using WSO2 Identity Server 4.1.0. I have successfully followed the steps described here (thank you) to get a local SAML2 consumer to work with a local WSO2 Identity Server.
The steps mentioned above describe using a Tomcat webapp to 'call' the login page of the WSO2 Identity Server, using a SAML request. The webapp will also receive a SAML response. The webapp has to generate this SAML request, so that it contains a valid issuer, timestamp, etc. Without this request, the Identity Server will not provide a login page. So actually, the request is a sort of preparation. The SAML request is encoded.
My aim is to get a better understanding of the way in which this webapp is composing the initial SAML request. I was only able to see the request after using the SAML debugger. How can I view this SAML request manually, using decoders?
What I have learned so far:
- I have learned here that we can use SAML 2.0 Debugger to decode or encode the SAML requests and responses. But I would like to know how and what is getting encoded / decoded.
- I have learned here that a URL decoder and Base64 decoder might be needed. So I was able to URL decode the /samlsso?SAMLRequest. It contained an encoded assertionString. I was not able to Base64 decode this string.
Request HTTP Header: This request is sent to the WSO2 Identity Server.
https://localhost:9443/samlsso
POST /samlsso HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://localhost:9443/samlsso?SAMLRequest=jZPBbtswDIZfRdA9seO0WyzEKbIUxQx0m5u4O%2BymyswiQJY8kU6zt5%2Fs2GsORdCrSP7k%2F5Fa3p1qw47gUTub8dk05gyscpW2vzP%2BXD5MFvxutURZm0asWzrYLfxpAYmFOouiD2S89VY4iRqFlTWgICV262%2BPIpnGovGOnHKGszUieAqNNs5iW4PfgT9qBc%2Fbx4wfiBoRRcYpaQ4OSSziRRx1%2Bsm0gtpFaigKOkRev7QEZ50w6iCU2wpOwUUyT5Ob2%2FQm5ezBeQX94BnfS4PAWX6f8WAzx0Ii6iO8BRDboIEkLWU8iWfzSfx5EidlnIp5Ima300%2Bz9BdnxeDoi7ZnTtfsv5yTUHwty2JS%2FNiVnP0ceYcEPtLtu%2FuPc5UjTb56o7SMLsVG6e%2BhOL8vnNHqL1sb4143HiQF5%2BRb6CHVkq636150Ndn3qaLpHCCBJc52Raf%2F1Eqj9xp8xvNuMh6N3YeLgapfQ9gZwYnYxtWN9Bo7DHCSigYQ4jJrY4LLLewvqHwYytU0JVQnHZ67I3h1vuqWCipMWXppsXGezizfnWc1cn7X2%2F%2Fo5YdZ%2FQM%3D&RelayState=null
Cookie: MSG13721655096400.5456646701125957=true; MSG13721655827030.13073174051588388=true; MSG13721677790000.949325276640498=true; menuPanel=visible; menuPanelType=main; current-breadcrumb=manage_menu%2Cmanage_saml_sso%23; requestedURI=../../carbon/admin/index.jsp; Modernizr=; JSESSIONID=E4B3DB007762167497588E63D2C396F6; MSG13727573306230.10612530425878663=true; region1_manage_menu=visible; ssoTokenId=E4B3DB007762167497588E63D2C396F6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 806
username=admin&assertnConsumerURL=http%3A%2F%2Flocalhost%3A8080%2Fsaml2.demo%2Fconsumer&issuer=saml2.demo&id=0&subject=null&relyingPartySessionId=null&assertionString=jZPBbtswDIZfRdA9seO0WyzEKbIUxQx0m5u4O%2BymyswiQJY8kU6zt5%2Fs2GsORdCrSP7k%2F5Fa3p1qw47gUTub8dk05gyscpW2vzP%2BXD5MFvxutURZm0asWzrYLfxpAYmFOouiD2S89VY4iRqFlTWgICV262%2BPIpnGovGOnHKGszUieAqNNs5iW4PfgT9qBc%2Fbx4wfiBoRRcYpaQ4OSSziRRx1%2Bsm0gtpFaigKOkRev7QEZ50w6iCU2wpOwUUyT5Ob2%2FQm5ezBeQX94BnfS4PAWX6f8WAzx0Ii6iO8BRDboIEkLWU8iWfzSfx5EidlnIp5Ima300%2Bz9BdnxeDoi7ZnTtfsv5yTUHwty2JS%2FNiVnP0ceYcEPtLtu%2FuPc5UjTb56o7SMLsVG6e%2BhOL8vnNHqL1sb4143HiQF5%2BRb6CHVkq636150Ndn3qaLpHCCBJc52Raf%2F1Eqj9xp8xvNuMh6N3YeLgapfQ9gZwYnYxtWN9Bo7DHCSigYQ4jJrY4LLLewvqHwYytU0JVQnHZ67I3h1vuqWCipMWXppsXGezizfnWc1cn7X2%2F%2Fo5YdZ%2FQM%3D&RelayState=null&password=admin
HTTP/1.1 200 OK
Set-Cookie: ssoTokenId=E4B3DB007762167497588E63D2C396F6; Expires=Tue, 02-Jul-2013 19:32:45 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Tue, 02 Jul 2013 09:32:45 GMT
Server: WSO2 Carbon Server
The 'referer' in the request above contains a SAML request that was made visible by the SAML Debugger.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/saml2.demo/consumer" AttributeConsumingServiceIndex="1239245949" ForceAuthn="false" ID="0" IsPassive="false" IssueInstant="2013-07-02T09:32:15.619Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">saml2.demo</samlp:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Isser"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
(It seems it is not the full SAML request yet, and that the WSO2 IS is composing the complete SAML Request internally.)
Response HTTP Header: This is the response received from the WSO2 Identity Server.
http://localhost:8080/saml2.demo/consumer
POST /saml2.demo/consumer HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=E078F376C8ED303D28A200DD7AC28324; MSG13721655096400.5456646701125957=true; MSG13721655827030.13073174051588388=true; MSG13721677790000.949325276640498=true; menuPanel=visible; menuPanelType=main; current-breadcrumb=manage_menu%2Cmanage_saml_sso%23; requestedURI=../../carbon/admin/index.jsp; Modernizr=; MSG13727573306230.10612530425878663=true; region1_manage_menu=visible; ssoTokenId=E4B3DB007762167497588E63D2C396F6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1870
SAMLResponse=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0D%0A%3Csaml2p%3AResponse+ID%3D%22dnfomflkhhdjjgfoggoagcdopgnjmpajenlehbka%22+IssueInstant%3D%222013-07-02T09%3A32%3A45.635Z%22+Version%3D%222.0%22+xmlns%3Asaml2p%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22%3E%3Csaml2p%3AStatus%3E%3Csaml2p%3AStatusCode+Value%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Astatus%3ASuccess%22%2F%3E%3C%2Fsaml2p%3AStatus%3E%3Csaml2%3AAssertion+ID%3D%22dgamkdkadflnniggkelmjfakjljedhfdhnbpomdk%22+IssueInstant%3D%222013-07-02T09%3A32%3A45.635Z%22+Version%3D%222.0%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer+Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Aentity%22%3Ehttps%3A%2F%2Flocalhost%3A9443%2Fsamlsso%3C%2Fsaml2%3AIssuer%3E%3Csaml2%3ASubject%3E%3Csaml2%3ANameID%3Eadmin%3C%2Fsaml2%3ANameID%3E%3Csaml2%3ASubjectConfirmation+Method%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Acm%3Abearer%22%3E%3Csaml2%3ASubjectConfirmationData+InResponseTo%3D%220%22+NotOnOrAfter%3D%222013-07-02T09%3A37%3A45.635Z%22+Recipient%3D%22http%3A%2F%2Flocalhost%3A8080%2Fsaml2.demo%2Fconsumer%22%2F%3E%3C%2Fsaml2%3ASubjectConfirmation%3E%3C%2Fsaml2%3ASubject%3E%3Csaml2%3AConditions+NotBefore%3D%222013-07-02T09%3A32%3A45.635Z%22+NotOnOrAfter%3D%222013-07-02T09%3A37%3A45.635Z%22%3E%3Csaml2%3AAudienceRestriction%3E%3Csaml2%3AAudience%3Esaml2.demo%3C%2Fsaml2%3AAudience%3E%3C%2Fsaml2%3AAudienceRestriction%3E%3C%2Fsaml2%3AConditions%3E%3Csaml2%3AAuthnStatement+AuthnInstant%3D%222013-07-02T09%3A32%3A45.635Z%22%3E%3Csaml2%3AAuthnContext%3E%3Csaml2%3AAuthnContextClassRef%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APassword%3C%2Fsaml2%3AAuthnContextClassRef%3E%3C%2Fsaml2%3AAuthnContext%3E%3C%2Fsaml2%3AAuthnStatement%3E%3C%2Fsaml2%3AAssertion%3E%3C%2Fsaml2p%3AResponse%3E&RelayState=null
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8080/saml2.demo/home.jsp?subject=admin
Content-Length: 0
Date: Tue, 02 Jul 2013 09:32:47 GMT
Here the SAMLResponse can be made visible by using a URL Decoder, for example this one.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="dnfomflkhhdjjgfoggoagcdopgnjmpajenlehbka" IssueInstant="2013-07-02T09:32:45.635Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="dgamkdkadflnniggkelmjfakjljedhfdhnbpomdk" IssueInstant="2013-07-02T09:32:45.635Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:9443/samlsso</saml2:Issuer>
<saml2:Subject>
<saml2:NameID>admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2013-07-02T09:37:45.635Z" Recipient="http://localhost:8080/saml2.demo/consumer"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-07-02T09:32:45.635Z" NotOnOrAfter="2013-07-02T09:37:45.635Z">
<saml2:AudienceRestriction>
<saml2:Audience>saml2.demo</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-07-02T09:32:45.635Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
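The three encoding layers the question is asking about can be peeled off by hand. The SAMLRequest in the Referer above is, per the SAML HTTP-Redirect binding, raw DEFLATE-compressed XML that is then Base64-encoded and finally URL-encoded, which is why a plain Base64 decoder yields unreadable bytes: the result still has to be inflated. The SAMLResponse posted to the consumer, by contrast, is just form-URL-encoded XML. The following script is an added example (not part of the question or of the WSO2 sample webapp) that encodes a constructed AuthnRequest the way a service provider does and decodes any SAMLRequest/SAMLResponse value, reporting which layers it found; `SAMPLE_AUTHN_REQUEST` is a constructed placeholder, not the captured request.

```python
import base64
import urllib.parse
import zlib

# Constructed sample (not the request captured in the question); any well-formed XML would do.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-1" Version="2.0" IssueInstant="2013-07-02T09:32:15.619Z" '
    'AssertionConsumerServiceURL="http://localhost:8080/saml2.demo/consumer">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2.demo</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml: str) -> str:
    """What an SP does for the HTTP-Redirect binding: raw DEFLATE, then Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib/gzip header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: Base64 only, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_saml_param(value: str) -> tuple:
    """Decode a SAMLRequest/SAMLResponse value; returns (xml, layers-found)."""
    text = urllib.parse.unquote_plus(value)          # layer 1: URL / form encoding
    if text.lstrip().startswith("<"):
        return text, "xml"                           # plain form-encoded XML (the SAMLResponse case above)
    # Base64 contains no spaces; any present were '+' characters that a form decoder turned into spaces.
    b64 = text.replace(" ", "+")
    b64 += "=" * (-len(b64) % 4)                     # restore padding that some encoders strip
    raw = base64.b64decode(b64)                      # layer 2: Base64
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8"), "base64"         # HTTP-POST binding: XML straight under Base64
    for wbits in (-15, 15, 31):                      # raw DEFLATE first; zlib/gzip-wrapped as fallbacks
        try:
            return zlib.decompress(raw, wbits).decode("utf-8"), "deflate"   # layer 3: inflate
        except zlib.error:
            continue
    raise ValueError("not URL-encoded XML, Base64 XML, or deflated Base64 XML")


if __name__ == "__main__":
    encoded = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print("SAMLRequest=" + encoded[:60] + "...")
    print(decode_saml_param(encoded))
```

Passing the `SAMLRequest=` value copied from the Referer header above to `decode_saml_param` should return the AuthnRequest shown after it together with the label `"deflate"`.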