mgoswami
Article Id 277397
Description

This article describes how to read SAML logs with the output obtained from the following commands:

 

diag debug application samld -1
diag debug enable

Scope

FortiGate.
Solution

This article uses SAML login as an example.

 

Once the user enters the credentials and tries to connect, the following output is seen on the FortiGate.

The request arrives at the FortiGate (the SP), and the FortiGate redirects the client to the IDP for authentication.

Once the IDP has authenticated the user, it redirects the client back to the SP, which authorizes the user.

 

The following is the redirection to the SAML IDP issued by the FortiGate. This redirect is sent to the client by the FortiGate.

 

Focus on the following fields from the log:


Destination="https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2" <- This is the IDP URL the client is redirected to. It is the Assertion CS URL configured in the FortiGate under the IDP configuration.

 

[Image: SAML1.PNG]

ID: _838F60F6BF4143F97B99446E866BFDDA <- This is the ID of this request. The complete authentication process is tracked with this ID.

 

Issuer: http://10.5.24.116:10443/remote/saml/metadata/ <- This is the SP URL that is issuing the redirection to the IDP via the client. It is the Entity ID configured in the FortiGate SAML SP configuration.

 

[Image: SAML2.PNG]

__samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [467]:
**** AuthnRequest URL ****
https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2?SAMLRequest=[URL-encoded AuthnRequest omitted]&RelayState=magic%3D229ae47d0cee7bb9
__samld_sp_create_auth_req [481]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_838F60F6BF4143F97B99446E866BFDDA" Version="2.0" IssueInstant="2023-10-03T14:30:39Z" Destination="https://login.microsoftonline.com/3079dba8-7986-efgh-abcd-932b3a9f3872/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://x.x.x.x:10443/remote/saml/login">
  <saml:Issuer>http://10.5.24.116:10443/remote/saml/metadata/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
__samld_sp_create_auth_req [486]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2">
  <lasso:Request>
    <samlp:AuthnRequest ID="_838F60F6BF4143F97B99446E8FDDA" Version="2.0" IssueInstant="2023-10-03T14:30:39Z" Destination="https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://x.x.x.x:10443/remote/saml/login">
      <saml:Issuer>http://x.x.x.x:10443/remote/saml/metadata/</saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
    </samlp:AuthnRequest>
  </lasso:Request>
  <lasso:RemoteProviderID>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</lasso:RemoteProviderID>
  <lasso:MsgUrl>https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2?SAMLRequest=[URL-encoded AuthnRequest omitted]&amp;RelayState=magic%3D229ae47d0cee7bb9</lasso:MsgUrl>
  <lasso:MsgRelayState>magic=229ae47d0cee7bb9</lasso:MsgRelayState>
  <lasso:HttpRequestMethod>4</lasso:HttpRequestMethod>
  <lasso:RequestID>_838F60F6BF4143F97B99446E866BFDDA</lasso:RequestID>
</lasso:Login>

 

The following is the response from the IDP. The client receives it from the IDP and forwards it to the FortiGate.

Here, the SAML Authentication Statement and the SAML Attribute Statement can be seen.

The SAML Authentication Statement states that the subject was authenticated by a given authentication method at a given time.

The SAML Attribute Statement carries the attributes the IDP provides for the user.

 

Destination="https://10.5.24.116:10443/remote/saml/login" <- Since this is the response from the IDP, the Destination is the Assertion CS URL of the SP, as configured on the FortiGate.

 

InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" <- This is the ID of the request the IDP is responding to. It must match the ID field of the request above.

 

IssueInstant="2023-10-03T14:30:43.494Z" <- The time when the Response was sent by the IDP.

 

Issuer: https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/ <- This will be the Entity ID of the IDP.

 

Certificate: The X509Certificate in the response is the IDP signing certificate. It must match the IDP certificate imported in the FortiGate; compare the two if any certificate errors are encountered.

 

Recipient="https://x.x.x.x:10443/remote/saml/login" <- This will be the same as the Destination.

 

Audience: http://x.x.x.x:10443/remote/saml/metadata/ <- This will be the SP Entity ID.

 

Attribute Name / AttributeValue pairs are the attributes that the IDP sends for the user.

 

NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z" <- These are the assertion conditions: the assertion is only valid between NotBefore and NotOnOrAfter.

 

__samld_sp_login_resp [832]:
SP Login Response Msg Body
<samlp:Response ID="_e97609ab-3a4e-4999-b3b7-c159fc2fbdc4" Version="2.0" IssueInstant="2023-10-03T14:30:43.496Z" Destination="https://x.x.x.x:10443/remote/saml/login" InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/3079dba8-5826-40be-abcb-85db3a9f3872/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_91d40c9a-b665-42d1-bf93-0784cd894b00" IssueInstant="2023-10-03T14:30:43.494Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_91d40c9a-b665-42d1-bf93-0784cd894b00">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>2Eteyv/TVn+quL1vcQmerIYAuCYVc0VfT2icwSzChDA=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>[base64 signature value omitted]</SignatureValue>
      <KeyInfo><X509Data><X509Certificate>[base64 IDP signing certificate omitted]</X509Certificate></X509Data></KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz.onmicrosoft.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" NotOnOrAfter="2023-10-03T15:30:43.316Z" Recipient="https://x.x.x.x:10443/remote/saml/login"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z">
      <AudienceRestriction><Audience>http://x.x.x.x:10443/remote/saml/metadata/</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>3079dba8-7986-40be-abcb-85db3a9f3872</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>096dba4e-b291-47ae-8cc7-437ca2bcbfe1</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>abc</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>abc</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>xyz</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute>
      <Attribute Name="username"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2023-10-02T10:54:34.349Z" SessionIndex="_91d40c9a-b665-42d1-bf93-0784cd894b00">
      <AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
__samld_sp_login_resp [853]:
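The field relationships called out above (InResponseTo against the request ID, Destination and Recipient against the SP Assertion Consumer Service URL, Issuer against the IDP Entity ID, Audience against the SP Entity ID, and the NotBefore/NotOnOrAfter window) can be checked mechanically once the two XML bodies are copied out of the debug output. The Python script below is an added example, not Fortinet code or part of this article's output; it embeds a constructed, trimmed AuthnRequest/Response pair modelled on the dump above, and the SP_ACS_URL, SP_ENTITY_ID and IDP_ENTITY_ID constants are assumed to be the values configured on the FortiGate.

```python
# Added example (not Fortinet code): cross-check the samld fields the article annotates.
# The XML below is a constructed, trimmed AuthnRequest/Response pair that keeps the field
# names of the dump above; Signature, X509Certificate and SAMLRequest blobs are left out.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values you would read from the FortiGate SAML SP / IDP configuration (assumed here).
SP_ACS_URL = "https://x.x.x.x:10443/remote/saml/login"
SP_ENTITY_ID = "http://x.x.x.x:10443/remote/saml/metadata/"
IDP_ENTITY_ID = "https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/"
REQ_ID = "_838F60F6BF4143F97B99446E866BFDDA"

AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{REQ_ID}" '
    f'Version="2.0" IssueInstant="2023-10-03T14:30:39Z" AssertionConsumerServiceURL="{SP_ACS_URL}">'
    f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns="{NS["saml"]}" ID="_e97609ab" Version="2.0" '
    f'IssueInstant="2023-10-03T14:30:43.496Z" Destination="{SP_ACS_URL}" InResponseTo="{REQ_ID}">'
    f'<Issuer>{IDP_ENTITY_ID}</Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="_91d40c9a" Version="2.0" IssueInstant="2023-10-03T14:30:43.494Z">'
    f'<Issuer>{IDP_ENTITY_ID}</Issuer><Subject>'
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData '
    f'InResponseTo="{REQ_ID}" NotOnOrAfter="2023-10-03T15:30:43.316Z" Recipient="{SP_ACS_URL}"/>'
    '</SubjectConfirmation></Subject>'
    '<Conditions NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z">'
    f'<AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction></Conditions>'
    '</Assertion></samlp:Response>')

def parse_ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_exchange(request_xml, response_xml, now=None):
    """Return {check_name: bool} for the field relationships the article points out."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    now = now or parse_ts(resp.get("IssueInstant"))  # judge the validity window at the IDP's IssueInstant
    return {
        "status_success": resp.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"),
        # InResponseTo (on the Response and on SubjectConfirmationData) must equal the AuthnRequest ID
        "in_response_to": req.get("ID") == resp.get("InResponseTo") == scd.get("InResponseTo"),
        # Destination and Recipient must both be the SP Assertion Consumer Service URL
        "destination_is_acs": resp.get("Destination") == scd.get("Recipient") == SP_ACS_URL,
        # Issuer on the Response and on the Assertion must be the IDP Entity ID
        "issuer_is_idp": resp.find("saml:Issuer", NS).text == assertion.find("saml:Issuer", NS).text == IDP_ENTITY_ID,
        "audience_is_sp": cond.find("saml:AudienceRestriction/saml:Audience", NS).text == SP_ENTITY_ID,
        "within_validity": parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")),
    }
```

A check that comes back False points at the configuration item named in the comment next to it (SP Entity ID, ACS URL, IDP Entity ID), which is where the FortiGate and IDP settings should be compared.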

 

In the above login response body, the following is the Attribute Statement. An attribute statement asserts that a subject S has attribute A in namespace N with value(s) V.

 

<AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>3079dba8-7986-40be-abcb-85db3a9f3872</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>096dba4e-b291-47ae-8cc7-437ca2bcbfe1</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>manosh</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>abc</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>abc</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute>
  <Attribute Name="username"><AttributeValue>abc@abcgmail.onmicrosoft.com</AttributeValue></Attribute>
</AttributeStatement>

 

This is the Authentication Statement. An authentication statement asserts that a subject S is authenticated to the issuing system using method M at time T.

 

<AuthnStatement AuthnInstant="2023-10-02T10:54:34.349Z" SessionIndex="_91d40c9a-b665-42d1-bf93-0784cd894b00">
  <AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext>
</AuthnStatement>

 

Below are the NameID and the attribute values that the IDP has sent, as samld reports them:

 

<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">manosh@manoshgoswami685gmail.onmicrosoft.com</saml:NameID>
</NidAndSessionIndex>
</Session>
samld_send_common_reply [122]: Attr: 17, 27, magic=229ae47d0cee7bb9
samld_send_common_reply [122]: Attr: 18, 29, 2023-10-03T15:30:43.316Z
samld_send_common_reply [118]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' '3079dba8-7986-40be-abcb-85db3a9f3872'
samld_send_common_reply [118]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '096dba4e-b291-47ae-8cc7-437ca2bcbfe1'
samld_send_common_reply [118]: Attr: 10, 68, 'http://schemas.microsoft.com/identity/claims/displayname' 'abc'
samld_send_common_reply [118]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/3079dba8-5486-40be-abcb-85db3a9f3872/'
samld_send_common_reply [118]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/48/identity/authenticationmethod/password'
samld_send_common_reply [118]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'b79fbf4d-3ef9-5238-8143-76b194e85509'
samld_send_common_reply [118]: Attr: 10, 75, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'abc'
samld_send_common_reply [118]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'xyz'
samld_send_common_reply [118]: Attr: 10, 108, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'abc@xyz.onmicrosoft.com'
samld_send_common_reply [118]: Attr: 10, 58, 'username' 'abc@xyz685gmail.onmicrosoft.com' <- This is the user name attribute configured on the FortiGate in the SAML SP configuration. The FortiGate expects the IDP to send an attribute with this name and takes the user name from its value.
samld_send_common_reply [122]: Attr: 11, 670, https://login.microsoftonline.com/3079dba8-7986-21ax-abcb-85db3a9f3872/saml2?SAMLRequest=[URL-encoded AuthnRequest omitted]&RelayState=magic%3D229ae47d0cee7bb9

 

Note: Stop the SAML debugging with the following command:

 

diag debug disable

diag debug application samld 0

 

Comments
mauromarme

Really good information.
SAML is a protocol that provides (from my perspective) more security than LDAP or RADIUS, so it is being implemented more and more by customers.
For troubleshooting purposes it is important to know what each SAML message/process means. This makes it easier to identify the problem.