How to query decoded SAML response in Shibboleth SP version 3.0.1
Kannan, Satheesh (ELS-CON)
s.kannan.1 at elsevier.com
Thu Oct 21 14:04:37 UTC 2021
Thanks Peter, for your suggestion.
On the service provider end, I was looking to display the decrypted SAML assertions received from the IdP in the user interface.
In most cases, we are unable to see the SAML assertions/attributes sent by the IdP and what Name Format they are sending, or whether we received single or multiple values.
I tried multiple handlers, namely Attribute Resolver and Attribute Checker. Both handlers didn't seem to be working and don't solve the purpose, since they come after the downloading of the SAML assertions by the Shib SP software.
I saw that the IdP was sending the SAMLResponse in form data to https://domain.com/SHIRE/SAML2/POST. I see that the SAMLResponse in the form data seems to be lost when attaching a customized sessionHook="/sso-" endpoint, since the session hook always gets called instead of the POST.
Is there a way we can make use of the PostData and PostTemplate attributes in the Sessions element to retrieve the SAML response sent by the SP?
https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions
Could you suggest any shortcut to change the customized handler URL to download decrypted SAML assertions/attributes?
<Sessions checkAddress="false" cookieName="testcookie" cookieProps="; path=/; domain=.example.com" handlerURL="https://domain.com/SHIRE" >
Thanks,
Satheesh
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Wednesday, October 20, 2021 6:47 PM
To: users at shibboleth.net
Subject: Re: How to query decoded SAML response in Shibboleth SP version 3.0.1
* Kannan, Satheesh (ELS-CON) <s.kannan.1 at elsevier.com> [2021-10-20 15:12]:
> Is there a way we can query the decoded SAML Response in Shibboleth SP
> version 3.0.1 to see the SAML assertions sent by the IDP for debugging
> purpose.
For merely decoding you could do that in the browser without access to the server, using e.g. the SAML-tracer browser extension.
If the Response (or the Assertion within) is also encrypted you'd need to do that on the SP: Have a look at your shibd.logger and uncomment the category for SAML protocol messages.
That should allow you to log the decoded, decrypted Response (or Assertion).
-peter
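
Added example, not part of the original thread and not Shibboleth code: a sketch of the decode-only inspection described above, listing each attribute's Name, NameFormat and value count from a base64 SAMLResponse form value, and flagging encrypted assertions that only the SP can decrypt. The function name and the sample message are hypothetical; the form value is assumed to be already URL-decoded.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML core: an omitted NameFormat means "unspecified"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample Response (not a real IdP message), encoded the way it
# arrives in the SAMLResponse form field of the HTTP-POST binding.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>user@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="affiliation">
   <saml:AttributeValue>member</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_form_value):
    """Decode a POST-binding SAMLResponse and summarise its attributes.

    Inspection only: no signature or condition checks are done, so the
    result must never feed an access decision. Use it on messages from
    your own test logins; the stdlib parser is not hardened for hostile XML.
    """
    root = ET.fromstring(base64.b64decode(b64_form_value))
    report = {
        # Encrypted assertions cannot be read here; they need the SP's key.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "attributes": [],
    }
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        report["attributes"].append({
            "name": attr.get("Name"),
            "name_format": attr.get("NameFormat", UNSPECIFIED),
            "values": values,
            "multi_valued": len(values) > 1,
        })
    return report
```

A non-zero "encrypted_assertions" count with an empty attribute list is the case where browser-side decoding is not enough and the SP-side logging suggested above is needed.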