How to query decoded SAML response in Shbboleth SP version 3.0.1

Kannan, Satheesh (ELS-CON) s.kannan.1 at
Thu Oct 21 15:51:06 UTC 2021

Your reply clarified a lot. My end goal is to display the decrypted the Reponse/Assertion in the User Interface *before SAML Assertion to be extracted and passed to an application. Logging saml messages in the log file doesn't solve my problem.

I'm looking for an solution 

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Thursday, October 21, 2021 8:21 PM
To: users at
Subject: Re: How to query decoded SAML response in Shbboleth SP version 3.0.1

*** External email: use caution ***

* Kannan, Satheesh (ELS-CON) <s.kannan.1 at> [2021-10-21 16:05]:
> On the Service provider end, I was looking to display decrypted saml 
> assertions received from the Idp in user interface.

You'll have to configure your logging configuration then, as already mentioned.

> I tried multiple handlers namely Attribute Resolver and Attribute 
> Checker. Both handlers didn't seems to working and doesn't solve the 
> purpose since they are coming after downloading saml assertions by the 
> shib SP software.

I don't see what any of this has to do with logging the SAML messages?

> I was seeing, Idp was sending  samlresponse in form data to 
> I see , samlresponse in form data  seems to be lost when attaching customize sessionHook="/sso-"
> endpoint. Since, session hook always does get call instead of post.

That's not what happens, as you'd if you looked at what actaully  in your webbrowser, use e.g. SAML-tracer. The IDP has no knowledge of your sessionHook and has no reason to be HTTP POST-ing the response there.
So what happens is the IDP HTTP POSTs the response to your SP's Assertion Consumer Service URL and *after* your SP decodes and decrypts the Reponse/Assertion and *after* it creates a local session with any mapped attributes etc. if would send the web browser on to the configured sessionHook URL. So not "instead of post", after.

(Btw, I find it weird that your referenced sessionHook claims to be available at /sso- (including the minus at the end) but as long as that path is accessible and the session hook works that's fine, I guess. It's not a prefix for anything, though, so you may be confusing yourself by having local code available at that specific path.)

Again, none of this has anything to do with logging so you're not communicating clearly what it is that you want to achieve.
(Don't focus your questions on the method you want to achieve something with, focus on the effect/result.)

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list