How can I test a SAML SP implementation with Postman?

We have set up our SAML SP connection to interface with our customers IdP. We do not have access to their IdP, but we do have a sample valid SAML response from their Idp. How can I utilize Postman to send a request to Auth0 to verify that Auth0 is consuming the response correctly?

If you have a valid SAML response you should be able to configure the Auth0 connection for IdP-Initiated SSO and then perform a POST request to the endpoint that consumes that assertion. See the reference docs for how to perform this configuration and also to obtain the endpoint that should consume the assertion. Also check these docs on the SAML IdP-Initiated SSO binding to see how the actual request should be performed.

You could then analyze the response, a valid SAML assertion should trigger a redirect to the client application you configured and in accordance to the protocol you also selected.

I figured I should be able to do that. I get an error when I attempt to POST to our login endpoint, but I will comb through the resources you designated and see if there is some config that I am missing.

Thank you! I will report back tomorrow.

Ok, I got the POST working. we are now receiving an error telling us that the signature is invalid. I have checked the 509 cert attribute in the SAML assertion and it matches the uploaded cert file. What could be causing a mismatch for the SignatureValue?

If you already checked that the assertion is signed by the private key associated with the public key you uploaded then my best recommendation is for you to enable the Debug Mode in the connection settings if you haven’t done so already as that may provide you with additional information.

We only have access to the public key. I found this tool: GitHub - node-saml/xml-crypto: Xml digital signature and encryption library for Node.js

and set it up locally to test the signed saml assertion. It gives the same error that Auth0 is throwing. Now, that looked to be the nail in the coffin, so we were about to contact our client, but then I came across XML buddy (http://www.xml-buddy.com/xml-digital-signatures.htm) and when I ‘verify signature’ using that tool, it says it is valid!

Is there more info I can provide to help you help me?

thanks again

Yeah, validating the assertion through other means does validate it’s indeed associated with the cert you upload, although, failing with xml-crypto is suspicious. Another relevant thing that I’m not sure is if we implement token replay detection as that could prevent your single hardcoded assertion from being reused so additional tests after for example addressing a config issue could be blocked by this check. Can you verify if the error is really about the signature and/or ask for a new assertion? Also, trying to investigate why xml-crypto fails might be wortwhile.

I have seen warnings in the logs stating the SAML assertion has been used before, but that is in addition to the ‘signature is invalid’ error.

We are waiting for a fresh assertion to test against, but also trying to pin down exactly what is going on. Our client seemed to have some confusion over whether they were using sha1 or sha2. They believed it was sha2, but we saw sha1 in all the attributes in the assertion(so we set up our Auth0 client for sha1). I am now trying to see if I can determine if the PEM file they gave us is sha1 or sha2…

Also, I set up an Auth0 account as an IdP and that worked as expected.

OK, I just noticed that the sample SAML assertion from my Auth0 IdP account also has sha1 in the attributes, i.e:

      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#_ZNymHWjd06odnEj9NOYE6XHkGoQLMa6I">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>efQbQsAGFo09tG8+58tM1KKANHA=</DigestValue>
        </Reference>
      </SignedInfo>

The PEM file from Auth0 is about half the length of the cert file we have from out client… could that be an indication that they signed their cert with sha2?

Side note, I didn’t see a way to select the algorithm in auth0. Is sha1 being used for the generated cert?