I’ve been working with SAML and SSO for a while now and I’ve always defaulted to using Firefox with SAML tracer. It’s a fantastic plugin as it captures all network traffic and then flags SAML requests and responses before allowing you to view the SAML message in plain text. I have always wanted a similar one for Chrome, but the closest/only one I could find is the SAML Request Decoder. It is focused on the actual page itself, and thus is useful for SAML requests, but if there are a few transactions / redirects, it fails to capture them. I thought this would be a great couple-day project to work on.
The first step was trying to figure out how Chrome DevTools extensions work. They work off adding listeners to their APIs and then, using JavaScript, either funnelling data to the console or, better yet, to an actual panel. My first attempt is here for saml-chrome on GitHub. It does the job pretty well in that it’ll listen to all network traffic (HAR data), parse that, and pull the headers, cookies and SAML messages out before spitting it out to the Console. I’m only working off POST and GET requests here as I don’t have a SOAP client for my SSO testing.
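The sketch below shows the decoding step for the two bindings covered here, GET (HTTP-Redirect: base64 plus raw DEFLATE) and POST (HTTP-POST: base64 only), applied to HAR entries of the shape DevTools hands to a `chrome.devtools.network.onRequestFinished` listener. It is an added example, not code from saml-chrome; the function names and sample entries are constructed for illustration, and Node’s `zlib` and `Buffer` are used so it runs outside the browser.

```javascript
// Module-agnostic zlib lookup: works under both CommonJS and ES modules.
const zlib = typeof require === 'function' ? require('zlib') : process.getBuiltinModule('zlib');
const SAML_PARAMS = ['SAMLRequest', 'SAMLResponse'];

// URLSearchParams turns an unescaped '+' into a space; restore it before decoding.
function fixBase64(value) {
  return value.replace(/ /g, '+');
}

// Return [{ binding, param, xml }] for every SAML message in one HAR entry.
function extractSaml(entry) {
  const req = entry.request;
  const found = [];
  if (req.method === 'GET') {
    // HTTP-Redirect binding: URL-encoded, then base64, then raw DEFLATE.
    const query = new URL(req.url).searchParams;
    for (const param of SAML_PARAMS) {
      if (!query.has(param)) continue;
      const raw = Buffer.from(fixBase64(query.get(param)), 'base64');
      found.push({ binding: 'HTTP-Redirect', param, xml: zlib.inflateRawSync(raw).toString('utf8') });
    }
  } else if (req.method === 'POST' && req.postData && req.postData.text) {
    // HTTP-POST binding: form field holding base64 XML, no compression.
    const form = new URLSearchParams(req.postData.text);
    for (const param of SAML_PARAMS) {
      if (!form.has(param)) continue;
      const xml = Buffer.from(fixBase64(form.get(param)), 'base64').toString('utf8');
      found.push({ binding: 'HTTP-POST', param, xml });
    }
  }
  return found;
}

// Constructed sample entries (not captured traffic); the hosts are placeholders.
const AUTHN = '<samlp:AuthnRequest ID="_constructed1" Version="2.0"/>';
const RESPONSE = '<samlp:Response ID="_constructed2" Version="2.0"/>';
const sampleEntries = [
  { request: { method: 'GET', url: 'https://idp.example/sso?SAMLRequest=' +
      encodeURIComponent(zlib.deflateRawSync(AUTHN).toString('base64')) + '&RelayState=abc' } },
  { request: { method: 'POST', url: 'https://sp.example/acs', postData: {
      mimeType: 'application/x-www-form-urlencoded',
      text: 'SAMLResponse=' + Buffer.from(RESPONSE).toString('base64') } } },
  { request: { method: 'GET', url: 'https://sp.example/logo.png' } }, // no SAML
];

function decodeAll(entries) {
  return entries.flatMap(extractSaml);
}
```

`inflateRawSync` throws on input that is not valid DEFLATE data, so a listener that feeds it live traffic should wrap the call in `try`/`catch`.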
The second was to develop an actual panel to display the data. I referenced some other extensions and ended up with something that looks quite nice and functional. It is working off AngularJS for all the object binding. I think I’ve done pretty well for my first attempt at writing one of these things. So this is saml-chrome-panel on GitHub. It actually keeps track of all the network traffic IN THE TAB (Chrome feature), and thus you’ll have a record of all SAML transactions, given that the panel is open. The problem is, of course, that if you have a link that opens in a new tab, DevTools isn’t open there, and thus the traffic isn’t captured. This caveat is addressed by using this plugin – Open Link In Same Tab (brilliantly named). It gives you a contextual right-click menu to open links in the same tab.
The source is all on GitHub just as a teaching aid for people wanting to figure out how to write extensions as it was somewhat difficult to find something to reference off, especially for the panel.
The SAML Chrome Panel is now on the Chrome Web Store and available for download! I do hope it benefits someone out there. The one major upgrade that I’d like to do is the formatting of the SAML XML request/response into something that is formatted and coloured and just a pleasure to look at!