This article explains how to use publicly available browser add-ons to perform a SAML Trace when troubleshooting SSO.

Environment

Customer with a Federated Adobe domain and SSO configured.

Steps

What is a SAML Trace?

Security Assertion Markup Language (SAML) is an XML-based identity federation standard that, among other features, enables Single Sign-On (SSO).

When a SAML 2.0 connector is created in a customer's Identity Provider (IdP) service and used to log in with an Adobe Federated account, a complex workflow occurs in the background that is mostly invisible to the user.

Part of this workflow is the passing and assertion of four key attributes:

  • NameID
  • Email
  • FirstName
  • LastName

When these attributes are correctly passed, they 'assert' the identity of the user attempting to log in, a federated trust is established between the Identity Provider (IdP, the customer's service) and the Service Provider (SP, the Adobe service), and SSO succeeds.

When there is a problem, it is useful for Adobe's customers and customer support staff to be able to trace the SAML assertions occurring between the IdP and the SP.

A SAML Trace shows important values such as the Assertion Consumer Service URL, the Issuer URL, and the four key SAML 2.0 attributes.

What do I need to perform a SAML Trace?

SAML tracers are available as Internet browser Add-ons/Extensions that are free to download and require no special permissions or other software.

Two of the most popular Add-ons are:

Firefox browser SAML Tracer Add-on:

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

Google Chrome browser SAML Chrome Panel Browser Extension:

https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en

How do I perform a SAML Trace?

It is recommended to install and use the Tracer on the client system and with the user account that is experiencing the SSO issue. Note that the links and steps provided here were correct at the time of publishing.

Otherwise, for general SSO testing, the Tracer can be installed and run from any client system with any Federated user account on the same network.

The Firefox SAML Tracer Add-on is used in the example below:

  1. Using the Firefox browser, download and install the SAML Tracer Add-on via the link provided earlier.

  2. When installation completes, note the new orange SAML tracer Add-on menu element in the Firefox menu bar as shown:

  3. Click the SAML tracer Add-on menu element and a new two-part Trace Window appears as shown. The upper half of the Trace Window shows the rolling HTTP POST, GET, and OPTIONS methods occurring in real time. The lower half of the Trace Window shows expanded details of whichever method is clicked.

    Note: Deselecting Autoscroll when performing SAML analysis improves your experience.

  4. Arrange the Trace Window and the Main Window so that both are visible simultaneously. Then navigate to www.adobe.com and click Sign In as shown:

  5. Provide the Adobe account login credentials, selecting Enterprise ID when prompted, and note the HTTP POST, GET, and OPTIONS methods rolling upwards in the Trace Window.

    Note the occasional orange SAML tags shown at the far right, indicating SAML assertions being passed.

  6. When login has completed, or has reproduced the issue being investigated, locate in the Trace Window and click the POST method whose URL ends in accauthlinktest (this is the ACS URL) as shown.

  7. Note the three filter tabs in the lower half of the Trace Window: HTTP, Parameters, and SAML. Click SAML to filter for SAML assertions as shown:

  8. You may now inspect the output as it appears, or copy and paste it into a text editor, and validate items such as:

    a. The Signature and Digest method hash algorithms (SHA-1 is shown in this example):


    b. The Assertion Consumer Service (ACS) URL, also known as the Reply URL:


    c. The Issuer URL / Entity ID:


    d. The four SAML attribute assertions, including their format and value:


    e. The X.509 certificate being passed between the IdP and the SP:


    f. The currently permitted time skew and SAML TTL (Time-To-Live) values:


Ok great, now what do I do with the output?

  • This output, in its entirety and unmodified, should be provided along with other details of the issue to Adobe Customer Care when reporting a suspected SSO issue.
  • The letter case of the SAML assertion field names (NameID, Email, FirstName, and LastName) is crucial to SSO succeeding; a mismatch can be quickly identified in the trace and corrected in the customer's IdP configuration when required.
  • The value of each assertion should also be validated against the Adobe account name and the corresponding account in the customer's directory service (for example, Active Directory).
  • When the SSO issue has been resolved, perform a fresh SAML trace and save a copy of the output as a reference for a successful SSO login in the environment.
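The checks listed in step 8 and the case-sensitivity point above can be run mechanically over the decoded XML shown under the tracer's SAML filter. The script below is an added example written for this article; it is not Adobe's code and not part of either tracer add-on. The sample response, its hostnames (under example.invalid), certificate body and timestamps are constructed placeholders, and the 120-second clock-skew default is an assumption for illustration, not Adobe's actual tolerance.

```python
# Added example: inspect a decoded SAML 2.0 Response for the items step 8 lists. Stdlib only, Python 3.7+.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRIBUTES = ("Email", "FirstName", "LastName")  # exact case the SP expects
# Constructed sample (hosts, certificate and timestamps are placeholders, not real Adobe or customer
# values). It deliberately carries two defects to look for: SHA-1 methods and a lower-case "email".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:18:00Z" Destination="https://sp.example.invalid/accauthlinktest">
 <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:18:00Z">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:23:00Z" Recipient="https://sp.example.invalid/accauthlinktest"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:17:00Z" NotOnOrAfter="2024-01-15T10:23:00Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

def decode_saml_response(post_value: str) -> str:
    """The SAMLResponse POST parameter is base64; the tracer's SAML filter shows it decoded."""
    return base64.b64decode(post_value).decode("utf-8")

def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC with a trailing Z

def inspect_response(xml_text: str, now: datetime, skew_seconds: int = 120) -> dict:
    """Return the step 8 values plus a list of findings (empty means nothing looked wrong)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    findings = []
    # 8a: signature and digest methods. SHA-1 is deprecated for XML signatures.
    signed_info = assertion.find("ds:Signature/ds:SignedInfo", NS)
    sig_method = signed_info.find("ds:SignatureMethod", NS).get("Algorithm")
    digest_method = signed_info.find("ds:Reference/ds:DigestMethod", NS).get("Algorithm")
    for label, alg in (("signature", sig_method), ("digest", digest_method)):
        if alg.endswith("sha1"):
            findings.append(f"{label} method uses SHA-1 ({alg}); prefer SHA-256")

    # 8b/8c: ACS URL (Response Destination, mirrored in Recipient) and Issuer / Entity ID.
    acs_url = root.get("Destination")
    recipient = assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient")
    if recipient != acs_url:
        findings.append(f"Recipient {recipient} differs from Destination {acs_url}")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)

    # 8d: NameID plus the three named attributes; attribute names are case-sensitive.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {
        a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
        for a in assertion.findall(".//saml:Attribute", NS)
    }
    for required in REQUIRED_ATTRIBUTES:
        if required not in attributes:
            near = [n for n in attributes if n.lower() == required.lower()]
            hint = f" (IdP sends '{near[0]}': case mismatch)" if near else ""
            findings.append(f"missing attribute {required}{hint}")

    # 8f: validity window; the SP tolerates only a small clock skew either side (120 s assumed here).
    cond = assertion.find("saml:Conditions", NS)
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=skew_seconds)
    within = not_before - skew <= now < not_on_or_after + skew
    if not within:
        findings.append(f"assertion not valid at {now.isoformat()}; check clock skew")

    return {
        "issuer": issuer,
        "acs_url": acs_url,
        "signature_method": sig_method,
        "digest_method": digest_method,
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "attributes": attributes,
        "certificate_present": assertion.find(".//ds:X509Certificate", NS) is not None,  # 8e
        "ttl_seconds": int((not_on_or_after - not_before).total_seconds()),
        "within_window": within,
        "findings": findings,
    }
```

To use it on a real trace, replace SAMPLE_RESPONSE with the XML copied from the SAML filter (or pass the raw SAMLResponse POST value through decode_saml_response first) and call inspect_response with the current UTC time. A non-empty findings list is what to raise with the IdP administrator, and the full dictionary is a compact summary to attach to a Customer Care case alongside the unmodified trace.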

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
