Troubleshooting WS-Federation and SAML2 Protocol

    Published by Matias Woloski on April 16th, 2011 3:20 pm under ADFS, Identity, Windows Identity Foundation


    During the last couple of years we have helped companies deploy federated identity solutions using the WS-Fed and SAML2 protocols with products like ADFS and SiteMinder on various platforms. Claims-based identity has many benefits, but like every solution it has its downsides. One of them is the additional complexity of troubleshooting issues when something goes wrong, especially when things are distributed and in production. Since authentication is outsourced and is no longer part of the application logic, you need some way to see what is happening behind the scenes.

    I’ve used Fiddler and HttpHook in the past to see what’s going on on the wire. These are great tools, but they are developer-oriented. If the user who is having trouble logging in to an app is not a developer, then things get more difficult. You have two options:

    • Either you have some kind of server side log with all the tokens that have been issued and a nice way to query those by user
    • Or you have some kind of tool that the user can run and intercept the token

    Fred, one of the guys working on my team, had the idea a couple of months ago to implement the latter. So we coded together the first (very rough) version of the token debugger. The code is really simple: we embed a WebBrowser control in a WinForms app and inspect the content in the Navigating event. If we detect a token being posted, we show it.

    Let’s see how it works. First you enter the URL of your app. In this case we are using wolof (the tool we use for the backlog), which is a Ruby app that speaks the WS-Fed protocol.


    After clicking the Southworks logo and entering my Active Directory account credentials, ADFS returns the token and it is POSTed to the app. At that moment, we intercept it and show it.
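    As an added example (not the token debugger’s own code), here is that inspection step in Python: given the form body of the POST, it recognizes a WS-Fed sign-in response (wa=wsignin1.0 with a wresult) and pulls out the fields you would look at first when troubleshooting: issuer, audience, validity window, claims and whether the token carries a signature. The RSTR sample and its hostnames are constructed.

```python
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed RSTR as ADFS posts it to a WS-Fed relying party (XML signature omitted).
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_c0ffee"
    Issuer="http://adfs.example.test/adfs/services/trust">
   <saml:Conditions NotBefore="2011-04-16T18:20:00Z" NotOnOrAfter="2011-04-16T19:20:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://wolof.example.test/</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>matias</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
     <saml:AttributeValue>Matias</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
     <saml:AttributeValue>Admin</saml:AttributeValue><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
# The form body the relying party receives: this is what the debugger sees in the Navigating event.
SAMPLE_POST_BODY = urlencode({"wa": "wsignin1.0", "wctx": "rm=0&id=passive", "wresult": SAMPLE_WRESULT})

def is_wsfed_signin(body: str) -> bool:
    """True when a form POST body is a WS-Fed sign-in response (wa=wsignin1.0 with a wresult)."""
    form = parse_qs(body)
    return form.get("wa") == ["wsignin1.0"] and "wresult" in form

def summarize_token(body: str) -> dict:
    """Pull out what a troubleshooter checks first: issuer, audience, validity window, claims, signed?"""
    if not is_wsfed_signin(body):
        raise ValueError("not a WS-Federation sign-in response")
    root = ET.fromstring(parse_qs(body)["wresult"][0])
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 1.1 assertion inside wresult")
    cond = assertion.find("saml:Conditions", NS)
    cond = cond.attrib if cond is not None else {}
    claims = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        claims[claim_type] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": assertion.get("Issuer"),
            "audience": assertion.findtext(".//saml:Audience", namespaces=NS),
            "not_before": cond.get("NotBefore"), "not_on_or_after": cond.get("NotOnOrAfter"),
            "signed": root.find(".//ds:Signature", NS) is not None, "claims": claims}
```

    An unsigned token, a wrong audience or an expired validity window are the usual reasons a relying party rejects a sign-in, so these are the fields worth surfacing before reading the raw XML.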


    You can do two things with the token: send it via email (to someone who can read it) or continue with the usual flow. If there is another STS in the way, it will also show a second token.


    Since I wanted to have this app handy, I enabled ClickOnce deployment and deployed it to AppHarbor (which works really well, by the way).

    If you want to use it, browse to http://miller.apphb.com/ and launch the ClickOnce app.

    If you want to download the source code or contribute, the project is at https://github.com/federicoboerr/token-requestor
