Delphix

How to Collect A SAML Response For SSO Debugging (KBA6076)

 

 

KBA# 6076

Applicable Delphix Versions

Major Release: All Sub Releases

6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0

5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2: 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

How to Task

This document discusses the procedure to collect and decode a SAML trace for SSO and/or Data Control Tower Engine login troubleshooting. This may be required in conjunction with other Delphix Support troubleshooting when general Okta or other IdP events are encountered, such as 400: GENERAL_NONSUCCESS.

Prerequisites

Browser add-ons are recommended for ease of use, though these may not be available for ad-hoc installation depending on administrative restrictions.

Delphix recommends SAML-tracer or others listed at https://www.samltool.com/saml_tools.php

Uninett SAML-tracer - Chrome Web Store

Uninett SAML-tracer - Firefox Add-Ons

Firefox and Chrome - SAML-tracer

  1. Open a new browser window.
  2. Click the SAML-Tracer extension button. 

A new SAML-tracer window opens.

In the SAML-tracer toolbar, a blue highlight on a button indicates an active selection. In this example, Pause is selected, so click it again to un-pause data collection.

Note:

The SAML-tracer will trace ALL SAML exchanges from all browser windows. If it is desirable to isolate logging to only the Delphix application(s) in question, other browser tabs leveraging SSO should be suspended or closed for this data collection.

  3. Reproduce the issue (login, etc.).
  4. Once the issue is reproduced, click Export in the SAML-tracer toolbar. In the Export SAML-trace preferences, select None for "Select cookie-filter profile", and then click Export. Save the file to a known location. This JSON export can be attached to the active Support case for further review.

Note:

If administrative or security policies restrict export of SAML data, selecting other values in this dialog will not produce any information that can be used for diagnosis, and a live review of the JSON via remote session may be required.

Google Chrome - Developer Tools 

The SAML response can be captured by first opening Developer Tools, clicking the Network tab, and enabling the Preserve Log option.

Once enabled, reproduce the behavior of concern. When the problem is reproduced, the Network log can be filtered to only display SAML activity by clicking the Filter icon and adding "SAML" to the text filter box (this should not be case sensitive).

Selecting the network event under the Name column will display details for the selected event. The SAML response can be found by scrolling to the bottom of the right-hand pane.

This SAML response can then be copied and pasted into a text editor of choice, or added to the Support case as needed for further review.

Alternatively, if there are difficulties in locating the event of concern, the log can be exported in its entirety for Support review by right-clicking on any line in the Network tab content (clicking outside of a populated line won't display the required options) and selecting the menu option "Save all as HAR with content".

The resulting file can be attached to the Support case, if file size is less than 20MB. Otherwise, the file can be transferred via upload.delphix.com.

Firefox - Developer Tools 

The SAML response can be captured by first opening Developer Tools and clicking the Network tab.

Then, enable the Persist Logs option by clicking the Settings (gear) icon and selecting "Persist Logs".

Once enabled, reproduce the behavior of concern.  When the problem is reproduced, the Network log can be filtered to only display SAML activity by adding "SAML" to the filter text box (this should not be case sensitive):

Selecting the network event in the Network panel will display details for the selected event. 

Click the Response tab on the right-hand panel to view the SAML response data.

Note that the first time this is performed, a JavaScript warning may appear.

If this occurs, simply toggle the "Raw" slider on the right-hand side of the panel to view the raw data. This SAML response (indicated on line 24 in the example screenshot, with name="SAMLResponse") can then be copied and pasted into a text editor of choice, or added to the Support case as needed for further review.

Alternatively, if there are difficulties in locating the event of concern, the log can be exported in its entirety for Support review by right-clicking on any line in the Network tab content (clicking outside of a populated line won't display the required options), or by clicking the Settings (gear) icon, and selecting the menu option "Save All As HAR".

The resulting file can be attached to the Support case, if file size is less than 20MB. Otherwise, the file can be transferred via upload.delphix.com.
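
Added example (not Delphix code): when the SAMLResponse is hard to locate in the Network tab, the exported HAR can be searched offline. This Python script pulls each POSTed SAMLResponse out of a HAR, base64-decodes it, and reports the status, issuer and destination. The sample HAR, hostnames and status message are constructed, and the function names are illustrative.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_responses(har):
    """Return [(url, xml_text)] for each HAR entry whose request POSTs a SAMLResponse."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        post = req.get("postData") or {}
        # The form field may be recorded as parsed params, as raw body text, or both.
        fields = {p["name"]: unquote(p.get("value", "")) for p in post.get("params") or []}
        if "SAMLResponse" not in fields:
            fields = {k: v[0] for k, v in parse_qs(post.get("text") or "").items()}
        if "SAMLResponse" in fields:
            # HTTP-POST binding: the value is plain base64 of the XML (no DEFLATE step).
            found.append((req["url"], base64.b64decode(fields["SAMLResponse"]).decode("utf-8")))
    return found

def summarize(xml_text):
    """Extract the fields usually checked first when triaging a failed SSO login."""
    if "<!DOCTYPE" in xml_text:  # a SAML message has no DTD; refuse to parse one
        raise ValueError("unexpected DOCTYPE in SAML response")
    root = ET.fromstring(xml_text)
    code = root.find("p:Status/p:StatusCode", NS)
    return {
        "status": code.get("Value").rsplit(":", 1)[-1] if code is not None else None,
        "message": root.findtext("p:Status/p:StatusMessage", default=None, namespaces=NS),
        "issuer": root.findtext("a:Issuer", default=None, namespaces=NS),
        "destination": root.get("Destination"),
    }

# Constructed sample: a failed response inside a two-entry HAR (hostnames are placeholders).
SAMPLE_XML = (
    f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}" '
    'Destination="https://engine.example.com/sso/response">'
    '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '<samlp:StatusMessage>User is not assigned to this application</samlp:StatusMessage>'
    '</samlp:Status></samlp:Response>')
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example.com/login"}},
    {"request": {"method": "POST", "url": "https://engine.example.com/sso/response",
                 "postData": {"mimeType": "application/x-www-form-urlencoded", "params": [
                     {"name": "SAMLResponse", "value": base64.b64encode(SAMPLE_XML.encode()).decode()}]}}}]}}
print([(url, summarize(xml)) for url, xml in saml_responses(SAMPLE_HAR)])
```

To run it against a real export, load the file with `json.load()` and pass the result to `saml_responses()`.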