When working with multiple Relying Parties / Service Providers in AD FS it often becomes necessary to confirm that the SAML Assertions / Claims you expect to be sent are actually being sent. By using the IdpInitiatedSignon.aspx page included with AD FS 2.1 on Windows Server 2012 together with Fiddler, the SAML Assertions / Claims can be captured, decoded and inspected.
Requirements & Assumptions
Telerik's Fiddler with HTTPS decryption enabled (Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic). Enabling this installs the Fiddler root certificate on the capturing machine, so do it on a test workstation, not on the AD FS server.
A functional Microsoft AD FS 2.1 Farm on Windows Server 2012 with or without an AD FS Proxy.
The known endpoint of your AD FS Farm: https://sts.domain.com/
At least one Relying Party Trust with a Service Provider configured to send a few claims.
When creating the Relying Party Trust, you chose NOT to encrypt the claims. If the trust has an encryption certificate, the assertion is wrapped in an EncryptedAssertion element that only the Relying Party's private key can open, and nothing in this walkthrough will be readable.
Add-ADFSRelyingPartyTrust … -EncryptClaims $False
Credentials in the domain in which the AD FS Farm resides.
SAML 2.0 Web SSO Protocol is being used, not WS-Federation Passive Protocol.
Step 1 – Get Authenticated by AD FS in your domain
Browse to https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx and click Continue to Sign In.
Type your domain credentials. This user must have a Windows account in the domain to which the AD FS Farm is joined. Click Sign In.
Step 2 – Select a Relying Party Trust / Service Provider to Test
To test the POST to your Relying Party, select it from the Select one of the following sites: drop-down.
Step 3 – Get ready to capture the Fiddler session
Start Fiddler to begin your trace.
Once Fiddler is running and capturing, return to the browser and click the Go button.
Step 4 – Review the Fiddler Session Capture to locate your SAML Token.
In Fiddler, look for the session against https://sts.domain.com/adfs/ls/ that AD FS answers with the HTML form it auto-posts to the Relying Party (in an SP-initiated flow this is the session whose URL contains SAMLRequest=) and select that item in the Fiddler session panel.
In Fiddler select the Inspectors tab for the response, then TextView.
Look for the hidden form field in that response body that looks like:
<input type="hidden" name="SAMLResponse" value="…" />
It is the base64-encoded string between the two quotes … lots of base64-encoded characters … that we want to carefully select in Fiddler with the cursor; make sure the selection does not include the quotes themselves.
After selecting the text detailed above, right-click on it and choose Send to TextWizard. Once loaded into the TextWizard, select the radio button From Base64 to decode the value into readable XML. This is the SAML Response carrying your token.
It will include your AD FS Token-Signing Certificate (the public certificate embedded in the assertion's Signature element) and, toward the very bottom of the XML, an AttributeStatement section where your assertions / claims are visible, one Attribute element per claim type.
If you do not see any claims, then your Claim Rules are not being processed for this user account. A good starting point for troubleshooting the Claim Rules is to add a static Issue Rule to the Relying Party Trust like the one described on TechNet, which is issued regardless of the user's attributes:
=> issue(type = "http://test/role", value = "employee");
If that claim shows up in the token, the trust is being hit and the problem lies in the conditions of your real rules; if even that claim is missing, you are looking at the wrong Relying Party Trust or the assertion is encrypted. Then simply retest using the steps above until you are certain that the SAML Assertions / Claims you want passed are indeed being passed.
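Once the base64 value from the SAMLResponse field has been copied out of Fiddler, the TextWizard step and the manual read through the XML can be replaced with a few lines of PowerShell. The function below is an added example; it is not part of the original post and not AD FS or Fiddler code. It assumes the hidden field is named SAMLResponse (the SAML 2.0 HTTP-POST binding) and that the assertion is signed but not encrypted, which is exactly what the -EncryptClaims $False requirement above guarantees. It lists the response status, issuer, subject, validity window, audience, the thumbprint of the certificate AD FS signed with, and every claim, and stops with a clear message if the assertion turns out to be encrypted.

```powershell
# Added example, not from the original post: decode a SAMLResponse value copied
# from Fiddler and list what AD FS actually issued.
# Assumes an unencrypted, signed SAML 2.0 assertion (-EncryptClaims $False).
function ConvertFrom-SamlResponse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Base64Response
    )

    # Strip whitespace and HTML entities that a copy from TextView may carry.
    $clean   = [System.Net.WebUtility]::HtmlDecode($Base64Response) -replace '\s', ''
    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($clean))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the signed bytes exactly as received
    $xml.LoadXml($xmlText)

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    # Encrypted assertion: nothing to read, so say so instead of printing an empty list.
    if ($xml.SelectSingleNode('/samlp:Response/saml:EncryptedAssertion', $ns)) {
        throw 'The assertion is encrypted, so no claims are visible. Re-create or update the Relying Party Trust with -EncryptClaims $false.'
    }
    $assertion = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { throw 'No <saml:Assertion> element found; is this really the SAMLResponse field?' }

    $statusNode = $xml.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    $status     = if ($statusNode) { $statusNode.GetAttribute('Value') } else { '(no StatusCode)' }
    $issuer     = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
    $nameId     = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
    $audience   = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText

    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $notBefore = $null; $notOnOrAfter = $null
    if ($cond) { $notBefore = $cond.GetAttribute('NotBefore'); $notOnOrAfter = $cond.GetAttribute('NotOnOrAfter') }

    # Which token-signing certificate AD FS used: the public half is embedded in the signature.
    # This only identifies the certificate; it does NOT verify the signature.
    $thumb    = $null
    $certNode = $assertion.SelectSingleNode('ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($certNode) {
        $der   = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $thumb = $cert.Thumbprint
    }

    # One <saml:Attribute> per claim type; multi-valued claims (e.g. groups) carry several <AttributeValue>s.
    $claims = @(foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        foreach ($value in $attr.SelectNodes('saml:AttributeValue', $ns)) {
            [pscustomobject]@{ Type = $attr.GetAttribute('Name'); Value = $value.InnerText }
        }
    })
    if ($claims.Count -eq 0) {
        Write-Warning 'No claims were issued for this user; check the Claim Rules on the Relying Party Trust.'
    }

    [pscustomobject]@{
        Status                = $status
        Issuer                = $issuer
        NameId                = $nameId
        NotBefore             = $notBefore
        NotOnOrAfter          = $notOnOrAfter
        Audience              = $audience
        SigningCertThumbprint = $thumb
        Claims                = $claims
    }
}

# Usage: paste the value from between the quotes of the SAMLResponse field as the argument.
# $r = ConvertFrom-SamlResponse -Base64Response 'PHNhbWxwOlJlc3BvbnNlIC4uLg=='   # placeholder, not a real token
# $r | Format-List Status, Issuer, NameId, Audience, NotBefore, NotOnOrAfter, SigningCertThumbprint
# $r.Claims | Format-Table Type, Value -AutoSize
```

Two checks worth doing with the output: compare SigningCertThumbprint with the thumbprint reported by Get-AdfsCertificate -CertificateType Token-Signing on the farm, so you know the token was signed with the current certificate and not one left over from a rollover, and compare Audience with the identifier of the Relying Party Trust you selected on the sign-on page, which catches the case where the claims are fine but are being issued to the wrong trust. A decoded token contains the user's identity and group memberships, so treat saved Fiddler sessions as sensitive data.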