Security Assertion Markup Language (SAML) is an XML based Identity federation language standard that among other features enables Single Sign On (SSO).
When a SAML 2.0 connector is created in a customer's Identity Provider (IdP) service and used to log in with an Adobe Federated account, a complex workflow occurs in the background which is mostly invisible to the user.
Part of this workflow is the passing and assertion of four key attributes:
When these attributes are correctly passed, they 'assert' the identity of the user attempting to log in and create a federated trust between an Identity Provider (IdP - Customer service) and a Service Provider (SP - Adobe service) and SSO succeeds.
When there is a problem, it is useful for Adobe's customers and customer support staff to be able to trace these SAML assertions occuring between the IdP and SP.
A SAML Trace shows important values such as the Assertion Consumer Service URL, Issuer URL, and four key SAML 2.0 attributes.
SAML tracers are available in the form of Internet Browser Add-ons/Extensions are free to download and require no special permissions or other software.
Two of the most popular Add-ons are:
Firefox browser SAML Tracer Add On: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
Google Chrome browser SAML Chrome Panel Browser Extension:
It is recommended to install and use the Tracer on the client system with the user account that is experiencing the SSO issue. Note the links and steps provided here were correct at time of publishing.
Otherwise for general SSO testing, the Tracer can be installed and run from any client system and any Federated user account on the same network.
We are using the Firefox SAML Tracer Add-On, for example here:
Click the SAML tracer Add-on menu element and a new two-part browser. Trace window appears as shown. The upper half of the Trace Window shows the rolling HTTP POST, GET, and OPTIONS methods occurring in real time. The lower half of the Trace Window shows expanded details of each method when it is clicked.
Note: Deselecting Autoscroll when performing SAML analysis improves your experience.
You may now inspect the output as it appears or cut and paste to a text editor and validate items such as:
- This output in it's entirety with no modification should be provided along with other details of the issue to Adobe Customer Care when reporting a suspected SSO issue.
- The case syntax of SAML assertion field names, for example: NameID, Email, FirstName, and LastName are crucial to SSO succeeding and can be quickly identified and modified in a customer's IdP configuration when required.
- The values of each assertion are also validated between Adobe account name to customer Directory service account name (for example: Active Directory).
- When the SSO issue has been resolved, perform a fresh SAML trace and save a copy of the output to be used as a reference of a successful SSO login in the environment.