KB485437: How to capture SAML request and response messages using SAML Chrome Panel

What are SAML messages?

SAML authentication works by exchanging user information between the Identity Provider (IDP) and the Service Provider (SP) through SAML messages. These contain details such as user login, authentication state, audience and relevant attributes such as group memberships, full name, etc. 
The Service Provider, here a Strategy application, creates a SAML request which informs the IDP that a user intends to authenticate. This SAML request will be submitted by the client browser, attached to a HTTP(S) request to the SAML endpoint of the IDP. The Identity Provider will process the SAML request, request the user to authenticate and subsequently provide a SAML response that is forwarded back to the SP by the client browser. 

What is SAML Chrome Panel?

SAML messages can be captured using HTTP tracing tools. SAML Chrome Panel is an add-on for Google Chrome, that allows to capture and read SAML request and responses in Chrome Developer Tools.

How to install SAML Chrome Panel?

1. Go to Google Chrome Web Store: https://chrome.google.com/webstore
2. Search for SAML Chrome Panel
3. Select “Add to Chrome”

How to use SAML Chrome Panel?

1. Open Google Chrome
2. Open Chrome Developer Tools by going to Chrome Menu > More Tools > Developer Tools.

1. Select the SAML tab:

1. In the URL bar, type the address of the SAML enabled Strategy application and complete the authentication. The SAML Chrome Panel will show the SAML messages exchanged, if any as seen below:

1. The SAML request and response can either be copied into a text file or exported to JSON using the export button.

What to look for in the SAML response?

Common authentication issues leading to an “Error on Login” error page may include:

1. Audience restriction does not correspond to SP entity ID specified on the Strategy SAML configuration page.

1. Authentication statement is too old.

Action

• For Strategy applications older than M2021 Update 4, refer to: https://community.Strategy.com/s/article/KB440621-Authentication-statement-is-too-old-error-preventing-user-from-login-into-Strategy-using-SAML?language=en_US.
• For Strategy applications M2021 Update 4 or newer, refer to: https://www2.Strategy.com/producthelp/Current/SystemAdmin/WebHelp/Lang_1033/Content/saml_customization_web.htm#set_auth_age

 
Common issues after SAML authentication completed but user is unable to log into a Strategy project may include:

1. NameID value does not correspond to user logon name set in the Strategy user editor

1. User information such as full name and group membership do not reflect after login. Verify that the attribute names for user information and groups correspond exactly to the name set in mstrSamlConfig.xml:

THIRD PARTY SOFTWARE INSTALLATION WARNING:
The third-party product(s) discussed in this technical note is manufactured by vendors independent of Strategy. Strategy makes no warranty, express, implied or otherwise, regarding this product, including its performance or reliability.