Sunday, September 29, 2013

SAML 2.0 message debugging

The methods I have been using so far to debug SAML requests and responses are BurpSuite and ordinary Java debugging.

The problems with BurpSuite are that it must be set up as a browser proxy, and that it cannot be used to decode SAML messages in the Redirect binding: it did not have the ability to inflate (decompress) them.

Obviously, Java debugging is not always an option, since applications may not be Java-based and source code is not always available. Adding to the pain, it requires setting up an IDE too.

Recently I came across the web-based SAML 2.0 Debugger [1] from the SimpleSAMLphp guys, and it is the best solution for SAML message debugging!

It contains both a decoder and an encoder. For decoding, we just have to capture the message using a tool like LiveHTTPHeaders for Firefox or Chrome's Developer Tools and paste it into the decoder.

The only thing I miss in it is the ability to pretty-print the XML, but that is not a big deal: we can use an online tool like [2] or, if Ubuntu-based (like me), the Geany editor [3] with the XML pretty-printer add-on installed.
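The two steps the post describes by hand, decoding a captured SAMLRequest or SAMLResponse value (including the DEFLATE-compressed Redirect binding that BurpSuite could not handle) and then pretty-printing the XML, can also be done offline with the Python standard library. The script below is an added example, not code from the original post, from SimpleSAMLphp or from the SAML 2.0 Debugger; the AuthnRequest, the `sp.example.test` / `idp.example.test` hostnames and the function names are constructed for illustration. It distinguishes the two bindings by checking whether the base64-decoded bytes already start with an XML tag (POST binding) or still need raw inflating (Redirect binding).

```python
import base64
import urllib.parse
import zlib
from xml.dom import minidom

# Constructed sample AuthnRequest; not taken from any real deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2013-09-29T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text: str) -> str:
    """Encode as the HTTP-POST binding does: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_message(value: str) -> str:
    """Decode a SAMLRequest/SAMLResponse parameter value from either binding.

    Handles URL-encoding, base64 and the raw DEFLATE used by the Redirect binding.
    The POST binding is base64 only, so the decoded bytes already start with '<'.
    """
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    # Redirect binding: the base64 payload is raw-deflated XML.
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def decode_from_url(url: str) -> str:
    """Pull SAMLRequest or SAMLResponse out of a captured Redirect-binding URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in params:
            return decode_saml_message(params[name][0])
    raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")


def pretty_print(xml_text: str) -> str:
    """Indent the single-line XML so it is readable, like the editor add-on would."""
    return minidom.parseString(xml_text).toprettyxml(indent="  ")


if __name__ == "__main__":
    # Round-trip the constructed request through the Redirect binding and print it.
    captured = "https://idp.example.test/sso?SAMLRequest=" + encode_redirect(SAMPLE_AUTHN_REQUEST)
    print(pretty_print(decode_from_url(captured)))
```

Paste the value copied from LiveHTTPHeaders or the Developer Tools into `decode_saml_message`, or the whole redirect URL into `decode_from_url`; the `+`, `/` and `=` characters of base64 are percent-encoded in a real redirect URL, which is why the value is URL-decoded before the base64 step.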