IBM Security Verify

Decrypting a Prod SAML Assertion

  • 1.  Decrypting a Prod SAML Assertion

    Posted Wed September 15, 2021 09:59 AM

    All,

    We have an issue where SAML assertions are failing and it has to be issues with the payload in the SAML assertion.  We don't have trace enabled in production due to the high load.  We are trying to identify the issue without turning the trace on.  I have 3 SAML assertions I need to take a closer look at but they are fully encrypted.

    I have used tools such as the online samltool and I am not getting the attributes.  I tried all sorts of openssl commands and that results in errors.

    Are there any other tools I am missing to make this easier?  I have tried to post the SAML assertion on our lower region that uses the same Private Key to decrypt the assertion and the trace doesn't get to a point where it decrypts it for me in the trace log.

    ------------------------------
    Troy Burkle
    ------------------------------


  • 2.  RE: Decrypting a Prod SAML Assertion

    Posted Thu September 30, 2021 02:03 AM
    You should be able to create an STS chain using SAML(validate) -> STSUU(issue), and craft a WS-Trust request to perform the validation. See: https://www.ibm.com/blogs/sweeden/using-curl-to-send-requests-to-the-tfim-security-token-service/


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
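
The request described in reply 2, sketched as an added example (not code from the thread, the linked blog, or IBM): it pulls the `EncryptedAssertion` out of a captured base64 `SAMLResponse` and wraps it in a WS-Trust Validate `RequestSecurityToken`. Assumptions: WS-Trust 1.2 namespaces, placeholder `AppliesTo`/`Issuer` addresses that must match how the STS chain is mapped, a chain configured with the decryption key, and hypothetical function names.

```python
import base64
import xml.etree.ElementTree as ET
# WS-Trust 1.2 and companion namespaces (assumed to be what the STS endpoint accepts)
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

def extract_encrypted_assertion(saml_response_b64):
    """Return the single saml:EncryptedAssertion from a base64 SAMLResponse."""
    raw = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; reject one before it reaches the parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML message; refusing to parse")
    found = list(ET.fromstring(raw).iter(q("saml", "EncryptedAssertion")))
    if len(found) != 1:
        raise ValueError("expected exactly one EncryptedAssertion, got %d" % len(found))
    return found[0]

def _endpoint(wrapper_tag, address):
    wrapper = ET.Element(wrapper_tag)
    epr = ET.SubElement(wrapper, q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = address
    return wrapper

def build_validate_rst(token, applies_to, issuer):
    """Wrap the token in a SOAP RequestSecurityToken with RequestType Validate."""
    env = ET.Element(q("soap", "Envelope"))
    ET.SubElement(env, q("soap", "Header"))
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Validate"
    rst.append(_endpoint(q("wsp", "AppliesTo"), applies_to))
    rst.append(_endpoint(q("wst", "Issuer"), issuer))
    ET.SubElement(rst, q("wst", "Base")).append(token)
    return ET.tostring(env, encoding="unicode")

# Constructed sample: a Response carrying an empty EncryptedData placeholder.
SAMPLE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:EncryptedAssertion>'
    b'<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    b'</saml:EncryptedAssertion></samlp:Response>')
```

The string returned by `build_validate_rst(extract_encrypted_assertion(SAMPLE_B64), applies_to, issuer)` is the SOAP body to send to the STS endpoint, for instance with curl as in the linked post. Run it against a non-production STS that holds the same key, since the STSUU it returns contains the decrypted attributes.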