How To Verify if a SAML Response is signed or unsigned using browser

Created On 06/22/20 18:54 PM - Last Modified 03/26/21 09:13 AM


Objective


To troubleshoot Single Sign On (SSO) login issues, it can be helpful to retrieve the SAML response from your IdP in your browser. This document contains the steps to verify whether a SAML response is signed or unsigned using a browser.

Environment


Customers using Security Assertion Markup Language (SAML) authentication for:
  • GlobalProtect Gateway/Portal/Clientless VPN (including Prisma Access)
  • Authentication Portal / Captive Portal
  • PAN-OS next-generation firewalls (PA-Series and VM-Series)
  • Panorama web interface


Procedure


There are two ways to inspect a SAML response in the browser.

Option 1: View SAML Response on the Browser's Developer Console

Follow the steps for the appropriate browser:

Google Chrome

  1. Press F12 to start the developer console.
  2. Select the Network tab, and then select Preserve log.

  3. Browse to the firewall IP (or hostname) that accepts SAML authentication requests and sign in with your IdP credentials.
  4. After the login succeeds, look for the POST request to the firewall's ACS URL in the Network list. Select that row and open the Headers tab (in newer Chrome versions the form body is on the Payload tab); under Form Data find the SAMLResponse field. It holds the IdP's Base64-encoded response (not the request). Decode it with a local Base64 decoder (see below), then confirm that the Destination attribute of the decoded Response is the firewall's ACS URL and check whether the Response, the Assertion inside it, or both carry a Signature element.

Google Chrome - SAML DevTools Extension

  1. Install the SAML DevTools Extension in Chrome.
  2. Open Developer Tools and click the SAML tab.
  3. Browse to the firewall IP that triggers SAML authentication. When prompted, enter your SAML credentials. The SAML requests and responses now appear under the Path section.
  4. Click the SAML POST request and look at the SAML response. Ensure that the Destination attribute in the SAML response is the firewall's ACS URL.
  5. Verify that the SAML Response, the Assertion inside it, or both contain a Signature element (ds:Signature with its SignedInfo, SignatureValue and KeyInfo children). Note where the Signature sits: a Signature that is a direct child of the Response covers the Response; one that is a direct child of the Assertion covers only the Assertion. In either case its SignedInfo/Reference URI should be "#" followed by the ID of the element it sits in. A Response or Assertion without its own Signature element is unsigned, even if the other one is signed.

Mozilla Firefox

  1. Press F12 to start the developer console.
  2. Click the settings icon (the small gear) in the upper right of the developer tools window and select Enable persistent logs.
  3. Select the Network tab.
  4. Browse to the firewall IP (or hostname) that accepts SAML authentication requests and sign in with your IdP credentials.
  5. After the login succeeds, look for the POST request to the firewall's ACS URL in the request list. Select that row; in the details pane on the right, open the Request tab (Params in older Firefox versions) and find the SAMLResponse field. Ensure that the Destination attribute in the decoded SAML response is the ACS URL. The SAMLResponse field holds the Base64-encoded response (not the request); decode it with a local Base64 decoder (see below) to inspect the XML.

(Alternatively, install the SAML-tracer add-on in Firefox. It shows the SAML messages sent through the browser during single sign-on and single logout, already decoded.)

Microsoft Internet Explorer

  • Network traffic in Internet Explorer can be analyzed through the use of a third-party tool.
  • Download and install Fiddler and capture the data. Detailed instructions can be accessed at this link.

(SAML response data contains sensitive information: the user's identity and attributes, and the assertion that establishes the session. Decode it with a tool installed on your local computer rather than an online Base64 decoder, so the data is never sent to a third party.)

Built-in option for macOS and Linux systems to decode a Base64-encoded SAML response (the browser's form-data view normally shows the value already URL-decoded; if what you copied still contains %2B, %2F or %3D escapes, URL-decode it first, otherwise the Base64 decode fails or silently drops characters):
$ echo "base64encodedtext" | base64 --decode

Built-in option for Windows systems (PowerShell):
PS C:\> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("base64encodedtext"))
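The checks this procedure makes by eye (decode the SAMLResponse field locally, confirm the Destination attribute, and look for a Signature element on the Response and on the Assertion, as in step 5 of the SAML DevTools procedure) can be done in one offline script. The following is an added example written for this article, not Palo Alto Networks code or part of any Palo Alto Networks tool. The two SAML documents inside it are constructed, stripped-down samples; the IP address is the one from the Option 2 output below, and the /SAML20/SP/ACS path in their Destination attribute is an assumption.

```python
"""Decode a SAMLResponse form value offline and report which parts of the
response carry a signature.  Added example written for this article, not
Palo Alto Networks code; the two SAML documents near the bottom are
constructed, stripped-down samples (a real response also carries KeyInfo,
Conditions, AttributeStatement and a real SignatureValue)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(form_value: str) -> bytes:
    """DevTools usually shows the SAMLResponse field already form-URL-decoded,
    but a copy of the raw request body still has %2B/%2F/%3D escapes.  Base64
    never contains '%', so its presence means one more layer to strip (and a
    '+' must not be touched otherwise).  HTTP-POST binding: no deflate."""
    if "%" in form_value:
        form_value = urllib.parse.unquote_plus(form_value)
    return base64.b64decode("".join(form_value.split()), validate=True)


def _signature_reference(elem):
    """Reference URI of a ds:Signature that is a direct child of elem:
    None if there is no Signature, '' if it has no Reference."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI", "") if ref is not None else ""


def check_response(xml_bytes: bytes) -> dict:
    """Report Destination and signature placement for a decoded Response.
    'Signed' is what the article checks by eye: a ds:Signature directly
    under the element whose Reference URI is '#' + that element's ID.
    Cryptographic verification against the IdP certificate is a separate
    step and is not attempted here."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    resp_id = root.get("ID", "")
    resp_ref = _signature_reference(root)

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # e.g. EncryptedAssertion: outside this check
        assertion_id, assertion_ref = None, None
    else:
        assertion_id = assertion.get("ID", "")
        assertion_ref = _signature_reference(assertion)

    return {
        "destination": root.get("Destination"),
        "response_signed": resp_ref == "#" + resp_id,
        "assertion_signed": assertion_id is not None
        and assertion_ref == "#" + assertion_id,
        # Signature present but not referencing its parent's ID: flag it.
        "dangling_signature": (resp_ref is not None and resp_ref != "#" + resp_id)
        or (assertion_ref is not None and assertion_ref != "#" + assertion_id),
    }


def as_browser_form_value(xml_bytes: bytes) -> str:
    """Encode as the IdP's auto-submitting form does (base64, then form
    URL-encoding).  Used only to build the constructed samples below."""
    return urllib.parse.quote_plus(base64.b64encode(xml_bytes).decode("ascii"))


# Constructed sample: Response unsigned, Assertion signed.  The IP is the one
# in the article's Option 2 output; the /SAML20/SP/ACS path is an assumption.
SIGNED_ASSERTION_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-06-22T18:54:00Z" Destination="https://10.46.42.154:443/SAML20/SP/ACS">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-22T18:54:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: no Signature anywhere, the case this article helps spot.
UNSIGNED_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0"
    IssueInstant="2020-06-22T18:54:00Z" Destination="https://10.46.42.154:443/SAML20/SP/ACS">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2020-06-22T18:54:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SIGNED_ASSERTION_FORM_VALUE = as_browser_form_value(SIGNED_ASSERTION_XML)
UNSIGNED_FORM_VALUE = as_browser_form_value(UNSIGNED_XML)

if __name__ == "__main__":
    for label, value in (("signed assertion", SIGNED_ASSERTION_FORM_VALUE),
                         ("unsigned", UNSIGNED_FORM_VALUE)):
        print(label, check_response(decode_saml_response(value)))
```

Paste the SAMLResponse value copied from the browser into decode_saml_response and run check_response on the result. For the first sample it reports response_signed False and assertion_signed True; for the second both are False. The dangling_signature flag catches a Signature whose Reference does not name its own parent element, which is worth a second look rather than a pass. Only the presence and placement of the signature is checked here, as in the article; whether the signature actually verifies against the IdP certificate configured on the firewall is a separate step.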
 

Option 2: View SAML Response on Browser Page
 

  1. On the firewall CLI, issue the following command, replacing <ip-address:port> with the IP address (and port) on the firewall that accepts SAML authentication requests. In this example the test URL was generated for the GlobalProtect client; the same generate-saml-url command also produces test URLs for the Captive Portal and admin web UI SAML clients.
    • admin@9.2-New-CFW> test generate-saml-url global-protect ip-hostname <ip-address:port> authprofile SAML-Onelogin vsys vsys1
      https://10.46.42.154:443/SAML20/SP/TEST?vsys=vsys1&authprofile=SAML-Onelogin
  2. Paste the URL into your browser and supply your SAML credentials. The SAML response is then displayed on the browser page. A Response or Assertion that contains a Signature element (with its SignedInfo, SignatureValue and KeyInfo children) is signed; a Response or Assertion without one is unsigned. Check both the Response and the Assertion inside it, since an IdP can sign either, both, or neither.




Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UWRCA2&lang=en_US