Forum Discussion
Access denied error when trying to retrieve saml token from html body
Hi All,
I am trying to retrieve the saml token from the html body, but I received the following access denied error
when it was trying to call the 208 url (usclssoat208.airsoatest.airservices.eds.com/affwebservices/public/saml2sso?SPID=service_provider&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).
Please advise on this.
401 - Unauthorized: Access is denied due to invalid credentials.
Usecase:
1) Enter the IDP url http://usclssoat208lb.airservices.eds.com/iam/code.asp
2) Siteminder challenges the user (enter credentials)
3) Internally the page invokes the SSO service, grabs the saml token from the html body and posts it to the saml assertion consumer (http://usclspcim021.airservices.eds.com/affwebservices/public/saml2assertionconsumer).
http://usclssoat208lb.airservices.eds.com/affwebservices/public/saml2sso?SPID=service_provider&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
4) Process the redirect (Siteminder issues a redirect) by grabbing the Siteminder cookie (SMSESSION). Do not do the actual redirect. (Grab the usclspcim021.airservices.eds.com cookie, replace the saml token with the SMCOOKIE.)
5) Finally reach the landing page.
http://usclspcim021.airservices.eds.com/TestBasicAuth/finalpage.html
8 Replies
- Kevin_Stewart
Employee
Praque, you appear to have several posts relating to the same thing. Can you break down the required process a bit more, maybe with some diagrams?
- praque_135655
Nimbostratus
Hi Kevin,
I want to retrieve the saml token from the html body. Attached the code and log. I need to retrieve the value from the html body.
Please advise how to retrieve the value from the html body.
Code used:
    when CLIENT_ACCEPTED {
        # Get the defined pool for this VIP
        set default_pool [LB::server pool]
        # Set an initial lookup flag
        set gotpath 1
    }
    when HTTP_REQUEST {
        # Labels 2..7 of the Host header, used to build the cookie domain
        set d2 [getfield [HTTP::host] "." 2]
        set d3 [getfield [HTTP::host] "." 3]
        set d4 [getfield [HTTP::host] "." 4]
        set d5 [getfield [HTTP::host] "." 5]
        set d6 [getfield [HTTP::host] "." 6]
        set d7 [getfield [HTTP::host] "." 7]
        set domain ""
        foreach part "$d2 $d3 $d4 $d5 $d6 $d7" {
            set domain [format "%s.%s" $domain $part]
        }
        # On first request (lookup flag set) perform lookup
        if { $gotpath == 1 } {
            # Save the original request
            set request [HTTP::request]
            # Change URI for sideband lookup
            HTTP::uri "/iam/code.asp"
            # Change pool to point to sideband web service
            pool Rachel_Test_208
        }
        # After the lookup, replay the request with the SMSESSION cookie to the SSO service
        if { $gotpath == 0 } {
            HTTP::cookie insert name "SMSESSION" value $smsession path "/" domain $domain
            HTTP::uri "/affwebservices/public/saml2sso?SPID=service_provider&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        }
    }
    when HTTP_RESPONSE {
        # If response from web service, capture the SiteMinder session cookie
        if { [HTTP::cookie exists "SMSESSION"] } {
            set smsession "[HTTP::cookie value SMSESSION]"
            log local0. "smsession$smsession"
            set gotpath 0
        }
    }
Log
- Kevin_Stewart
Employee
A bit more please. Example:
- User accesses primary app VIP and is prompted for credentials
- User posts credentials
- VIP sends sideband request with user credentials to internal service
- Internal service sends back auth token
- VIP inserts auth token into request to primary app
- ...
Based on all of the previous posts, I'm starting to get a sense of what needs to happen, but if you can articulate exactly what needs to happen, when it needs to happen, and who it happens to, we can better support your requirements.
- praque_135655
Nimbostratus
Hi Kevin,
Please find the additional details
1.User accesses primary app VIP and is prompted for credentials
2.User posts credentials
3.VIP sends sideband request with user credentials to internal service
4.Internal service sends back saml token
5.VIP inserts saml token into request to primary app
- The primary app receives the saml token and generates the siteminder cookie
- Using the siteminder cookie, the user is able to see the primary app landing page
Regards, Praque
- praque_135655
Nimbostratus
Hi All, I have used HTTP::payload to retrieve the Saml Token, but I received only half of the value from the page; the remaining page values are not displayed using the payload option. Please advise on this.
Rule SM_SAML : requestpayload SAML 2.0 Auto-POST form Your browser does not support JavaScript. Please click the 'Continue' button below to proceed.
- Kevin_Stewart
Employee
Praque,
Still not 100% clear on what you're trying to accomplish here, but here are some recommendations.
- The $d2-$d7 and foreach loop seem to be deriving the domain value from the requested Host header, given that the Host is a 7-level name. You can more easily accomplish the same thing with the domain command:
    set domain [domain [HTTP::host] 6]
- You're likely only getting part of the payload in the HTTP_RESPONSE because it's exceeding a single TCP packet. You need to issue an HTTP::collect command in the HTTP_RESPONSE event, which will buffer the output and trigger the HTTP_RESPONSE_DATA event:
    when HTTP_RESPONSE {
        # If response from web service
        if { [HTTP::cookie exists "SMSESSION"] } {
            set smsession "[HTTP::cookie value SMSESSION]"
            log local0. "smsession$smsession"
            set gotpath 0
            # Buffer the whole body; HTTP_RESPONSE_DATA fires once it is collected
            HTTP::collect [HTTP::header Content-Length]
        }
    }
    when HTTP_RESPONSE_DATA {
        # Full payload should be available here in [HTTP::payload]
    }
- praque_135655
Nimbostratus
Hi Kevin, shall we get on a call and discuss? I have a fiddler session; I will send the attachment. Please give your phone number and mail id. I tried using HTTP::collect and payload, but I am still receiving half of the payload.
    when HTTP_RESPONSE {
        # Use the advertised Content-Length, capped to keep the collect buffer bounded
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 4048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 2048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            log local0. "content_length$content_length"
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # Full payload should be available here in [HTTP::payload]
        log local0. "httpresponse::[HTTP::payload]"
    }
Payload:
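The buffering problem Kevin describes (a body that spans several TCP segments, so parsing it before HTTP::collect has gathered Content-Length bytes yields half a token) is easy to reproduce outside the BIG-IP. The example below is added here and is not code from the thread or from F5; it is written in Python rather than iRule TCL so it can be run stand-alone. It buffers a response body segment by segment, refuses to parse until the whole body is present, then pulls the standard SAMLResponse field out of a SAML 2.0 HTTP-POST auto-POST form and checks that it really decodes to a samlp:Response. The form markup, the SAML XML, the https://sp.example.invalid ACS URL and the 200-byte segment size are all constructed for the example.

```python
"""Reassemble a multi-segment HTTP response, then extract the SAMLResponse
from a SAML 2.0 auto-POST form. Added example; all sample data is constructed."""
import base64
import html
import re
import xml.etree.ElementTree as ET


class ResponseCollector:
    """Buffers body segments until Content-Length bytes have arrived.

    This is what HTTP::collect <length> gives an iRule: HTTP_RESPONSE_DATA
    only fires once the whole body is buffered, so parse there, not before.
    """

    def __init__(self, content_length):
        self.content_length = content_length
        self.buf = bytearray()

    def feed(self, segment):
        """Add one TCP segment; return True once the body is complete."""
        self.buf.extend(segment)
        return self.complete()

    def complete(self):
        return len(self.buf) >= self.content_length

    def body(self):
        if not self.complete():
            raise ValueError("body incomplete: %d of %d bytes"
                             % (len(self.buf), self.content_length))
        return bytes(self.buf[:self.content_length])


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')
SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"


def parse_autopost_form(body):
    """Return {name: value} for every <input> that carries both attributes.

    A tag cut off by a segment boundary has no closing '>' and is skipped,
    which is why parsing a partial payload yields no token at all.
    """
    text = body.decode("utf-8", errors="replace")
    fields = {}
    for tag in INPUT_TAG.findall(text):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTRIBUTE.findall(tag)}
        if "name" in attrs and "value" in attrs:
            fields[attrs["name"]] = attrs["value"]
    return fields


def extract_saml_response(body):
    """Return the base64 SAMLResponse only if it decodes to a samlp:Response."""
    token = parse_autopost_form(body).get("SAMLResponse")
    if token is None:
        return None
    try:
        root = ET.fromstring(base64.b64decode(token, validate=True))
    except (ValueError, ET.ParseError):  # bad base64 or not well-formed XML
        return None
    return token if root.tag == SAMLP_RESPONSE else None


def reassemble_and_extract(segments, content_length):
    """Feed segments in order; extract once the body is complete, else None."""
    collector = ResponseCollector(content_length)
    for segment in segments:
        if collector.feed(segment):
            return extract_saml_response(collector.body())
    return None


# --- constructed sample data (not captured from any real IdP) ---
SAML_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    b'<samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b'</samlp:Response>'
)
SAML_B64 = base64.b64encode(SAML_XML).decode("ascii")


def build_sample_body():
    """An auto-POST form of the shape an IdP's HTTP-POST binding returns (constructed)."""
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        '<form method="post" action="https://sp.example.invalid/saml2assertionconsumer">\n'
        '<input type="hidden" name="SAMLResponse" value="%s"/>\n'
        '<input type="hidden" name="RelayState" value="/finalpage.html"/>\n'
        "<noscript>Your browser does not support JavaScript. "
        "Please click the 'Continue' button below to proceed.\n"
        '<input type="submit" value="Continue"/></noscript>\n'
        "</form></body></html>\n" % SAML_B64
    ).encode("ascii")


def split_segments(body, size=200):
    """Imitate a body arriving in fixed-size TCP segments (size is arbitrary)."""
    return [body[i:i + size] for i in range(0, len(body), size)]


if __name__ == "__main__":
    body = build_sample_body()
    segments = split_segments(body)
    print("first segment alone:", extract_saml_response(segments[0]))
    print("after collecting all:", reassemble_and_extract(segments, len(body)) == SAML_B64)
```

Run as a script it prints None for the first segment and True after all segments are collected; the same split is what HTTP::payload shows in HTTP_RESPONSE versus HTTP_RESPONSE_DATA. Note that the collector trusts Content-Length: a response sent with chunked transfer encoding has no such header, and the iRule above falls back to a fixed cap for exactly that case.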