I'm creating automated integration tests for an SSO process. I'm new to the SAML concept, and probably my understanding of how it works is inaccurate or completely wrong.
We chose to use OneLogin as IdP. Steps to automate:
- User requests the target resource without credentials. For example
my-api.com/v1/cats
- Verify the user has been redirected to
https://{app}.onelogin.com/trust/saml2/http-post/sso/{app-id}?SAMLRequest={request}
- User logs in to SSO
- Verify the user has been redirected to POST
my-api.com/v1/saml/consume
with SAMLResponse inside the body
- Verify that POST
my-api.com/v1/saml/consume
with the right SAMLResponse gives the user a service provider token and then redirects to the initial URL, my-api.com/v1/cats
And I'm stuck on step 2: "user logs in to SSO". I want to do it using the OneLogin API, not the web form, but I didn't find documentation for it. I inspected the network calls while performing a login using the https://{my-app}.onelogin.com/login
page.
After I fill in the email and password and click the "Login" button:
1. POST request to https://{my-app}.onelogin.com/sessions
with form-data authenticity_token={token}&email={email}&password={password}&commit=Log%20in&_=
2. OneLogin redirects the user to make a GET request to https://{app}.onelogin.com/trust/saml2/http-post/sso/{app-id}?SAMLRequest={request}
(this is initial url generated by our service provider)
3. User is redirected to my-api.com/v1/saml/consume
I tried to POST to https://{my-app}.onelogin.com/sessions
with the same body as in step 1 using Postman, but I get back
422: UNPROCESSABLE CHANGES. Maybe you tried to change something you don't have access to.
My question: is it possible to retrieve the SAMLResponse using the OneLogin API? And is the process I described right?
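The two halves of the flow the question lists (the redirect to the IdP carrying a SAMLRequest, and the IdP's POST of a SAMLResponse to the consume URL) can be exercised offline, with the test itself playing the IdP for the "user logs in to SSO" step instead of driving the vendor's login form. The example below is added here; it is not the poster's code and not OneLogin's API. The SP entityID, the IdP entityID, the app id `123456`, the user `alice@example.com` and all XML are constructed test data; the consume URL and the OneLogin SSO path shape come from the post.

```python
"""Constructed example of the SP-initiated flow described above (added here; not OneLogin's API)."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://my-api.com/saml/metadata"                          # assumed SP entityID
ACS_URL = "https://my-api.com/v1/saml/consume"                             # consume URL from the post
IDP_ENTITY_ID = "https://app.onelogin.com/saml/metadata/123456"            # placeholder IdP entityID
IDP_SSO_URL = "https://app.onelogin.com/trust/saml2/http-post/sso/123456"  # placeholder app id
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest, as the SP emits when /v1/cats is hit without credentials."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    return IDP_SSO_URL + "?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})

def decode_saml_request(location):
    """Unpack the Location header captured on the redirect to the IdP (the redirect check)."""
    parsed = urlparse(location)
    q = parse_qs(parsed.query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    return {"idp_url": parsed._replace(query="").geturl(), "id": root.attrib["ID"],
            "acs": root.attrib["AssertionConsumerServiceURL"],
            "issuer": root.findtext("saml:Issuer", namespaces=NS), "relay_state": q["RelayState"][0]}

def build_test_response(in_response_to, name_id, now):
    """Constructed, UNSIGNED Response standing in for the IdP's POST (a real IdP signs it)."""
    nb, noa = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
            f'Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" '
            f'NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_saml_response(form, expected_request_id, now):
    """What the consume endpoint must check before minting its own token. Returns (name_id, problems);
    empty problems means accept. The XML signature check (mandatory in production) is left out: stdlib only."""
    problems = []
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.attrib.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.attrib.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.attrib.get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, problems + ["no Assertion"]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Audience is not this SP")
    else:
        nb = datetime.strptime(cond.attrib["NotBefore"], TS).replace(tzinfo=timezone.utc)
        noa = datetime.strptime(cond.attrib["NotOnOrAfter"], TS).replace(tzinfo=timezone.utc)
        if not nb <= now < noa:
            problems.append("assertion outside its validity window")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.attrib.get("Recipient") != ACS_URL or scd.attrib.get("InResponseTo") != expected_request_id:
        problems.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), problems

def run_flow(user="alice@example.com", now=None):
    """Drive the flow end to end against the constructed IdP; returns what a test asserts on."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    req = decode_saml_request(redirect_binding_url(build_authn_request(request_id, now), "/v1/cats"))
    form = {"SAMLResponse": base64.b64encode(build_test_response(req["id"], user, now).encode()).decode(),
            "RelayState": req["relay_state"]}  # the body the IdP POSTs to the consume URL
    name_id, problems = validate_saml_response(form, request_id, now)
    _, stale = validate_saml_response(form, request_id, now + timedelta(minutes=10))  # replayed after expiry
    _, unsolicited = validate_saml_response(form, "_" + uuid.uuid4().hex, now)        # no matching AuthnRequest
    return {**req, "name_id": name_id, "problems": problems, "stale": stale, "unsolicited": unsolicited}
```

`run_flow()` returns an accepted login for the constructed response and a non-empty problem list for the same body replayed after its validity window or presented against an AuthnRequest ID the SP never issued; those three cases are what an integration test of the consume endpoint should assert, in addition to the redirect checks on `idp_url`, `acs` and `issuer`. Two caveats for using this against a real SP: the response here is unsigned, so a correctly configured SP must reject it until the test signs it with a test IdP key pair whose certificate the SP trusts (an XML-DSig library such as xmlsec or signxml is needed for that), and the vendor login form is then out of the test's path entirely, which is the usual way to keep SSO integration tests hermetic.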