SAML Test Tools

Test Users

In order to properly test or troubleshoot your SAML 2.0 integration, it is recommended to create dedicated test accounts via your Afrilas dashboard. As soon as you are ready to deploy to production, delete or disable your test users.

Testing Your SAML 2.0 Setup

SAMLTEST.ID is a web-based SAML 2.0 IdP and SP testing service. They use Shibboleth as a reference implementation, but any SAML 2.0-compliant provider is supported.

Various other tools and browser plugins are freely available online to help you test, troubleshoot and integrate SAML.

SAML Troubleshooting

Viewing SAML Responses

To troubleshoot login issues, it can be helpful to retrieve SAML responses with your browser. Go to the page where you can reproduce the issue, then follow the steps for your browser.

Important

The SAMLResponse attribute contains the Base64-encoded response; use a Base64 decoder to inspect the decoded response.

Mozilla Firefox

  1. Press F12 to start the developer console.
  2. In the upper right of the developer tools window, click options (the small gear icon).
  3. Under Preferences, enable persistent logs.
  4. Select the Network tab.
  5. Reproduce the issue.
  6. Look for a 200 POST in the table. Select that row.
  7. In the window on the right, select HTML, then the Request tab to find the SAMLResponse.

Alternatively, you can install the SAML Tracer addon in Firefox.

Google Chrome

  1. Press F12 to start the developer console.
  2. Select the Network tab, and then select Preserve log.
  3. Reproduce the issue.
  4. Look for a SAML Post in the developer console pane.
  5. Select that row, and then view the Headers tab at the bottom.
  6. Look for the SAMLResponse attribute that contains the encoded response.

Alternatively, you can install the SAML Tracer addon for Google Chrome.

Apple Safari

  1. Enable Web Inspector in your Safari browser.
  2. Open the Preferences window, select the Advanced tab, and then select Show Develop menu in the menu bar.
  3. Now you can open the Web Inspector. Click Develop, then select Show Web Inspector.
  4. Select the Resources tab.
  5. Reproduce the issue.
  6. Look for a POST method with a samlconsumer file in the table.
  7. Scroll down to find the SAMLResponse Request Data.

SAML Response Example

A SAML response is sent by the Identity Provider to the Service Provider via the user agent. If the user succeeded in the authentication process, the response contains the Assertion with the NameID attributes of the user.

Note that the SAML response itself is encoded; use a Base64 decoder to investigate the decoded response.

Example of a decoded response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_8946f21ddad0f33a1b3b73c6f7670488809c8a5ced"
                Version="2.0"
                IssueInstant="2021-03-12T07:59:22Z"
                Destination="https://www.example.com/a/example.com/acs"
                InResponseTo="ngdbfhkjgcinjgciekdkmcodngnbjjockmipojpe">
    <saml:Issuer>acmeinc.idp.afrilas.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_8946f218809c8a5cedddad0f33a1b3b73c6f767048">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>XF5Hnfy+YoztcwyXTC9e+tmTbZZqNgrAApCXTNW6g7E=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_8946f21ddad0f33a1b3b73c6f7670488809c8a5ced"
                    Version="2.0"
                    IssueInstant="2021-03-12T07:59:22Z"
                    >
        <saml:Issuer>acmeinc.idp.afrilas.com</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_1b0d110119c47bdfe883faf3190592580c2b66c485">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>oSindHMARd+v6SDf+O59J4AYs0psB15/6pBs0RmBXgo=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>...</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIE/TCCAuWgAwIBAgIUeFS12UzyWfBWAxtotn4/XsZjOccwDQYJKoZIhvcNAQELBQAwDjEMMAoGA1UEAwwDaWRwMB4XDTIxMDEyOTA5MDcwOVoXDTMxMDEyNzA5MDcwOVowDjEMMAoGA1UEAwwDaWRwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymWmOvbEpB35Wex2a6nHrykgaA64+lw5/LuS/LkE5li6kWyrjGwFa/ISdyaohbkQd/DzmwIQBk9UEL5hINgBvpK7J6tAitOpNtnlK4533Ou0kMDeW+vw9z2STRULDU9gYwei7ptWewOJapYxx7ZRzE5iJ6aor2DiBfNpefoVX6WzgS4gxH9UXpl2/UMI8Zfss3f56g3lwy97nIToY56AHfEHWxn7kp+rTZuf+5xRqG/Xow0nNNuTwYuHAIhNgoJEWb4yBIO/Kcy2IWBnNFlIq/QbfOlrOWbwsRF9dkY0qpWoF+lFaGoyNmvJC4zsU0+5+uPZyNpbGrd/V3gUSverPELUcEtudCagFjYlZfExnwg5NdtLd66PozUhJzgy1HRpvshQuZzUVDBCvVok2hFK4TmJQ4t1BUNskzskCVuZPAyWEC1+gv4CBpPSMBXjiHQqXTk41F2uXwVIgOTV00bA1Vwayp0iFxDKckpBMxHkP5fGsOUS1VzMZB0gN4aQ1XV9MsqBQ9dqwuU90UyEC6CxEalU70Hp3uoDNPuhwz/VPw6VznQf9+bj01+ufwvhHpoK4rwJB9VETCYp5K2njTWCpJVv/wk+JedOnK/ylnuN1/qH//4ZSfJF1o0FrzNeo+ri6/taPvWt5ZTxfvUBvgU1XAGuO0HWy1UxLLtpRK/jojcCAwEAAarcmoq7vfY89zG4JV5NAhQ4vgsINTMFEwHQYDVR0OBBYEFMMB8GA1UdIwQYMBaAFMrcmoq7vfY89zG4JV5NAhQ4vgsIMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGVrMbWSSRT/3Ywd9dwFS5iLLpnEkpFhplJHeGW8M2SuIneU38IImeUVafJwEi6tIpRMtBIx8EeCxLsbWBtgE4exSLUWGl5wwhIWzQwECH+S1wy6BviwviPjiaRl2AJmlPcluCrxvUXk+olHFmctpQe4Os+vsOV1ZhBx363XYzEDTQdlF1PJLGqnHedCcSQjKWo738zfDR7qLT28o3yYrM2Qb2+kGa9iW/8zJOqVy4ACZPwUJtEuMmauahmcJpWi4q6HvTEoo3wDzXFbhaYGqCfeUv4LPWzkYDCmOFn5s8Url9uelk5mDKnnG/LlPwU92TE/H2tLh8l9TTRwhC9cRbj0B0ZrEtQQdFUBNnOMKQhIITxBv/jUEr1+FWrL5rE3R3Sw3PtVQdsE8PIYDd7F/NROrUKcZRJgdxH65eITjyyl2xinlTW25I6EoaZXESvZu0VeRBz/X0HZ+py1ZoVaL5ExTSUFIAYjz/1seLa2xZb68YtD3pArcYiGlVp5DiMVm1xtaXIuMj9mnKPHVGvGwriFUDw5W+XpMJ3yvVsvI3pFRpij+/sJLNyKxPn7lm7QdgsjwPuhUm3xB8diTQr7FT+c3q5sSrtSTzoOOHgrvpu4MpTwwwZ8kPz5fRbe9oU+Jq533V2U0yQMoQMG9BkfHEaGuq0iZI2kuJo0EKr9V4Da</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="example.com"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                         >jane.doe@example.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2021-03-12T08:04:22Z"
                                              Recipient="https://www.example.com/a/example.com/acs"
                                              InResponseTo="ngdbfhkjgcinjgciekdkmcodngnbjjockmipojpe"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2021-03-12T07:58:52Z"
                         NotOnOrAfter="2021-03-12T08:04:22Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>example.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2021-03-12T07:59:22Z"
                             SessionNotOnOrAfter="2021-03-12T15:59:22Z"
                             SessionIndex="_f7e4afae8ac37998e947c29a5a6bafa27b7ac1a48a"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="uid"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">janedoe</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="nextauthpk"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmT-P5UtrqWtTPKn7l1cqfdoCCiRj9qjHWVLLfDea7H5LDBJBTb9ZVG5fTlnNMzdypNdd6b4xiELnhKqhxsMwPA</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="admin"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">false</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="createdat"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">2021-02-19T08:41:01+00:00</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="displayname"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">Jane Doe</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="mail"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">jane.doe@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sourceid"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">freeipa</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="updatedat"
                            NameFormat=""
                            >
                <saml:AttributeValue xsi:type="xs:string">2021-02-19T08:41:01+00:00</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
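
Added example (not part of the original page and not Afrilas code): a local Python decoder for the SAMLResponse value captured with the browser steps above, which also pulls out the fields that usually explain a failed login. The function names and the sample input are this example's own; the sample is constructed, trimmed and unsigned, and no signature validation is performed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_response(form_value):
    """Undo form URL-encoding and line breaks, then Base64-decode to XML bytes."""
    b64 = "".join(urllib.parse.unquote(form_value).split())
    xml_bytes = base64.b64decode(b64, validate=True)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    return xml_bytes

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def summarize(xml_bytes, now):
    """Collect the fields that usually explain a failed login (no signature check)."""
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    cond = root.find(".//saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    return {
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"), "in_response_to": root.get("InResponseTo"),
        "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        "within_validity_window": (nb is None or _utc(nb) <= now) and (noa is None or now < _utc(noa)),
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in root.iterfind(".//saml:Attribute", NS)},
    }

# Constructed sample: trimmed, unsigned response modelled on this page's example.
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="req-1" '
    'Destination="https://www.example.com/a/example.com/acs"><saml:Issuer>acmeinc.idp.afrilas.com'
    '</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status><saml:Assertion><saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID>'
    '</saml:Subject><saml:Conditions NotBefore="2021-03-12T07:58:52Z" NotOnOrAfter="2021-03-12T08:04:22Z">'
    '<saml:AudienceRestriction><saml:Audience>example.com</saml:Audience></saml:AudienceRestriction>'
    '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>janedoe'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_FORM_VALUE = urllib.parse.quote(base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")
if __name__ == "__main__":
    print(summarize(decode_saml_response(SAMPLE_FORM_VALUE), datetime.now(timezone.utc)))
```

Pass the value copied from the browser's request payload to `decode_saml_response` in place of `SAMPLE_FORM_VALUE`; decoding locally keeps the assertion and its user attributes off third-party decoder sites.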