SSO with SAML login scenario in JMeter
SAML (Security Assertion Markup Language) is increasingly used to perform single sign-on (SSO). As Wikipedia puts it, SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. With the rise in use of SAML in web applications, we may need to handle it in JMeter. This step-by-step tutorial shows a SAML JMeter scenario that performs a login operation.
- The first request from JMeter is a GET request to fetch the login page. We need to fetch two values, ‘SAMLRequest’ and ‘RelayState’, from the login page response data. We can do this with a Regular Expression Extractor. These two values need to be sent in a POST request to the service provider. Refer to the image below to see how to do this.
- We will get an HTML login page as the response to the request sent in step 1. We need to fetch the values of some hidden elements and pass them in the next request. We can do this with a Regular Expression Extractor.
- This request is the actual login transaction. We need to pass parameters such as username, password and the step 2 hidden values in a POST request. The response of this request will contain a SAMLResponse parameter which we need to fetch and send on to the next step. We won’t be able to use a Regular Expression Extractor here as it cannot process XML properly. We will use an XPath Extractor element for that reason. Refer to the image below to see how we can use the XPath Extractor.
- We need to pass the SAMLResponse value to the next POST request, which will be processed and the user will be authenticated.
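The four steps above form one extraction chain, so here is a single added Python example (written for this page; it is not JMeter's own code nor a .jmx from the original post) that runs the chain over constructed sample pages: regex extraction for SAMLRequest and RelayState, generic extraction of the hidden login-form fields, XPath-style extraction of the SAMLResponse, and a decode of the response so a test plan can assert that the SAML status is Success rather than treating any HTTP 200 as a login. Every page body, hostname (sp.example.test, idp.example.test), hidden field name (execution, csrf_token) and credential is a constructed placeholder; the hidden_fields() helper goes slightly beyond step 2 by collecting every hidden input rather than a fixed pair of names.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET

# --- Constructed sample responses (not captured from any real deployment) ---

# Step 1 response: the SP returns an auto-submitting form carrying SAMLRequest and RelayState.
# Plain HTML with unclosed <input> tags, which is why a regex extractor is the natural tool here.
SAML_REQUEST_B64 = base64.b64encode(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0"/>'
).decode()
SP_REDIRECT_PAGE = f"""<html><body onload="document.forms[0].submit()">
<form method="post" action="https://idp.example.test/sso">
<input type="hidden" name="SAMLRequest" value="{SAML_REQUEST_B64}">
<input type="hidden" name="RelayState" value="/home">
</form></body></html>"""

# Step 2 response: the login form. The hidden field names are made up for this example;
# real IdPs use their own names, so the extractor below does not hard-code them.
IDP_LOGIN_PAGE = """<html><body>
<form method="post" action="https://idp.example.test/login">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="execution" value="e1s1">
<input type="hidden" name="csrf_token" value="tok-constructed-123">
<input type="submit" value="Login">
</form></body></html>"""

# Step 3 response: after login the IdP returns a form carrying the base64-encoded SAMLResponse.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.test/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML.encode()).decode()
# Well-formed XHTML (self-closed inputs) so an XPath-style extractor can parse it.
IDP_RESPONSE_PAGE = f"""<html><body onload="document.forms[0].submit()">
<form method="post" action="https://sp.example.test/saml/acs">
<input type="hidden" name="SAMLResponse" value="{SAML_RESPONSE_B64}"/>
<input type="hidden" name="RelayState" value="/home"/>
</form></body></html>"""

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def regex_extract(page, name):
    """Step 1: what JMeter's Regular Expression Extractor does with the regex
    name="SAMLRequest" value="([^"]*)" and template $1$."""
    m = re.search(r'name="%s"\s+value="([^"]*)"' % re.escape(name), page)
    return html.unescape(m.group(1)) if m else None


def hidden_fields(page):
    """Step 2: collect every hidden input as {name: value}, whatever the IdP calls them."""
    fields = {}
    for tag in INPUT_TAG_RE.findall(page):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def xpath_extract_samlresponse(page):
    """Step 3: XPath-style extraction. In JMeter the query would be
    //input[@name='SAMLResponse']/@value; ElementTree cannot select an attribute
    directly, so the node is located first and its value attribute read."""
    root = ET.fromstring(page)
    node = root.find(".//input[@name='SAMLResponse']")
    return node.get("value") if node is not None else None


def decode_response(b64):
    """Decode the SAMLResponse and read the fields worth asserting on in a test plan:
    the status code (login really succeeded), Destination (the ACS URL the step-4
    request must POST to) and InResponseTo (ties the response to the step-1 request)."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    return {"status": status, "destination": root.get("Destination"),
            "in_response_to": root.get("InResponseTo")}


def build_login_flow(username="alice", password="constructed-password"):
    """Run the four extraction steps over the sample pages and return the POST bodies."""
    step1_body = {"SAMLRequest": regex_extract(SP_REDIRECT_PAGE, "SAMLRequest"),
                  "RelayState": regex_extract(SP_REDIRECT_PAGE, "RelayState")}
    step3_body = dict(hidden_fields(IDP_LOGIN_PAGE), username=username, password=password)
    saml_response = xpath_extract_samlresponse(IDP_RESPONSE_PAGE)
    step4_body = {"SAMLResponse": saml_response,
                  "RelayState": regex_extract(IDP_RESPONSE_PAGE, "RelayState")}
    return step1_body, step3_body, step4_body


if __name__ == "__main__":
    s1, s3, s4 = build_login_flow()
    print("step 1 POST:", s1)
    print("step 3 POST:", s3)
    print("step 4 status:", decode_response(s4["SAMLResponse"])["status"])
```

Running the file prints the three POST bodies. The regex string and the XPath query in the docstrings are the ones you would paste into the corresponding JMeter extractor; the status check in decode_response() is the kind of assertion the final step needs, since an IdP can return a well-formed SAMLResponse whose status is a failure, and a plan that only checks the HTTP code will count that as a successful login.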
We hope the steps above explaining the SAML JMeter scenario will be useful in implementing SSO testing for your web application. Let us know in the comments if you have any queries or if you know a better way to handle SAML requests in JMeter.
Comments
Could you share the JMeter script (.jmx) with which you could test SP-initiated SSO using OpenAM both as SP and IdP?
Please help me, I'm stuck on the last one. I got the SAMLResponse and posted it, but it says
the error below. Please help me.
Error 404–Not Found
From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
Hi,
Can you please provide more information on SSO with JMeter, if possible with an example (sample script)?
I have prepared a script for SAML SSO. I am only getting the SAML Request and passing it to the next request, and capturing the SAML Response and passing it to the next request.
The JMeter script is not able to log in. Please let me know how to fetch the values of some hidden elements to pass them in the next request?
We are getting the SAMLResponse from Link#1 and passing it to Link#2 correctly. There seems to be some hidden ID/token that gets generated in Link#1 and gets passed to Link#2, which we are not able to detect. If we record the script live, it passes, and on replaying the same script with regular expression extractors, it is failing.
SAMLResponse XML Extractor seems to be written with respect to a rendered HTML, which is missing here.