Instructions for creating a SAML trace
This document is designed to help you perform a SAML trace in order to solve authentication problems. If possible, we recommend that you install the SAML-tracer extension for your browser, as this greatly simplifies the whole process. A trace can also be created via the browser's developer console. Before you start the SAML trace, you should close all other browser windows and clear the browser cache. Send us the trace file along with a screenshot of the entire browser window, including the URL you are trying to access.
System requirements
Supported operating systems:
Windows 10/11
Supported browsers:
Microsoft Edge version 124.0.2478.51 or later
Firefox version 37.0.2 or later
How to clear the browser cache
You can use the key combination Ctrl + Shift + Del to quickly access the menu to clear your cache.
Creating a SAML trace
SAML traces can be created with the add-on or without the add-on. Some companies may have a policy that blocks the installation of add-ons. In this case, use the variant without the add-on.
SAML-tracer with add-on
With Microsoft Edge browser
As Edge is based on Chromium, it must be authorised to install the add-on from the Chrome Web Store. If the browser has only recently been installed, this option is probably already activated. In this case, you can skip this step and continue with step 2.
- Allow installation
- Navigate to the Extensions page at the top right of the window by clicking on the ⋯ icon and then on Extensions.
- Activate the option Allow extensions from other stores, which you can see in the left sidebar of the page.
- Install add-on
Go to the following website: SAML-Tracer Edge
After you have successfully installed the add-on, and to ensure that you do not have an active session, you should clear your browser's cache (see system requirements for instructions) and restart the browser.
- Open the SAML-tracer. You will find the symbol at the top right of the browser, next to the address bar (example SAML-tracer).
- A new window will open and the tracer will start automatically. You can click on the X Clear button to reset the tracer before proceeding to the next step.
- Navigate to the service you want to sign in to.
- Attempt to sign in.
- Follow the steps in the "Export to a file" section to safely export the trace after signing in.
- Click on the Export button in the taskbar of the "SAML-tracer" window.
- Select Mask values to hide sensitive information from the trace. Further information can be found under "Data protection and masking values".
- Click on Export.
- Give the file a name and a storage location.
- Send the file by email to your support team.
With Firefox browser
Perform the following steps:
- Open Firefox.
- Go to the following website: SAML-Tracer Mozilla
- Select Add to Firefox
- Click Add to add the plugin to your browser.
- Tick the checkbox to allow the plugin to work in a private window. Then click Okay to confirm.
After you have successfully installed the add-on, and to ensure that you do not have an active session, you should clear your browser's cache (see system requirements for instructions) and restart the browser.
- Open the SAML-tracer. You will find the icon in the top right-hand corner next to the "hamburger menu" (☰) to the right of the address bar.
- A new window will open and the tracer will start automatically. You can click on the X Clear button to reset the tracer before proceeding to the next step.
- Navigate to the service you want to sign in to.
- Attempt to sign in.
- Follow the steps in the "Export to a file" section to safely export the trace after logging in.
- Click on the Export button in the taskbar of the "SAML-tracer" window.
- Select Mask values to hide sensitive information from the trace. Further information can be found under "Data protection and masking values".
- Click on Export.
- Give the file a name and a storage location.
- Send the file by email to your support team.
SAML trace without add-on (HAR file)
With Microsoft Edge browser
Perform the following steps:
- Click on the Menu (⋯) button at the top right and select More tools > Developer tools.
- In the window that appears, select the Network tab (as shown in the screenshot below).
- Make sure that the round recording button in the top left corner of the tab is red. If it is grey, single-click on the button to start recording.
- Tick the checkbox to allow the plugin to work in a private window.
- Reproduce the problem while the network requests are being recorded.
- Click on the Export HAR button to download the file and save it on your computer: Save as HAR with content.
- Send the file by email to your support team.
With Firefox browser
Perform the following steps:
- Click the menu button and select More tools > Web Developer Tools.
- Reproduce the problem while the network requests are being recorded.
- Right-click on any free space on the Network tab under Developer tools and click on Save all as HAR.
- Save the HAR file to your computer.
- Send the file by email to your support team.
Data protection and security
A SAML trace contains valuable information for the user or support team to investigate what happens during authentication. The SAML-tracer collects session cookies and information that the user enters in the browser. In addition, a tracer can also collect privacy-sensitive information in the form of attributes such as the organisation name and email address when this information is exchanged between parties. Therefore, the content of a SAML trace should be treated as sensitive information.
Data protection and masking values
To prevent the unintentional disclosure of sensitive information, the SAML-tracer provides the user with several options to mask or remove this information when saving the trace to a file. There are three options:
- None: the trace is saved unaltered; the values are not masked.
- Mask values: masks cookies and POST arguments with their SHA-1 hash value. This makes the information more difficult to read. This is the default option.
- Remove values: removes cookies and POST arguments. The content of the SAML messages is saved. A SAML message can still contain sensitive cookie information if it is generated by an "IdP-initiated" login. However, this data has a timeframe of 5 minutes, ensuring that attackers only have a very limited time to use stolen data.
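The HAR export described in the section without the add-on has no masking step, so cookies and POST arguments end up in the file in clear text. The following added example (not SAML-tracer's own code and not part of the original instructions) applies the "Mask values" idea to a HAR file before it is sent: cookie values, credential-bearing headers and POST arguments are replaced by their SHA-1 hash, while the SAML form fields stay readable. The field names in KEEP_PARAMS and the header list are assumptions, and the sample data is constructed.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode

# Assumption: these form fields carry the SAML messages support needs to read.
KEEP_PARAMS = {"SAMLRequest", "SAMLResponse", "RelayState"}
SECRET_HEADERS = {"cookie", "set-cookie", "authorization"}

def mask(value):
    """Replace a value with its SHA-1 hex digest (the masking the page describes)."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()

def mask_message(msg):
    """Mask cookie values and credential-bearing headers of a HAR request/response."""
    for cookie in msg.get("cookies", []):
        cookie["value"] = mask(cookie["value"])
    for header in msg.get("headers", []):
        if header["name"].lower() in SECRET_HEADERS:
            header["value"] = mask(header["value"])

def mask_post_data(post):
    """Mask POST arguments but leave the SAML fields readable."""
    text = post.get("text") or ""
    if "x-www-form-urlencoded" not in post.get("mimeType", ""):
        post["text"] = mask(text) if text else text  # e.g. JSON login body
        return
    pairs = parse_qsl(text, keep_blank_values=True) or [
        (p["name"], p.get("value", "")) for p in post.get("params", [])]
    masked = [(k, v if k in KEEP_PARAMS else mask(v)) for k, v in pairs]
    post["params"] = [{"name": k, "value": v} for k, v in masked]
    post["text"] = urlencode(masked)

def mask_har(har):
    """Mask a parsed HAR document (dict from json.load) in place and return it."""
    for entry in har["log"]["entries"]:
        mask_message(entry["request"])
        mask_message(entry.get("response", {}))
        if "postData" in entry["request"]:
            mask_post_data(entry["request"]["postData"])
    return har

# Constructed sample: one login POST with a session cookie and a password field.
SAMPLE = {"log": {"entries": [{
    "request": {
        "headers": [{"name": "Cookie", "value": "sid=abc123"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "SAMLResponse=PHNhbWxwPg%3D%3D&password=hunter2"}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}
```

Load the exported file with json.load, pass the resulting dict to mask_har, and write it back with json.dump before sending. URLs and response bodies are left untouched, and the SHA-1 hash of a short or guessable value can be recovered by guessing, so the masked file should still be treated as sensitive.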