I am working with a new application that doesn’t seem to like when a person has multiple roles assigned to them … however, I first need to prove that is the problem. Luckily, your browser gets the SAML response and you can actually see the Role entitlements that are being sent. Just need to parse them out of the big 80 meg file that a simple “go here and log on” generates!<\/p>\n\n\n\n
To gather data to be parsed, open the Dev Tools for the browser tab. Click the settings gear icon and select “Persist Logs”. Reproduce the scenario – navigate to the site, log in. Then save the dev tools session as a HAR file. The following Python script will analyze the file, extract any SAML response tokens, and print them in a human-readable format. <\/p>\n\n\n
\n################################################################################\n# This script reads a HAR file, identifies HTTP requests and responses containing\n# SAML tokens, and decodes "SAMLResponse" values.\n#\n# The decoded SAML assertions are printed out for inspection in a readable format.\n#\n# Usage:\n# - Update the str_har_file_path with your HAR file\n################################################################################\n# Editable Variables\nstr_har_file_path = 'SumoLogin.har'\n\n# Imports\nimport json\nimport base64\nimport urllib.parse\nfrom xml.dom.minidom import parseString\n\n################################################################################\n# This function decodes SAML responses found within the HAR capture\n# Args: \n# saml_response_encoded(str): URL encoded, base-64 encoded SAML response\n# Returns:\n# string: decoded string\n################################################################################\ndef decode_saml_response(saml_response_encoded):\n url_decoded = urllib.parse.unquote(saml_response_encoded)\n base64_decoded = base64.b64decode(url_decoded).decode('utf-8')\n return base64_decoded\n\n################################################################################\n# This function finds and decodes SAML tokens from HAR entries.\n#\n# Args:\n# entries(list): A list of HTTP request and response entries from a HAR file.\n#\n# Returns:\n# list: List of decoded SAML assertion response strings.\n################################################################################\ndef find_saml_tokens(entries):\n saml_tokens = []\n for entry in entries:\n request = entry['request']\n response = entry['response']\n \n if request['method'] == 'POST':\n request_body = request.get('postData', {}).get('text', '')\n \n if 'SAMLResponse=' in request_body:\n saml_response_encoded = request_body.split('SAMLResponse=')[1].split('&')[0]\n saml_tokens.append(decode_saml_response(saml_response_encoded))\n \n response_body = response.get('content', {}).get('text', '')\n \n if response.get('content', {}).get('encoding') == 'base64':\n response_body = base64.b64decode(response_body).decode('utf-8', errors='ignore')\n \n if 'SAMLResponse=' in response_body:\n saml_response_encoded = response_body.split('SAMLResponse=')[1].split('&')[0]\n saml_tokens.append(decode_saml_response(saml_response_encoded))\n \n return saml_tokens\n\n################################################################################\n# This function converts XML string to an XML dom object formatted with\n# multiple lines with heirarchital indentations\n#\n# Args:\n# xml_string (str): The XML string to be pretty-printed.\n#\n# Returns:\n# dom: A pretty-printed version of the XML string.\n################################################################################\ndef pretty_print_xml(xml_string):\n dom = parseString(xml_string)\n return dom.toprettyxml(indent=" ")\n\n# Load HAR file with UTF-8 encoding\nwith open(str_har_file_path, 'r', encoding='utf-8') as file:\n har_data = json.load(file)\n\nentries = har_data['log']['entries']\n\nsaml_tokens = find_saml_tokens(entries)\nfor token in saml_tokens:\n print("Decoded SAML Token:")\n print(pretty_print_xml(token))\n print('-' * 80)\n<\/pre><\/div>\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
I am working with a new application that doesn’t seem to like when a person has multiple roles assigned to them … however, I first need to prove that is the problem. Luckily, your browser gets the SAML response and you can actually see the Role entitlements that are being sent. Just need to parse …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[664,1701,326],"class_list":["post-11332","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-python","tag-saml","tag-sso"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11332"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11332\/revisions"}],"predecessor-version":[{"id":11333,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11332\/revisions\/11333"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}