Microsoft AD FS SAML Assertion Troubleshooting w/Fiddler

When working with multiple Relying Parties / Service Providers in AD FS, it often becomes necessary to confirm that the SAML Assertions / Claims you expect to be sent are indeed being sent. By using the IdpInitiatedSignOn.aspx page included with AD FS 2.1 on Windows Server 2012 together with Fiddler, the SAML Assertions / Claims can be inspected and confirmed.

Requirements & Assumptions

Telerik's Fiddler tool with SSL capture (HTTPS decryption) enabled

A functional Microsoft AD FS 2.1 Farm on Windows Server 2012 with or without an AD FS Proxy.

The known endpoint of your AD FS Farm:  https://sts.domain.com/

At least one Relying Party Trust with a Service Provider configured to send a few claims.

When creating the Relying Party Trust, you chose NOT to encrypt the claims.

Add-ADFSRelyingPartyTrust  … -EncryptClaims $False

Credentials in the domain in which the AD FS Farm resides.

SAML 2.0 Web SSO Protocol is being used, not WS-Federation Passive Protocol.

Step 1 – Get Authenticated by AD FS in your domain

Browse to https://sts.domain.com/adfs/ls/IdpInitiatedSignOn.aspx.


Click Continue to Sign In.


Type your domain credentials as shown. This user should have Windows credentials in the domain to which the AD FS Farm is joined. Click Sign In.

Step 2 – Select a Relying Party Trust / Service Provider to Test

To test the POST to your Relying Party, select it from the "Select one of the following sites:" drop-down.

Step 3 – Get ready to capture the Fiddler session

Start Fiddler to begin your trace.

Once Fiddler is running and ready to capture your trace, click the Go button.

Step 4 – Review the Fiddler Session Capture to locate your SAML Token.

In Fiddler, look for the GET request that looks like https://sts.domain.com/adfs/ls?SAMLRequest=… and select that item in the Fiddler session panel.

Select Inspectors in Fiddler, and select TextView.

Look for a section contained in this POST that looks like:

<input type="hidden" name="SAMLResponse" value=" …. lots of base 64 encoded values … "/><noscript><p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" /></noscript></form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script></body></html>

It is the base 64 encoded string between the two quotes, …. lots of base 64 encoded values …, that we want to carefully select in Fiddler with our cursor.

After selecting the text detailed above, right-click on the text and send it to the Fiddler TextWizard. Once loaded into the TextWizard, select the radio button From Base64 to decode the POST value into readable XML. This is your SAML Token.


It will include your AD FS Token-Signing Certificate and toward the very bottom of the XML, will include a section where your assertions / claims will be visible:

<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>username@domain.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth">
    <AttributeValue>1980-01-01</AttributeValue>
  </Attribute>
</AttributeStatement>

If you do not see any claims, then your Claims Rules are not being processed for this user account. To troubleshoot your Claims Rules, a good starting point is to add a static Issue Rule like the one described on TechNet:

=> issue(type = "http://test/role", value = "employee");

If you still do not see the claims, simply retest using the steps above until you are certain that the SAML Assertions / Claims you want passed are indeed being passed.
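The same decode-and-inspect steps done with the TextWizard, as an added Python example that is not part of the original post: it base64-decodes a SAMLResponse form value, lists the claims in each AttributeStatement, flags an empty result (Claims Rules not firing) and refuses an EncryptedAssertion (trust created without -EncryptClaims $False). The SAMLResponse below is a constructed, unsigned sample shaped like the fragment above, not a real AD FS capture.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response issued by AD FS.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: minimal unsigned Response with one AttributeStatement
# carrying the two claims shown in the post (not a real AD FS token).
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2013-01-01T00:00:00Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">'
    '<saml:Issuer>http://sts.domain.com/adfs/services/trust</saml:Issuer>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
    '<saml:AttributeValue>username@domain.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth">'
    '<saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
# What the hidden <input name="SAMLResponse"> value would hold for that XML.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(samlresponse_b64):
    """Base64-decode the SAMLResponse form value (what 'From Base64' does)."""
    return base64.b64decode(samlresponse_b64).decode("utf-8")


def extract_claims(response_xml):
    """Return {claim type: [values]} from every AttributeStatement in the token.

    Raises ValueError when the assertion is encrypted, since the claims are
    then unreadable in Fiddler; recreate the trust with -EncryptClaims $False.
    """
    root = ET.fromstring(response_xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("EncryptedAssertion present: claims are encrypted")
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


if __name__ == "__main__":
    found = extract_claims(decode_saml_response(SAMPLE_SAMLRESPONSE))
    if not found:
        print("No claims in the token: check the Claims Rules for this user")
    for name, values in found.items():
        print(name, "=", ", ".join(values))
```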

Posted in AD FS, Windows Server 2012
One comment on "Microsoft AD FS SAML Assertion Troubleshooting w/Fiddler"

  1. Huy Nguyen says:

    Thank you so much for your article. It made my day!
