ETOOBUSY 🚀 minimal blogging for the impatient
SAMLRequest inspection
TL;DR
Some message parts in SAML 2.0 require fiddling to see what’s inside.
In SAML 2.0, the SAMLRequest parameter is included in a URL like
this:
https://example.com/?SAMLRequest=...the-request...
where ...the-request... is built as follows:
- start from the XML text that represents the
AuthnRequest - apply the DEFLATE algorithm to obtain a compressed binary string
- apply the Base64 encoding
- apply url encoding to the Base64 string
So, if we start from this example:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59Z"
AssertionConsumerServiceIndex="1">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
we end up with this:
https://example.com/?SAMLRequest=fZFLa8MwEITvhf4Ho3v8ojlksQ0hoWBoS2lKD70UYW%2BIQA9Xu2rdf1%2FFSUqaQ3ScmU87WlUkjR5gGXhnX%2FAzIPHtTRLPaLQlmNxaBG%2FBSVIEVhok4A42y8cHKNMcBu%2FYdU6LS%2B46JonQs3L2yLXrWqgeLautQv9RHOU39BRDtYjMKUkUsLXE0nLU8%2FxuVpSzfP6aL6AsYL54PwaXpxErZykY9Bv0X6qLbI9jLQrRHHLVvi1M1%2FpmxzwQZBkNKY7SDBrTzpls37ussvPkGTzAU3xgu352WnU%2FycGJBbR23yuPkrEW7AOK5M%2B7d95Ivr6jvaL62XaKAntpScUNiSzOPnT5%2F3PNLw%3D%3D
OK, now we received this and want to look inside… what do we do?
This:
cpanfile
84 B
1
2
3
requires 'IO::Uncompress::RawInflate';
requires 'XML::Twig';
requires 'Mojolicious';
saml-request
772 B
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/env perl
use v5.24;
use warnings;
use experimental 'signatures';
no warnings 'experimental::signatures';
use FindBin '$Bin';
use lib "$Bin/local/lib/perl5";
use MIME::Base64;
use IO::Uncompress::RawInflate;
use Mojo::URL;
use XML::Twig;
my $url = shift // die "$0 <url>\n";
my $sreq = get_urlparam($url, 'SAMLRequest');
say "\nSAMLRequest = $sreq\n";
my $xml = decode_saml($sreq);
say pretty_xml($xml);
sub decode_saml ($input) {
my $binary = MIME::Base64::decode_base64($input);
my $output;
IO::Uncompress::RawInflate::rawinflate(\$binary, \$output);
return $output;
}
sub get_urlparam ($url, $name) { Mojo::URL->new($url)->query->param($name) }
sub pretty_xml ($input) {
XML::Twig->new(pretty_print => 'indented')->parse($input)->sprint
}Local versions: cpanfile and saml-request.
If we use Carton, the cpanfile will help us installing the modules. We’re standing on the shoulders of giants here: IO-Compress, XML::Twig, and Mojolicious.
The program does the reverse of the encoding operations described above:
- function
get_urlparamgives us the value of theSAMLRequestURL parameter. Mojo::URL takes care to reverse the url encoding for us; - function
decode_samldoes the heavylifting of turning the encoded value back into an XML string - function
pretty_xmlhelps us pretty-printing the XML text on the output.
Let’s see how it goes:
$ perl saml-request 'https://example.com/?SAMLRequest=fZFLa8MwEITvhf4Ho3v8ojlksQ0hoWBoS2lKD70UYW%2BIQA9Xu2rdf1%2FFSUqaQ3ScmU87WlUkjR5gGXhnX%2FAzIPHtTRLPaLQlmNxaBG%2FBSVIEVhok4A42y8cHKNMcBu%2FYdU6LS%2B46JonQs3L2yLXrWqgeLautQv9RHOU39BRDtYjMKUkUsLXE0nLU8%2FxuVpSzfP6aL6AsYL54PwaXpxErZykY9Bv0X6qLbI9jLQrRHHLVvi1M1%2FpmxzwQZBkNKY7SDBrTzpls37ussvPkGTzAU3xgu352WnU%2FycGJBbR23yuPkrEW7AOK5M%2B7d95Ivr6jvaL62XaKAntpScUNiSzOPnT5%2F3PNLw%3D%3D'
SAMLRequest = fZFLa8MwEITvhf4Ho3v8ojlksQ0hoWBoS2lKD70UYW+IQA9Xu2rdf1/FSUqaQ3ScmU87WlUkjR5gGXhnX/AzIPHtTRLPaLQlmNxaBG/BSVIEVhok4A42y8cHKNMcBu/YdU6LS+46JonQs3L2yLXrWqgeLautQv9RHOU39BRDtYjMKUkUsLXE0nLU8/xuVpSzfP6aL6AsYL54PwaXpxErZykY9Bv0X6qLbI9jLQrRHHLVvi1M1/pmxzwQZBkNKY7SDBrTzpls37ussvPkGTzAU3xgu352WnU/ycGJBbR23yuPkrEW7AOK5M+7d95Ivr6jvaL62XaKAntpScUNiSzOPnT5/3PNLw==
<samlp:AuthnRequest AssertionConsumerServiceIndex="1" ID="identifier_1" IssueInstant="2004-12-05T09:21:59Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
It seems to be working… good.
Enough for today, stay safe folks!