Introduction
Over the past couple of days I have been doing some diagnostics with a partner to set up SSO over SAML HTTP POST using ADFS. The partner is using the ComponentSpace SAML component. An important part of the diagnostics has been capturing the HTTP POST trace and sending it to the partner for analysis. This post shows the steps I went through to trace the HTTP POST using Fiddler.
I saw one MSDN thread that mentioned a similar technique to mine, but I wanted to document the steps here because they are neither trivial nor simple.
Walkthrough
This walkthrough assumes you have already downloaded Fiddler and have setup at least one relying party.
- Configure IIS so that it can be used with Fiddler tracing and ADFS. See the following TechNet Wiki article for more information: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx?wa=wsignin1.0&CommentPosted=true. I did not do this step, but I am presenting it here in case you run into the problem described at that link. When authenticating, I checked the box to remember my password.
- Configure Fiddler to decrypt HTTPS traffic. Open the Fiddler options and check the boxes as shown below. Ignoring server certificate errors is optional:
- Open the browser and navigate to https://adfsFQDN/adfs/ls/IdpInitiatedSignOn.aspx. This page will look like:
- Choose to sign in. You will receive an authentication prompt; authenticate with Windows credentials.
- You will then see a window similar to the one below:
- Before clicking Go, open Fiddler so that the trace will be captured.
- Then click Go in the browser. The trace captured in Fiddler will look like the screenshot below (sorry, this screenshot is a pretty large file, but it shows a lot of important details):
- Find the last session that includes “adfs/ls” in the session list in Fiddler's left pane and click on it. Then in the right pane choose to view it as “Raw”.
- Next, select only the encoded blob in the Raw view, not the whole HTTP POST, and copy it.
- Then click the Encoder toolbar button, which lets you decode the blob. The SAML POST is Base64 encoded, so you have to decode it to read the message. Choose the option “From Base64” to see the decoded Samlp response, as shown below:
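As an added example (not part of the original post), here is a Python script that does offline what the Encoder step above does for a captured POST body, pulls out the fields you check first when a trust fails, and also handles the HTTP-Redirect binding, where a SAMLRequest in the query string is DEFLATE-compressed before Base64 and so needs one more step than “From Base64”. The sample messages, hostnames and the RelayState value are constructed placeholders.

```python
import base64, zlib
import urllib.parse, xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_post_body(form_body: str) -> str:
    # HTTP-POST binding: plain Base64 of the XML (Fiddler's "From Base64"), but percent-encoded in the form.
    fields = urllib.parse.parse_qs(form_body)
    blob = (fields.get("SAMLResponse") or fields["SAMLRequest"])[0]
    return base64.b64decode(blob).decode("utf-8")

def decode_redirect_url(url: str) -> str:
    # HTTP-Redirect binding: Base64 of raw DEFLATE, so wbits=-15 inflates a stream with no zlib header.
    fields = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    blob = (fields.get("SAMLRequest") or fields["SAMLResponse"])[0]
    return zlib.decompress(base64.b64decode(blob), -15).decode("utf-8")

def summarize(xml_text: str) -> dict:
    # The fields to check first when a trust fails, including whether an XML Signature is present at all.
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {"type": root.tag.split("}")[1],
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),
            "status": status.get("Value") if status is not None else None,
            "signed": root.find("ds:Signature", NS) is not None,
            "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)}

# Constructed sample messages (not from a real trace); the hostnames are placeholders.
_XMLNS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')
SAMPLE_RESPONSE = (f'<samlp:Response {_XMLNS} ID="_r1" Version="2.0" Destination="https://sp.example.test/acs">'
                   '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer><samlp:Status>'
                   '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
                   '<saml:Assertion><saml:Subject><saml:NameID>alice@example.test</saml:NameID>'
                   '</saml:Subject></saml:Assertion></samlp:Response>')
SAMPLE_REQUEST = (f'<samlp:AuthnRequest {_XMLNS} ID="_q1" Version="2.0" Destination="https://adfs.example.test/adfs/ls/">'
                  '<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>')

def sample_post_body() -> str:
    # SAMPLE_RESPONSE encoded the way the browser submits the ADFS auto-post form.
    b64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    return urllib.parse.urlencode({"SAMLResponse": b64, "RelayState": "constructed"})

def sample_redirect_url() -> str:
    # SAMPLE_REQUEST encoded as an SP-initiated HTTP-Redirect URL (deflate, then Base64).
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(SAMPLE_REQUEST.encode()) + comp.flush()
    return "https://adfs.example.test/adfs/ls/?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
```

To use it on a real capture, pass the POST body from Fiddler's Raw view to decode_post_body, or the full redirect URL to decode_redirect_url.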
Thanks!
Maybe this is helpful – not thoroughly tested though
http://www.leastprivilege.com/FiddlerInspectorForFederationMessages.aspx
Dominick, I did try out your inspector but it did not parse the SAMLRequest message, only the WS-Fed and Samlp responses. Parsing SAMLRequest is actually not that hard, maybe I will extend your inspector.
Thanks,
Link is dead, moved here: http://leastprivilege.com/2010/09/11/fiddler-inspector-for-federation-messages/
Hey it works for me. Nice to see you have an inspector for it Dominick. I like being able to work with the RAW data myself too.
Thanks for the comment.
Hi Ben,
The first time I log in, I get all the IdP details on the login page. Once I have logged in using one of my IdPs and I log in again, by default the already selected IdP's login page is connected. I want to log in as a different IdP, but I can't get the IdP list. Please help me to solve the problem.
I would use the PersistIdentityProvider value set to true if you mainly have one identity provider that you log in with. The default behavior is it will only remind you every 30 days which one to use. Set it to false if you often switch identity providers, and especially in test mode when you may have many test identity providers. Also know that you can set it to true and customize the HomeRealmDiscovery.aspx.cs page to use a value based on some other property like a cookie or some other programmatic value.
Thanks
Thanks Ben. I solved the issue. The solution is to set persistIdentityProviderInformation to false in the config file.
Thanks Ben for this terrific tip. I have been searching for a week on this issue. Not much out there. This really saved my bacon… We are just starting ADFS at my company. I’ve got a lot to learn but find it fun and interesting. Thanks again.
Being able to trace out the SAML IdP request from idf is a great way to set up a proxy using Fiddler. It helps to generate an HTTP server response so that while running this request you will get to know about the HTTP request/response problem.
Secure Web Access
Thanks for the guide. Worked for me.
There is a more convenient method to view SAML Response in Fiddler. This is described at this blog – http://tech-turf.blogspot.com/2015/09/viewing-samlfederation-response-in.html
IMHO a better description of installation and use of this tool: http://tech-turf.blogspot.nl/2015/09/viewing-samlfederation-response-in.html
Too bad the request is not decoded (this is in the querystring of the URL, e.g. /?SAMLREQUEST=….)
Thanks for your feedback!
Consider a more modern approach and use a Chrome/Edge extension that intercepts SAML, WS-Federation and OAuth messages and decodes them automatically for you: https://chrome.google.com/webstore/detail/saml-ws-federation-and-oa/hkodokikbjolckghdnljbkbhacbhpnkb
Great idea! I will check that out.
You can easily use my site to decode SAML and WS Federation messages. You can paste in directly from Fiddler, and it can also extract certificate(s) from metadata files.
I followed your steps and I get a Service Unavailable error. What might be the issue?
I am guessing ADFS has changed since I wrote my blog post. Any time you see a 503, you should check whether your IIS web site is still running.
I get to see this in the Fiddler Raw tab of the response:
HTTP/1.1 503 Service Unavailable
Content-Length: 62
Connection: close
Cache-Control: no-cache,no-store
Pragma: no-cache
Http/1.1 Service Unavailable