Troubleshooting
Problem
When federated users have issues logging in, we require a SAML trace to determine if the assertion has the exact required attributes: firstName, lastName, country and emailAddress. Sometimes when a SAML trace is taken, the response is encoded. This must be decoded before the investigation can proceed.
Symptom
SAML trace provided by the customer has this type of response (the response has been snipped to save space):
SAMLResponse=PD94bWwgdmVyc2lvbj <snip> wyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4%3D&RelayState=uuid22e22a01-016c-1986-b566-d3302c8ac5b3
Environment
- Planning Analytics on Cloud
- Federated users or domain
Resolving The Problem
There are many different ways to decode an encoded SAML response; two of them are described below. Fiddler can be replaced with any HTTP Archive viewer that shows the SAML response in Base64. Many online SAML response decoders also exist, but because the assertion contains user identity data, the options below deliberately stay on the local machine and do not use an online service.
Option 1 - Notepad++
- Open provided SAML trace in Fiddler.
- On the left hand side, click on the URL "/idaas/mtfim/sps/idaas/saml20/login" as this will provide the encoded SAML response
- On the right hand side, click on the "WebForms" tab; you should now see 2 body values: SAMLResponse and Body.
- Copy the SAMLResponse value and paste into Notepad++
- Use CTRL+A to select the value pasted into Notepad++ and then choose from the toolbar Plugins > MIME Tools > SAML Decode or Base64 Decode
- (Optional) If you have the XML Tools plugin, you can use Plugins > XML Tools > Pretty print (XML only - with line breaks) to make the output easier to read
Continue troubleshooting by looking for the 4 required attributes to identify potential incomplete assertions:
- saml2:Attribute Name="country"
- saml2:Attribute Name="lastName"
- saml2:Attribute Name="firstName"
- saml2:Attribute Name="emailAddress"
Option 2 - Using PowerShell
- Open provided SAML trace in Fiddler.
- On the left hand side, click on the URL "/idaas/mtfim/sps/idaas/saml20/login" as this will provide the encoded SAML response
- On the right hand side, click on the "WebForms" tab; you should now see 2 body values: SAMLResponse and Body.
- Copy the SAMLResponse value and paste into any text editor and save as saml_encoded.txt
- Create a PowerShell script with the following (alter $inputFilePath and $outputFilePath as required):
$inputFilePath = "C:\saml_encoded.txt"
$outputFilePath = "C:\saml_decoded.txt"
# Read the Base64 SAMLResponse value, decode it, and write the resulting XML bytes to the output file
$PEBytes = [System.Convert]::FromBase64String([IO.File]::ReadAllText($inputFilePath))
[System.IO.File]::WriteAllBytes($outputFilePath, $PEBytes)
- Run the script in PowerShell to decode the SAML response.
Continue troubleshooting by looking for the 4 required attributes to identify potential incomplete assertions:
- saml2:Attribute Name="country"
- saml2:Attribute Name="lastName"
- saml2:Attribute Name="firstName"
- saml2:Attribute Name="emailAddress"
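The following script is an added example and is not part of the original technote or of the Planning Analytics product: it extends Option 2 by decoding the SAMLResponse value and then checking the assertion for the four required attributes automatically, which replaces the manual search described under both options. The file paths are assumptions (change them as required); the SAML 2.0 assertion namespace and element names are the standard ones. Because the raw form value is URL-encoded on top of Base64 (note the trailing %3D in the trace above), the script unescapes it first; this is harmless if the value copied from Fiddler's WebForms tab was already decoded.

```powershell
# Added example (not from the original technote): decode a SAMLResponse value and
# check the assertion for the four required attributes.
# Assumed paths - alter as required.
$inputFilePath  = "C:\saml_encoded.txt"
$outputFilePath = "C:\saml_decoded.xml"

$raw = ([IO.File]::ReadAllText($inputFilePath)).Trim()
# If the whole query string was pasted (SAMLResponse=...&RelayState=...), keep only the value.
if ($raw -match '(?:^|&)SAMLResponse=([^&]+)') { $raw = $Matches[1] }

# URL-unescape (%3D -> =) without touching '+' characters, which are valid Base64.
$b64   = [uri]::UnescapeDataString($raw)
$bytes = [System.Convert]::FromBase64String($b64)
$xml   = [System.Text.Encoding]::UTF8.GetString($bytes)
[IO.File]::WriteAllText($outputFilePath, $xml)

# Parse the decoded response and look up each required saml2:Attribute by its Name.
$doc = [xml]$xml
$ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion')

$required = 'firstName', 'lastName', 'country', 'emailAddress'
$missing  = @()
foreach ($name in $required) {
    $node = $doc.SelectSingleNode("//saml2:Attribute[@Name='$name']", $ns)
    if ($null -eq $node) { $missing += $name; continue }
    $value = ($node.SelectNodes('saml2:AttributeValue', $ns) | ForEach-Object { $_.InnerText }) -join ', '
    Write-Output ("{0,-14} present: {1}" -f $name, $value)
}

if ($missing.Count -eq 0) {
    Write-Output "All 4 required attributes are present in the assertion."
} else {
    Write-Output ("Incomplete assertion - missing: {0}" -f ($missing -join ', '))
}
```

If the response contains a saml2:EncryptedAssertion instead of a plain saml2:Assertion, the attributes are not visible after Base64 decoding alone and the script will report all four as missing; in that case the assertion has to be decrypted with the service provider's private key before the attribute check is meaningful.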
Related Information
Document Location
Worldwide
Document Information
Modified date:
20 September 2021
UID
ibm10960326