How to query decoded SAML response in Shibboleth SP version 3.0.1

Peter Schober peter.schober at
Thu Oct 21 14:50:55 UTC 2021

* Kannan, Satheesh (ELS-CON) <s.kannan.1 at> [2021-10-21 16:05]:
> On the Service provider end, I was looking to display decrypted
> saml assertions received from the Idp in user interface.

You'll have to configure your logging configuration then, as already

> I tried multiple handlers namely Attribute Resolver and Attribute
> Checker. Both handlers didn't seem to be working and don't solve the
> purpose since they are coming after downloading saml assertions by
> the shib SP software.

I don't see what any of this has to do with logging the SAML messages?

> I was seeing, Idp was sending samlresponse in form data to
> I see, samlresponse in form
> data seems to be lost when attaching customize sessionHook="/sso-"
> endpoint. Since, session hook always does get call instead of post.

That's not what happens, as you'd see if you looked at what actually happens in
your web browser; use e.g. SAML-tracer. The IDP has no knowledge of
your sessionHook and has no reason to be HTTP POST-ing the response
So what happens is the IDP HTTP POSTs the response to your SP's
Assertion Consumer Service URL and *after* your SP decodes and
decrypts the Response/Assertion and *after* it creates a local session
with any mapped attributes etc. it would send the web browser on to
the configured sessionHook URL. So not "instead of post", after.

(Btw, I find it weird that your referenced sessionHook claims to be
available at /sso- (including the minus at the end) but as long as
that path is accessible and the session hook works that's fine, I
guess. It's not a prefix for anything, though, so you may be confusing
yourself by having local code available at that specific path.)

Again, none of this has anything to do with logging so you're not
communicating clearly what it is that you want to achieve.
(Don't focus your questions on the method you want to achieve
something with, focus on the effect/result.)
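
An added example, not part of the original message and not Shibboleth code: a small Python decoder for the SAMLResponse form field of a captured HTTP POST to the Assertion Consumer Service, the kind of view a browser-side tool such as SAML-tracer gives. The sample message, host names and the function name are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def summarize_saml_response(form_body: str) -> dict:
    """Decode the SAMLResponse field of an HTTP-POST binding form body."""
    fields = urllib.parse.parse_qs(form_body)
    if "SAMLResponse" not in fields:
        # e.g. the later request to a session hook: no SAML message is in it
        return {"has_saml_response": False}
    # Only feed this traffic captured from your own browser session.
    xml_bytes = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "has_saml_response": True,
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "status": status.get("Value") if status is not None else None,
        # Readable in the browser only when the IdP did not encrypt them
        "plain_assertions": len(root.findall("saml:Assertion", NS)),
        # Still ciphertext here; decryption happens inside the SP
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

# Constructed sample: a minimal Response carrying one (empty) EncryptedAssertion
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:EncryptedAssertion/>'
    '</samlp:Response>'
)
SAMPLE_FORM = urllib.parse.urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
    "RelayState": "ss:mem:constructed",
})

if __name__ == "__main__":
    print(summarize_saml_response(SAMPLE_FORM))
```

When the IdP encrypts assertions, the browser capture shows only EncryptedAssertion elements, so the decrypted content exists only inside the SP after the Assertion Consumer Service has processed the POST.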

