View plain text SAML token

  • Question

  • Hi,

    I use a SAML-based scenario where a WCF client acquires a token from Zermatt's STS and then accesses an external web service.
    Symmetric key encryption is in use, so the SAML token in the SOAP message appears in a non-readable format.

    I'm looking for a way of viewing the SAML token in plain text (i.e. in a log file).

    Thanks,
    genady
    Tuesday, December 9, 2008 12:17 PM

All replies

  • You can view the SAML token if you turn on the WCF tracing as described in the WCF documentation.



    jlavin
    Tuesday, December 9, 2008 3:05 PM
  • Hi,

    Actually, WCF tracing is enabled and I can see some elements in the <Security> section.
    I'm interested in viewing the SAML assertion (<saml:Assertion>) element, which is supposed to be encrypted under <EncryptedData>.

    Thanks,
    genady
    Wednesday, December 10, 2008 8:08 AM
  • Hi Genady,
    The WCF trace from the STS should contain the entire message before encryption (including the SAML assertion token in plain text), as well as after encryption (where you won't see the SAML token).

    Similarly, the WCF trace from the relying party service should contain both the message before decryption (where you don't see the plain text token) and after decryption (with the plain text token).

    The WCF logs from the client will not show the SAML token, because it is never decrypted on the client.


    Check that the following flags are enabled in the WCF logging section of the config:

    <messageLogging
        logEntireMessage="true"
        logMessagesAtServiceLevel="true"
        logMalformedMessages="true"
        logMessagesAtTransportLevel="true">
    </messageLogging>

    Friday, December 12, 2008 12:30 AM
    Moderator
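    The answer above says where the readable token should be: at the STS before encryption, at the relying party after decryption, never on the client. A quick way to confirm that for a real trace file is to scan every logged message and record what the token looks like at each logging point. The script below is an added example, not code from this thread or from WCF. It reads the raw text of a file written by XmlWriterTraceListener (the C:\Test\STS_trace.e2e style file from the thread), wraps the root-less sequence of E2ETraceEvent elements so it can be parsed, keeps XML comments so the "<!-- Removed -->" markers survive, and reports for each MessageLogTraceRecord whether it holds a plain <saml:Assertion>, an <EncryptedData> blob, or a removed marker. The embedded sample trace is constructed: the MessageLogTraceRecord element, its Source attribute and the namespaces are the real WCF/SAML/XML Encryption ones, but the E2ETraceEvent wrapper is trimmed to what the script needs and the three records are mixed into one file for brevity (the thread keeps STS and relying-party traces in separate files).

```python
"""Scan a WCF message-logging trace for SAML tokens (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespaces: WCF message-log records, SAML 1.x / 2.0 assertions, XML Encryption.
MSGTRACE = "http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace"
SAML_NS = ("urn:oasis:names:tc:SAML:1.0:assertion",
           "urn:oasis:names:tc:SAML:2.0:assertion")
XENC = "http://www.w3.org/2001/04/xmlenc#"


def load_trace(text):
    """Parse the raw text of a .e2e/.svclog file into one element tree.

    XmlWriterTraceListener writes <E2ETraceEvent> elements back to back with no
    enclosing root element, so the text is wrapped in a synthetic <trace> root.
    Comments are kept; otherwise the "<!-- Removed -->" markers would be lost.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring("<trace>" + body + "</trace>", parser=parser)


def classify_records(text):
    """One dict per logged message: where WCF logged it and what the token looks like."""
    results = []
    for rec in load_trace(text).iter("{%s}MessageLogTraceRecord" % MSGTRACE):
        plain = any(rec.find(".//{%s}Assertion" % ns) is not None for ns in SAML_NS)
        encrypted = rec.find(".//{%s}EncryptedData" % XENC) is not None
        removed = any(el.tag is ET.Comment and "Removed" in (el.text or "")
                      for el in rec.iter())
        results.append({
            "source": rec.get("Source", "?"),   # e.g. ServiceLevelSendReply, TransportSend
            "plain_assertion": plain,
            "encrypted_data": encrypted,
            "removed_marker": removed,
        })
    return results


def sources_with_plain_assertion(text):
    """Names of the logging points at which the assertion is readable."""
    return [r["source"] for r in classify_records(text) if r["plain_assertion"]]


# Constructed sample trace (simplified wrapper, three records in one file).
SAMPLE_TRACE = """
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
 <ApplicationData><TraceData><DataItem>
  <MessageLogTraceRecord Source="ServiceLevelSendReply"
      xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_constructed-0001" Issuer="http://sts.example.test"/>
   </s:Body></s:Envelope>
  </MessageLogTraceRecord>
 </DataItem></TraceData></ApplicationData>
</E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
 <ApplicationData><TraceData><DataItem>
  <MessageLogTraceRecord Source="TransportSend"
      xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
    <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:CipherData>
     <e:CipherValue>Y29uc3RydWN0ZWQ=</e:CipherValue></e:CipherData></e:EncryptedData>
   </s:Body></s:Envelope>
  </MessageLogTraceRecord>
 </DataItem></TraceData></ApplicationData>
</E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
 <ApplicationData><TraceData><DataItem>
  <MessageLogTraceRecord Source="TransportReceive"
      xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header><!-- Removed --></s:Header>
    <s:Body><e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"/></s:Body>
   </s:Envelope>
  </MessageLogTraceRecord>
 </DataItem></TraceData></ApplicationData>
</E2ETraceEvent>
"""

if __name__ == "__main__":
    for r in classify_records(SAMPLE_TRACE):
        print(r)
    print("readable at:", sources_with_plain_assertion(SAMPLE_TRACE))
```

    To use it on a real file, read the file into a string and pass it to classify_records. A record with plain_assertion true tells you at which logging point (and therefore in which process) the readable token landed, which is also the file you will want to protect or delete afterwards. A removed_marker hit means WCF replaced a security header it treats as known PII; the MSDN page linked later in this thread covers opting in to logging it (logKnownPii on <messageLogging>, together with enableLoggingKnownPii in machine.config's <machineSettings>). One caveat when the assertion never shows up as plain text anywhere: if the STS encrypts the issued token for the relying party as part of token issuance (rather than through message security), the assertion is already <EncryptedData> in the STS's service-level log, and only the relying party, which holds the decryption key, can log it readable.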
  • Hi,

    The config file contains those options (see below).
    Is there something else that I'm missing?

    I checked the log file and found <!-- Removed --> statements. I believe that this is encrypted data.

    Thanks,
    Genady

    <system.serviceModel>
      <!-- ... -->
      <diagnostics>
        <messageLogging maxMessagesToLog="30000"
                        logEntireMessage="true"
                        logMessagesAtServiceLevel="true"
                        logMalformedMessages="true"
                        logMessagesAtTransportLevel="true">
        </messageLogging>
      </diagnostics>
    </system.serviceModel>

    <system.diagnostics>
      <sources>
        <source name="System.ServiceModel.MessageLogging">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
            <add name="xml">
              <filter type="" />
            </add>
          </listeners>
        </source>
        <source name="System.ServiceModel" switchValue="Verbose,ActivityTracing"
                propagateActivity="true">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
            <add name="xml">
              <filter type="" />
            </add>
          </listeners>
        </source>
        <source name="Microsoft.IdentityModel" switchValue="Verbose">
          <listeners>
            <add type="System.Diagnostics.DefaultTraceListener" name="Default">
              <filter type="" />
            </add>
            <add name="xml">
              <filter type="" />
            </add>
          </listeners>
        </source>
      </sources>
      <sharedListeners>
        <add initializeData="C:\Test\STS_trace.e2e"
             type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             name="xml" traceOutputOptions="Timestamp">
          <filter type="" />
        </add>
      </sharedListeners>
      <trace autoflush="true" />
    </system.diagnostics>

    Sunday, December 21, 2008 4:20 PM
  •  Regarding the <!-- removed --> - have a look here:

    http://msdn.microsoft.com/en-us/library/ms730318.aspx

    Dominick Baier - http://www.leastprivilege.com
    Monday, December 22, 2008 4:10 PM
  • Hi,

    Thanks for the link.
    After applying the recommended instructions, the <!-- Removed --> marks no longer appear, but
    the SAML assertions still appear encrypted rather than in plain text.

    Thanks,
    Genady
     
    Tuesday, December 23, 2008 12:43 PM