Monthly Archives: August 2016

[Tutorial] Using Fiddler to debug SAML tokens issued from ADFS

Problem:

Many applications want to federate with leverage certain attributes like nameid (nameidentifier), but the problem is the format is wildly different from one application to another.  In this case, one application might use a unique value like an employee ID, another UPN, another email address, and so on.  Or maybe it isn't an attribute, but you are leveraging SHA1 as your signature hashing algorithm and the application is looking for MD5.

In this case, sometimes you may not be sure what you are sending to the application and are looking to the vendor to help you understand what you need to change in ADFS or if you are working on a custom application, need help debugging your claims rules to integrate into that application.  In this case, I will show you how to leverage Fiddler to acquire the SAML Tokens issued by ADFS to validate what attributes/values you are passing to the federate application.

Tutorial:

  1. Grab the latest copy of Fiddler from their website (it is a free download)
    1. https://www.telerik.com/download/fiddlerDownload Fiddler
  2. Install Fiddler on your local machine
    1. Double click fiddlersetup.exe
      Run fiddlersetup
    2. Agree to the End User License Agreement
      Fiddler Install - Accept EULA
    3. Set the installation directory and click Install
      Fiddler Install - Destination Folder
    4. Close the setup wizard
      Fiddler Install - Close Installation
  3. Launch Fiddler
    Launch Fiddler - Windows 10
  4. Click Cancel if prompted about AppContainers
    Fiddler - AppContainer Configuration - Cancel
  5. With Fiddler open click on Tools -> Telerik Fiddler Options...
    Fiddler - Tools - Telerik Fiddler Options
  6. Click on the HTTPS tab and check Decrypt HTTPS traffic and click OK
    1. Note: you may be prompted to trust a certificate.  You must trust the certificate so Fiddler can intercept your encrypted traffic and decrypt it.  Fiddler will not permanently capture traffic when the application is closed.
      Fiddler - Tools - Telerik Fiddler Options - HTTPS - Decrypt HTTPS traffic
  7. Close out of Fiddler
    Fiddler - Close
  8. Open Fiddler
    Launch Fiddler - Windows 10
  9. Open up Internet Explorer in one window and Fiddler side-by-side.  Drag the Crosshair icon onto Internet Explorer.  This will target only traffic in this process (browser window) to help filter down intercepted traffic.
    Fiddler - Process Selector - Drag Drop
  10. Select the X icon with a dropdown and click Remove all to clear your trace
    Fiddler - X - Remove All
  11. Go to the url of the federated application and login.  In this case, I am going to use https://outlook.com/owa/jackstromberg.com; once you have logged into the application or received the error to your application upon login, click File - Capture Traffic to stop the logs
    Fiddler - File - Capture Traffic - ADFS
  12. Within your logs, look for the last 200 response from your ADFS server before being redirected to your application (which will not show up as a 302, since we are posting to the new URL)
    Fiddler - HTTPS 200 - ADFS - SAML Post
  13. Click on the Inspectors tab, and select the Raw tab at the bottom and copy the value from the hidden input tag with the name of wresult
    Fiddler - Inspectors - Raw - wresult - encoded html
  14. Paste the encoded HTML into my HTML Encoder/Decoder in the Encoded text box and click Decode.
    1. Note: The encoder/decoder is all JavaScript based that functions client/side, so no data will leave your network.
      JackStromberg - HTML Encoder - Decoder - SAML
  15. Copy the Decoded HTML and paste it into an XML formatter of your choice.  Here I am using Bing:
    Bing - XML Formatter - SAML Token
  16. Copy the result into Notepad and you can now read the information
    Notepad - SAML Decoded - Formatted XML

Going into the claim and how it works is outside the scope of this tutorial, but as you can see in the last screenshot above we have the raw SAML token we will send to the relying party trust to consume.  At this point, the vendor can be involved to help troubleshoot any values or attributes that are in an incorrect format.