simplesamlphp / SAML-tracer

Browser extension for examining SAML messages
https://addons.mozilla.org/nl/firefox/addon/saml-tracer/
BSD 2-Clause "Simplified" License

Not capturing SAML POSTs #6

Closed guitarmanvt closed 11 years ago

guitarmanvt commented 12 years ago

On Firefox 12 "Mozilla Firefox for Ubuntu canonical - 1.0" (on Ubuntu 11.10).

I'm running an SP on http://127.0.0.1:9000 and an IdP on http://127.0.0.1:8000.

The initial AuthnRequest HTTP POST isn't being captured. The IdP is responding with a 302 and redirecting to a login page. This login page's GET is being captured and reported, instead of the HTTP POST.

Live HTTP Headers is capturing all the POST and GET data. I'll dump it here (with my comments):

# The process starts by trying to browse to an access-controlled page:

http://127.0.0.1:9000/sp/sso/test/

GET /sp/sso/test/ HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: sessionid=f5c3d9388db1516ef6cd4cafccf186f8; csrftoken=a351e6072a5a3e7810c310e4afa32f16

HTTP/1.0 302 FOUND
Date: Fri, 11 May 2012 17:03:02 GMT
Server: WSGIServer/0.1 Python/2.7.2+
Vary: Cookie
Content-Type: text/html; charset=utf-8
Location: http://127.0.0.1:9000/sp/sso/idpselect/?next=/sp/sso/test/
----------------------------------------------------------
# The Service Point presents an IdP Selection Page:

http://127.0.0.1:9000/sp/sso/idpselect/?next=/sp/sso/test/

GET /sp/sso/idpselect/?next=/sp/sso/test/ HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: sessionid=f5c3d9388db1516ef6cd4cafccf186f8; csrftoken=a351e6072a5a3e7810c310e4afa32f16

HTTP/1.0 200 OK
Date: Fri, 11 May 2012 17:03:02 GMT
Server: WSGIServer/0.1 Python/2.7.2+
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=a351e6072a5a3e7810c310e4afa32f16; expires=Fri, 10-May-2013 17:03:02 GMT; Max-Age=31449600; Path=/
----------------------------------------------------------
# The user selects an IdP, then clicks "Continue" on this form.
# NOTE: This POST request is being captured by SAMLTracer.

http://127.0.0.1:9000/sp/sso/idpselect/?next=/sp/sso/test/

POST /sp/sso/idpselect/?next=/sp/sso/test/ HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:9000/sp/sso/idpselect/?next=/sp/sso/test/
Cookie: sessionid=f5c3d9388db1516ef6cd4cafccf186f8; csrftoken=a351e6072a5a3e7810c310e4afa32f16
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
csrfmiddlewaretoken=a351e6072a5a3e7810c310e4afa32f16&idp=http%3A%2F%2F127.0.0.1%3A8000%2Fidp%2Flogin%2F
HTTP/1.0 200 OK
Date: Fri, 11 May 2012 17:03:06 GMT
Server: WSGIServer/0.1 Python/2.7.2+
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=f5c3d9388db1516ef6cd4cafccf186f8; expires=Fri, 25-May-2012 17:03:06 GMT; Max-Age=1209600; Path=/
----------------------------------------------------------
# This POST AuthnRequest isn't being captured!

http://127.0.0.1:8000/idp/login/

POST /idp/login/ HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:9000/sp/sso/idpselect/?next=/sp/sso/test/
Cookie: sessionid=f5c3d9388db1516ef6cd4cafccf186f8; csrftoken=a351e6072a5a3e7810c310e4afa32f16
Content-Type: application/x-www-form-urlencoded
Content-Length: 591
SAMLRequest=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Csamlp%3AAuthnRequest+AssertionConsumerServiceURL%3D%22ACS_URL%22+Destination%3D%22DESTINATION%22+ID%3D%22AUTHN_REQUEST_ID%22+IssueInstant%3D%22ISSUE_INSTANT%22+ProtocolBinding%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST%22+Version%3D%222.0%22+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22%3E%3Csaml%3AIssuer+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3EISSUER%3C%2Fsaml%3AIssuer%3E%3C%2Fsamlp%3AAuthnRequest%3E&RelayState=%2Fsp%2Fsso%2Ftest%2F
HTTP/1.0 200 OK
Date: Fri, 11 May 2012 17:03:08 GMT
Server: WSGIServer/0.1 Python/2.7.2+
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=ed0a152c0d7b8744ef6cec5bd6079a4d; expires=Fri, 25-May-2012 17:03:08 GMT; Max-Age=1209600; Path=/
----------------------------------------------------------
olavmrk commented 11 years ago

SAMLRequest=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%2

That SAML message does not appear to be properly encoded. It is missing the base64 encoding. I'm therefore closing this issue.
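To make the closing comment concrete: under the SAML 2.0 HTTP-POST binding the SAMLRequest form field must carry the base64 encoding of the XML document, and only then be form-urlencoded; the body in the trace above carries url-encoded raw XML, which is why a tracer that base64-decodes the parameter sees nothing usable. The following checker is an added example and is not code from this issue or from SAML-tracer; the AuthnRequest XML and the two request bodies are constructed here to mirror the shape of the one in the trace (with the same placeholder attribute values), and `decode_saml_request` is a hypothetical helper name.

```python
import base64
import binascii
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest, same placeholder values as the document in the issue.
AUTHN_REQUEST_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" '
    'AssertionConsumerServiceURL="ACS_URL" Destination="DESTINATION" '
    'ID="AUTHN_REQUEST_ID" IssueInstant="ISSUE_INSTANT" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Version="2.0">'
    f'<saml:Issuer xmlns:saml="{SAML_NS}">ISSUER</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_http_post_request(xml_text: str, relay_state: str) -> str:
    """Build a form body per the SAML 2.0 HTTP-POST binding:
    base64-encode the XML (no DEFLATE; that is the HTTP-Redirect binding),
    then form-urlencode it as the SAMLRequest parameter."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLRequest": b64, "RelayState": relay_state})


# Constructed: what the reporter's SP posted, i.e. the XML url-encoded directly.
BROKEN_BODY = urllib.parse.urlencode(
    {"SAMLRequest": AUTHN_REQUEST_XML, "RelayState": "/sp/sso/test/"}
)
# Constructed: the same request encoded correctly.
GOOD_BODY = encode_http_post_request(AUTHN_REQUEST_XML, "/sp/sso/test/")
# Constructed: valid base64, but the payload is not XML at all.
NOT_XML_BODY = "SAMLRequest=" + base64.b64encode(b"not xml").decode("ascii")


def decode_saml_request(body: str):
    """Return (ok, detail). detail is the root element tag on success,
    otherwise a short reason describing which layer of the encoding failed."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    values = params.get("SAMLRequest")
    if not values:
        return False, "no SAMLRequest parameter"
    value = values[0]
    try:
        # validate=True matters: without it b64decode silently discards
        # non-alphabet characters and would "decode" raw XML into garbage.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "SAMLRequest is not base64 (raw XML posted?)"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "base64 payload is not well-formed XML"
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"unexpected root element {root.tag}"
    return True, root.tag


if __name__ == "__main__":
    for label, body in (("broken", BROKEN_BODY), ("good", GOOD_BODY), ("not-xml", NOT_XML_BODY)):
        print(label, decode_saml_request(body))
```

Running the module prints a failure reason for the url-encoded-XML body and the namespaced `AuthnRequest` tag for the correctly encoded one; the same three checks (parameter present, strict base64, well-formed XML with the expected root) are what a tracer or an IdP endpoint should apply before trusting anything in the message.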