SAML Debugging

SAML assertion parsing and debugging; supports parsing of Base64-encoded and decoded SAML Responses

🔍 Assertion Parsing
📋 SAML Templates
📖 Reference

Paste a SAML Response (Base64-encoded or raw XML)

SAML 2.0 AuthnRequest (SP-initiated)

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_1234567890" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://idp.example.com/sso"
  AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>

SAML 2.0 Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_response123" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://sp.example.com/acs"
  InResponseTo="_1234567890">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion123" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          NotOnOrAfter="2024-01-01T00:05:00Z"
          Recipient="https://sp.example.com/acs"
          InResponseTo="_1234567890"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

SAML 2.0 Core Concepts

SP (Service Provider)  → the application the user wants to access
IdP (Identity Provider) → the authentication service

SP-Initiated: user starts at the SP → redirected to the IdP → returned to the SP after authentication
IdP-Initiated: user starts at the IdP → sent directly to the SP

SAML Bindings

HTTP-Redirect  → SAML message carried in URL query parameters (GET)
HTTP-POST      → SAML message carried in an HTML form POST
HTTP-Artifact  → an artifact reference is passed, then resolved to fetch the full message

Common Troubleshooting

1. Clock skew → NotBefore/NotOnOrAfter times do not match
2. Audience mismatch → AudienceRestriction does not match the SP EntityID
3. Signature verification failure → certificate mismatch or XML canonicalization problem
4. InResponseTo mismatch → does not correspond to the AuthnRequest ID
5. Recipient mismatch → does not match the ACS URL

Encoding/Decoding

SP → IdP: AuthnRequest → Deflate → Base64 → URL Encode
IdP → SP: Response → Base64 → POST Form

Decoding steps: URL Decode → Base64 Decode → XML
(if Deflate was applied first, Inflate first)
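As an added example (not part of this page's tool), a Python script that carries out the encoding and decoding steps above for both bindings and then checks a decoded Response for troubleshooting items 1, 2, 4 and 5; the sample Response is constructed from the template above, and the expected SP EntityID, ACS URL and AuthnRequest ID are passed in as parameters.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the page's Response template, trimmed to the elements the checks read.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_response123" Version="2.0" Destination="https://sp.example.com/acs" InResponseTo="_1234567890">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_assertion123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Subject>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://sp.example.com/acs" InResponseTo="_1234567890"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def encode_saml(xml_text, redirect_binding=False):
    # HTTP-POST: Base64 only. HTTP-Redirect: raw DEFLATE, then Base64 (URL-encoding is left to the query builder).
    raw = xml_text.encode("utf-8")
    if redirect_binding:  # zlib.compress output minus 2-byte header and 4-byte Adler-32 trailer = raw DEFLATE
        raw = zlib.compress(raw)[2:-4]
    return base64.b64encode(raw).decode("ascii")

def decode_saml(data, redirect_binding=False):
    # The reverse, after any URL-decoding: Base64 -> (inflate for HTTP-Redirect) -> XML text.
    raw = base64.b64decode(data.strip())
    return (zlib.decompress(raw, -15) if redirect_binding else raw).decode("utf-8")  # -15: raw DEFLATE

def parse_ts(v):  # timestamps as in the template: UTC "Z", no fractional seconds
    return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, request_id, now, skew_seconds=0):
    """Return mismatches 1, 2, 4 and 5 of the troubleshooting list; signature verification (3) needs xmlsec."""
    root, skew = ET.fromstring(xml_text), timedelta(seconds=skew_seconds)
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if scd is None or cond is None:
        return ["Assertion, SubjectConfirmationData or Conditions missing"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    checks = [
        (root.get("InResponseTo") == request_id, "Response InResponseTo != AuthnRequest ID"),
        (not nb or now + skew >= parse_ts(nb), "NotBefore is in the future (clock skew?)"),
        (not noa or now - skew < parse_ts(noa), "NotOnOrAfter has passed (clock skew?)"),
        (sp_entity_id in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)], "Audience != SP EntityID"),
        (scd.get("Recipient") == acs_url, "Recipient != ACS URL"),
        (scd.get("InResponseTo") == request_id, "SubjectConfirmationData InResponseTo != AuthnRequest ID"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `check_response(decode_saml(encode_saml(SAMPLE)), "https://sp.example.com", "https://sp.example.com/acs", "_1234567890", parse_ts("2024-01-01T00:01:00Z"))` to see an empty list for the valid sample; changing any expected value or moving `now` past 00:05 produces the matching message.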