IBM Support

How to decode a SAML response when it is encoded

Troubleshooting


Problem

When federated users have issues logging in, we require a SAML trace to determine if the assertion has the exact required attributes: firstName, lastName, country and emailAddress. Sometimes when a SAML trace is taken, the response is encoded. This must be decoded before the investigation can proceed.

Symptom

SAML trace provided by the customer has this type of response (the response has been snipped to save space): 
SAMLResponse=PD94bWwgdmVyc2lvbj  <snip> wyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4%3D&RelayState=uuid22e22a01-016c-1986-b566-d3302c8ac5b3

Environment

  • Planning Analytics on Cloud
  • Federated users or domain

Resolving The Problem

There are many ways to decode an encoded SAML response; two of them are described below. Fiddler can be replaced with any HTTP archive viewer that shows the SAML response in Base64. There are also many online SAML response decoders, but because the assertion carries user identity data, the options below stay offline.
Option 1 - Notepad++
  1. Open provided SAML trace in Fiddler.
  2. On the left hand side, click on the URL "/idaas/mtfim/sps/idaas/saml20/login", as this request carries the encoded SAML response.
  3. On the right hand side, click on the "WebForms" tab; you should now see 2 body values: SAMLResponse and Body.
  4. Copy the SAMLResponse value and paste it into Notepad++.
  5. Use CTRL+A to select the pasted value, then choose from the toolbar Plugins > MIME Tools > SAML Decode or Base64 Decode.
  6. (Optional) If you have the XML Tools plugin, use Plugins > XML Tools > Pretty print (XML only - with line breaks) to make the decoded response easier to read.
Continue troubleshooting by looking for the 4 required attributes to identify potential incomplete assertions: 
  • saml2:Attribute Name="country"
  • saml2:Attribute Name="lastName"
  • saml2:Attribute Name="firstName"
  • saml2:Attribute Name="emailAddress"
Option 2 - Using PowerShell
  1. Open provided SAML trace in Fiddler.
  2. On the left hand side, click on the URL "/idaas/mtfim/sps/idaas/saml20/login", as this request carries the encoded SAML response.
  3. On the right hand side, click on the "WebForms" tab; you should now see 2 body values: SAMLResponse and Body.
  4. Copy the SAMLResponse value, paste it into any text editor and save it as saml_encoded.txt.
  5. Create a PowerShell script with the following (alter $inputFilePath and $outputFilePath as required):
       # Path of the saved SAMLResponse value and path for the decoded XML
       $inputFilePath = "C:\saml_encoded.txt"
       $outputFilePath = "C:\saml_decoded.txt"
       # FromBase64String ignores whitespace, so a trailing newline in the file is harmless,
       # but the value must be the plain Base64 text as shown on the WebForms tab, not the
       # URL-encoded form from the raw request body (which ends in %3D rather than =)
       $samlBytes = [System.Convert]::FromBase64String([System.IO.File]::ReadAllText($inputFilePath))
       # Write the decoded bytes out unchanged; the result is the SAML response XML
       [System.IO.File]::WriteAllBytes($outputFilePath, $samlBytes)
  6. Run the script in PowerShell to decode the SAML response.
Continue troubleshooting by looking for the 4 required attributes to identify potential incomplete assertions: 
  • saml2:Attribute Name="country"
  • saml2:Attribute Name="lastName"
  • saml2:Attribute Name="firstName"
  • saml2:Attribute Name="emailAddress"
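The following PowerShell script is an added example, not IBM's own script from either option above: it decodes a SAMLResponse value (accepting both the plain Base64 shown on Fiddler's WebForms tab and the URL-encoded form from the raw request body, which ends in %3D) and then reports which of the four required attributes the assertion carries, so the check in both options can be done in one step. It assumes the attributes are standard SAML 2.0 saml2:Attribute elements in the urn:oasis:names:tc:SAML:2.0:assertion namespace; the sample response embedded in it is constructed for the example and is deliberately missing the country attribute.

```powershell
# Added example, not IBM's script: decode a SAMLResponse value and report which of the
# four required attributes the assertion carries. Assumes SAML 2.0 attribute elements in
# the standard urn:oasis:names:tc:SAML:2.0:assertion namespace (the saml2: prefix above).

$RequiredAttributes = @('firstName', 'lastName', 'country', 'emailAddress')

function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$Encoded)
    $text = $Encoded.Trim()
    # A value copied from the raw POST body (rather than Fiddler's WebForms tab) is still
    # URL-encoded, e.g. it ends in %3D instead of '='; FromBase64String would reject that.
    if ($text -match '%[0-9A-Fa-f]{2}') {
        $text = [System.Uri]::UnescapeDataString($text)
    }
    $bytes = [System.Convert]::FromBase64String($text)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Test-SamlRequiredAttributes {
    param([Parameter(Mandatory)][string]$Xml)
    [xml]$doc = $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion')
    # Collect every saml2:Attribute Name in the response, wherever it sits in the assertion.
    $present = @($doc.SelectNodes('//saml2:Attribute', $ns) | ForEach-Object { $_.GetAttribute('Name') })
    $missing = @($RequiredAttributes | Where-Object { $present -notcontains $_ })
    return [pscustomobject]@{ Present = $present; Missing = $missing }
}

# Constructed sample (not from a real trace): a minimal response that is missing 'country'.
$sampleXml = @'
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="emailAddress"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
'@
# Base64-encode and then URL-encode it, which is the form the value takes in the raw POST body.
$sampleEncoded = [System.Uri]::EscapeDataString(
    [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml)))

$decoded = ConvertFrom-SamlResponse -Encoded $sampleEncoded
$result  = Test-SamlRequiredAttributes -Xml $decoded
"Present: $($result.Present -join ', ')"
"Missing: $($result.Missing -join ', ')"
```

To run it against a trace saved as in step 4 of Option 2, replace the constructed sample with the file contents, for example `Test-SamlRequiredAttributes -Xml (ConvertFrom-SamlResponse -Encoded (Get-Content C:\saml_encoded.txt -Raw))`; any name listed under Missing is an incomplete assertion that needs to be fixed on the identity provider side. The URL-decoding step uses UnescapeDataString rather than a form decoder because a form-encoded Base64 value never contains a raw '+', so '%2B' is the only way that character can appear.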

Document Information

Modified date:
20 September 2021

UID

ibm10960326